By Julie Sweeney and Amber Thomson
Mayer Brown’s Arsen Kourinian, Julie Sweeney, and Amber Thomson consider the impact of California’s new child data privacy bill on businesses that provide online products and services to children. In preparation, companies should implement more robust privacy measures and consider broader compliance for adult users.
As federal data privacy legislation continues to stall, California is once again trailblazing a path for other states to follow in the world of privacy. This time, California lawmakers have focused on children’s privacy and safety online.
The California Age-Appropriate Design Code Act (ADCA) passed unanimously and now awaits Gov. Gavin Newsom’s signature. It would impose sweeping new requirements on businesses that provide online products and services to children.
In preparation, companies should implement more robust privacy measures and consider the broader compliance impact on adult users.
The proposed law, branded the Kids’ Code, would require businesses to impose an array of safeguards designed to protect children starting July 1, 2024. Although ADCA is garnering most of the attention, California legislators also recently passed the Social Media Accountability and Transparency Act, AB 587.
It would require social media platforms to increase transparency with their terms of service. That law, if signed by the governor, would also strengthen protections for the privacy and welfare of minors on social media.
Despite today’s proliferation of social media, online educational programs, video games, and more, it has been more than 20 years since American lawmakers passed meaningful and comprehensive regulations on children’s online activity.
The 1998 Children’s Online Privacy Protection Act (COPPA) addressed the rapid growth of online marketing techniques that were targeting children. But COPPA is limited in its scope in that it only applies to commercial websites or online services that specifically target children, and it only protects the privacy of children under the age of 13.
California’s ADCA would go significantly further. First, it would apply to all California Privacy Rights Act (CPRA)-covered businesses that provide online products, services, and features “likely to be accessed by children,” not just those targeting children.
This means that the regulation could apply to general audience sites, such as retail, news, and music—and not just sites or apps that typically target children, such as video games and educational sites.
The bill outlines indicators that might increase the likelihood that a site could be accessed by children. For example, a service or product that features advertisements marketed to children is likely to be subject to ADCA.
However, some of these listed indicators are more vague, such as whether a site is “routinely accessed by a significant number of children.”
Second, ADCA defines a child as anyone under the age of 18—extending data privacy protection to all children, not just the youngest ones. Businesses would be required to impose age verification measures to determine the age of users with “a reasonable level of certainty.”
Critics of the law are concerned that this will affect how we all interact with online services and products, and the information that we have to provide.
Among ADCA’s many requirements, businesses would be required to turn on privacy settings by default for children, include kid-friendly language in their privacy policy, limit the use of children’s personal information, and avoid collecting geolocation data unless “strictly necessary.”
However, some of the ADCA’s requirements are more ambiguous. For example, businesses would be expected to consider “the best interests of children when designing, developing, and providing” their products or services in a way that prioritizes “the privacy, safety and well-being of children over commercial interests,” including by considering the “unique needs of different age ranges.”
It is not necessarily clear how, in practice, businesses that operate sites or apps that are accessed by both adults and children will be able to comply with this requirement, or how any commercial enterprise could be in a position to assess the best interests of a child.
Adding to the list of safeguards required under the ADCA, businesses would also be required to conduct a data protection impact assessment (DPIA) before offering the product or service to the public. The DPIA should assess, in part, the “material detriment to children that arise from the data management practices of the business.”
ADCA lists factors that should be considered, including whether the product or service could “harm” children by exposing them to “harmful, or potentially harmful” content.
It is unclear how expansively the California attorney general will read “harmful” content, but it is likely to consider any mental health effects, especially as national discourse has focused on the harmful impact of social media usage generally on children and particularly teenage girls.
Notably, businesses that are not subject to the EU General Data Protection Regulation (GDPR)—and/or are not preparing for the California Consumer Privacy Act (CPRA)—may find it challenging to operationalize this requirement.
ADCA would not include a private right of action. Instead, the California attorney general would have exclusive jurisdiction to enforce the law. Fines for violations could range from $2,500 per affected child for negligent violations to $7,500 per affected child for intentional violations.
Notably, businesses that have achieved “substantial compliance” with ADCA’s data protection impact assessment and mitigation plan requirements would be granted a 90-day grace period to cure any violations identified by the California attorney general—which should incentivize businesses to comply with these requirements.
As with CPRA, businesses should be prepared for future rounds of rulemaking, as the California attorney general would have the authority to adopt clarifying regulations.
ADCA would also create a children’s data protection working group” that we hope will provide guidance on the law’s ambiguities, including how to assess the best interests of children and what are examples of sites that are “likely to be accessed” by children.
Although ADCA would not take effect until summer 2024, businesses that may be subject to the law should start planning for compliance now. New products or services should be developed with privacy-by-design in mind, and ADCA requirements should be rolled into businesses’ existing compliance programs.
As with CPRA, businesses will also need to consider whether to extend these compliance obligations beyond California minors. Given the flurry of state data protection laws that followed in the wake of CCPA, it would not be surprising if other states followed California’s lead on child online safety and privacy legislation.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Write for Us: Author Guidelines
Arsen Kourinian is a Mayer Brown partner and member of the Cybersecurity & Data Privacy practice. He provides practical and operational guidance on how to harmonize data privacy laws and standards into uniform policies, procedures and practices.
Julie Sweeney is a lawyer in Mayer Brown’s Cybersecurity & Data Privacy and Litigation & Dispute Resolution practices. She advises US companies and multinational organizations on complex global privacy and data protection compliance efforts, data breach response, and AG investigations.
Amber Thomson is a lawyer in Mayer Brown’s Cybersecurity & Data Privacy and Litigation & Dispute Resolution practices. She counsels clients of all sizes on complex and cutting-edge issues related to cybersecurity and privacy.
To read more articles log in.
Learn more about a Bloomberg Law subscription.
About Author
