Earlier this month, the governor of California signed into law a legislative bill passed with bipartisan support that requires online services to design their privacy practices in a way that by default protects the privacy of children under the age of 18. The new law, the California Age-Appropriate Design Code, will go into effect in July 2024. This law introduces data protection requirements and much more extensive privacy protections than those provided by the federal Children's Online Privacy Protection Act (COPPA).
The law will apply to any online service that can reasonably be expected to be used by California children under the age of 18. The law does not limit its application to online services that are domiciled in California. At its declarative level, the law requires operators of online services (including websites) to consider the best interests of the child when designing, developing, and operating an online service or product, and to prioritize the best interests of the child, their well-being, and protection if there is a conflict between these principles and commercial interests. At the practical level, the law imposes a series of requirements on online service operators, including:
- Drafting a written data protection impact assessment report regarding children's privacy on the service and affirmatively reducing the risks identified in the report before launching the service. The impact assessments must be made available for review at the request of the California Attorney General.
- Assessing the ages of the children who use or are likely to use the service.
- Having the privacy settings for users who are children configured to the highest level of protection by default.
- Adjusting the language of privacy notices, terms of use, community rules, and other similar documents, so that they are suitable for reading and comprehension by the target audience of children at the ages that are expected to use the service.
- Where the service allows the parent to monitor the child's activity on the service, the child must be given a clear indication while the monitoring is performed.
- Ban on using information collected from children for purposes that are likely to substantially harm the child's well-being or physical or mental health.
- Prohibition on amassing a behavioral profile about the child unless adequate privacy protections are implemented, and this profiling is required for the benefit of the child or to provide content or features that the child actively or knowingly uses.
- Ban on collecting and using information that is not required to provide content or features that the child actively or knowingly uses.
- Ban on collecting precise geolocation information about the child unless a clear indication of this is given while this is carried out.
The law also enumerates several factors that demonstrate whether it is reasonable to expect children under the age of 18 to use the online service:
- If it is "directed" to children, within the meaning of this term in COPPA.
- If there is empirical evidence that children use it.
- If it displays ads aimed at children.
- If it has design elements that attract children, such as games, animation, music, or celebrities who are popular with children.
Enforcement of the new law vests exclusively with the California Attorney General, who is authorized to seek an injunction against businesses that violate the law. The California Attorney General is also authorized to recover from online service operators civil penalties of up to $2,500 for each child harmed by a negligent violation of the law, and up to $7,500 for each child harmed by an intentional violation of the law. Businesses suspected of violating specific provisions of the law, although they generally comply with it, can benefit from a 90-day grace period to correct the violation before the Attorney General takes enforcement measures.
Click here to read the California Age-Appropriate Design Code.