The California Age-Appropriate Design Code Act (the “Act”) was signed into law on September 15, 2022, and will take effect on July 1, 2024. The Act imposes additional obligations on businesses pertaining to children’s privacy.[1]
Does the Act Cover My Organization?
The Act applies to California Privacy Rights Act (“CPRA”)-covered businesses that provide an “online service, product or feature”[2] that is “likely to be accessed by children”—here, persons under 18 years of age. As a reminder, CPRA-covered businesses are for-profit entities doing business in California that: (i) have gross revenues in excess of $25 million, (ii) buy, sell or share the personal information of 100,000 or more California consumers or (iii) derive 50% or more of their annual revenue from selling or sharing personal information.
The “likely to be accessed by children” criteria includes whether such online service, product or feature (here, “Covered Service”):
- is “directed to children” (as defined under the Children’s Online Privacy Protection Act, but with an age cutoff of 18, not 13) or contains advertisements marketed to children;
- is determined to be routinely accessed by a significant number of children (or is substantially similar to or the same as a Covered Service meeting such standard);
- has design elements known to be of interest to children (g., games and cartoons); or
- is determined to include children as a significant portion of its audience, based on internal research.
What Is To Be Done?
Under the Act, a covered business must, among other requirements:
- Complete a Data Protection Impact Assessment (“DPIA”) before offering Covered Services likely to be accessed by children;
- Reasonably estimate the age of its users so as to separate the higher level of privacy protection afforded to children or apply the higher protections to all consumers;
- Configure to high levels all default privacy settings provided to children by Covered Services, absent a compelling reason otherwise;
- Provide (i) privacy information and policies in clear, prominent, age-appropriate language and (ii) prominent, accessible and responsive customer privacy tools;
- Provide an obvious signal to the child when they are being monitored or tracked by a parent, guardian or others;
- Not collect, sell or retain a child’s personal information unless necessary to provide the Covered Service to an active participant, absent a compelling interest otherwise;
- Not collect any precise geolocation information of children without providing an obvious sign to the child or collect, sell, or share such information unless strictly necessary;
- Not use dark patterns (e. deceptive design patterns) to lead or encourage children to provide personal information;
- Not profile a child absent safeguards or a compelling reason; and
- Not use the child’s personal information in a way that the business knows, or has reason to know, is materially detrimental to their health or well-being.
Enforcement
The Act authorizes the California Attorney General to seek an injunction and civil penalty of not more than (i) $2,500 per child for each negligent violation or (ii) $7,500 per child for each intentional violation. However, there is a potential 90-day cure period for businesses that are in substantial compliance with the DPIA-related requirements of the Act (see first bullet above).
[1] This memorandum is only a high-level summary of the new law. For detailed questions, please consult one of the authors.
[2] The definition excludes broadband internet access service, telecommunications service and the delivery or use of a physical product.