by Rory Sweeney
California privacy never sleeps. On September 20, 2022, Governor Gavin Newsom signed into law AB-2273, “The California Age-Appropriate Design Code Act” (“the Act”). Modeled after the United Kingdom’s Age-Appropriate Design Code, the Act is intended to modernize online protections for children 17 and under by requiring a business, as defined under the California Consumer Privacy Act (CCPA), that provides an online service, product, or feature likely to be accessed by children to comply with numerous provisions. A high-level summary of some of the Act’s key areas is provided below:
At its core, the Act is intended to promote a “high level” of privacy by default, or in other words, a children’s-privacy-by-design scheme, which includes, among other provisions:
- A prohibition on profiling and the collection of a child’s precise geolocation unless there is a compelling reason.
- Reinforcing data minimization and purpose limitation principles by barring the collection and use of personal information that is not necessary for the service.
- A business cannot use dark patterns/nudging or take any action it knows, or has reason to know, is “materially detrimental” to the physical health, mental health, or well-being of a child (it will be interesting to see how this evolves given the amount of time children spend online and that most online services are intentionally designed to increase screen time).
- A Data Protection Impact Assessment (DPIA) must be completed before offering an online service likely to be accessed by children, and all DPIAs must be reviewed biennially. See § 1798.99.31(1)(B) for specific DPIA criteria.
- A business must provide any privacy notice, terms of service, policies, and community standards in language suited to the age of the children likely to access the online service.
The California Privacy Protection Agency (CPPA) must publish regulations and guidelines by April 1, 2024, which will be done in consultation with the newly formed California Children’s Data Protection Working Group. The Working Group will consist of ten persons having expertise in areas such as children’s data privacy, mental health, computer science, and children’s rights.
Enforcement of the Act begins on July 1, 2024. The Act does not include a private right of action, but permits the Attorney General to issue civil penalties up to $2,500 per affected child for each negligent violation and $7,500 for each intentional violation, as well as order injunctions.
Because the U.K.’s Children’s Code went into effect a little over a year ago, and the California Legislature has encouraged businesses to look to their U.K. counterparts for “guidance and innovation…when developing online services,” businesses can peer across the pond to get a sense of what child-centric privacy designs look like. Here are a few, as reported by the children’s advocacy group 5Rights Foundation:
- TikTok and Instagram have disabled direct messages between children and adults they do not follow.
- The Google Play Store now prevents under 18s from viewing and downloading apps rated as adult-only.
- YouTube has turned off autoplay for under 18s, and break and bedtime reminders are turned on by default.
- Google has made SafeSearch the default browsing mode for all children under 18.
Additionally, if a business has forgone conducting applicable DPIAs for whatever reason, then the Act should provide the necessary impetus (and business case) to reassess this position and integrate them into product builds.
In the near term, the Act should cause businesses to improve their privacy practices from design and operational perspectives, while in the longer term, the Act promises to significantly revitalize the outdated area of children’s online privacy and offer businesses the opportunity to innovate.