California Expands Online Protections for Those Under 18
Bolstering the protections afforded under the California Consumer Privacy Act (as amended by the California Privacy Rights Act, the CCPA), California has enacted the California Age-Appropriate Design Code Act (AADC), which expands the scope of online privacy protections for children under 18. The AADC will take effect on July 1, 2024 and apply to CCPA-regulated businesses. As such, those businesses are encouraged to begin conducting impact assessments now in light of the possibility that material design changes may be necessitated by the AADC.
The AADC is closely modeled after the United Kingdom’s Age Appropriate Design Code (the UK Code) passed in 2020. The UK Code extended regulators’ reach beyond the basic protection of children’s personal data by prescribing specific design guidelines for digital services, products, or features “likely to be accessed” by persons under 18, as well as requiring Data Protection Impact Assessments (DPIAs) to assess potential risk, among other requirements.
No law currently exists in the United States like the AADC. Whereas the U.S. federal law, the Children’s Online Privacy Protection Act (COPPA), addresses the collection of personal data, and the EU’s General Data Protection Regulation and CCPA both cover the processing of personal data, the AADC will regulate the design of product/service features. Importantly, the AADC extends privacy protections beyond services directed at children to also cover those likely to be accessed by children, with “children” being defined as a person under 18 years old, as opposed to 13 years old under COPPA. The AADC also covers the passive collection of data by connected devices and “inferred data,” such as that created by ad targeting platforms.
Key Provisions of AADC
The AADC includes the following key provisions:
If a business meets the applicability thresholds created by the CCPA (described below) and provides “an online service, product, or feature likely to be accessed by children” (the Service), then the AADC applies and design changes will likely be required to ensure compliance with AADC requirements.
Specifically, the CCPA applies to any for-profit business that (i) makes over $25 million in annual gross revenue, or (ii) annually buys, sells, or shares the personal information of 100,000 or more California consumers or households, or (iii) derives 50% or more of its annual revenues from selling California consumers’ personal information. Where a business is based is not a factor.
Primacy of the Best Interests of Children
Under the AADC, if a conflict of interest arises between what is best for the Service and what is best for children, the business needs to prioritize the privacy, safety, and well-being of children over commercial interests.
The AADC prohibits businesses from:
• Detrimental Use. Using any personal data of children in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.
• Profiling by Default. “Profiling” children by default except where such profiling is necessary to provide the Service or where the business can demonstrate a compelling reason that such profiling is in the best interests of the child.
• Not Implementing Data Minimization. Collecting, selling, sharing, using or retaining personal data of children except as necessary to provide the Service with which the child is knowingly engaged, unless the business can demonstrate a compelling reason that to do so is in the best interests of the child.
• No Geolocation by Default. Collecting, selling or sharing precise geolocation data of children by default except as necessary to provide the Service and then only so long as necessary and with an obvious sign to the child that such information is being collected for the duration of the collection period.
• No Dark Patterns. Using “dark patterns” that would cause children to provide more personal data beyond what is reasonably expected, forgo privacy protections, or take any other actions that the business knows, or has reason to know, are materially detrimental to the physical health, mental health, or well-being of a child. For more information about Dark Patterns, please see my blog post.
To comply with the AADC, a business will need to, as applicable:
• Conduct DPIAs for each new Service that is likely to be accessed by children before the Service is offered to the public. DPIAs are required to be retained for so long as the Service is available and must be re-assessed every two years. DPIAs must be provided to the California Attorney General upon request.
• Take into account the unique needs of different age ranges and use reasonable efforts to group children into applicable age groups. The AADC places children into five age ranges: 0 to 5 years old (preliterate and early literacy); 6 to 9 years old (core primary school years); 10 to 12 years old (transition years); 13 to 15 years old (early teens); and 16 to 17 years old (approaching adulthood).
• Clearly indicate to the child when they are being tracked or monitored if the Service has permitted a parent or any other person to track or monitor the child’s online activity.
• Default privacy settings to the highest (most private) settings, unless the business can convincingly prove that a different option is in the child’s best interests.
• Provide children and their parents or guardians with accessible and responsive tools that enable them to exercise their right to privacy and report concerns.
• Provide clear and concise privacy notices, terms of services, and other policies or notices in a manner that is visible to children of the age group most likely to access it.
• Enforce the published terms, policies, and community standards established by the business, including privacy policies and those concerning children.
Penalties for violations of the AADC are up to US$2,500 per affected child for negligent violations, and up to US$7,500 per affected child for intentional violations. The AADC does not create a private right of action.
Complying with the AADC is likely to involve a substantial investment of time and effort for businesses that fall within its scope. For this reason, businesses are encouraged to assess (1) whether the business is subject to the CCPA, and if so, (2) whether any of their Services are likely to be accessed by persons under 18 years old. If the answers to both questions are yes, businesses should begin taking steps to become compliant by July 1, 2024.
Don Levy is a California-based corporate and commercial lawyer who focuses on technology transactions. If you have questions about the AADC or its application to your business or Service, please contact Don Levy at email@example.com.