On August 30, one day before the close of the legislative session, the California State Assembly voted unanimously to approve AB 2273 – the California Age Appropriate Design Code Act (AADCA). The Bill now heads to Governor Newsom for signature.
Scope
The AADCA imposes obligations on providers of online services “likely to be accessed by children” and defines children as consumers under 18 years of age. This includes websites that are specifically targeted to children, websites whose audience is made up of a large number of children based on internal research or other reliable evidence, and websites with design elements or advertising likely to appeal to children.
For context, the federal Children’s Online Privacy Protection Act (COPPA) defines children as anyone under the age of 13 and imposes requirements on online services directed towards children or that have actual knowledge a child is using the site. The AADCA, thus, broadens the universe of applicable data subjects and covered entities that must afford privacy protections to minors using the internet.
“Likely to be accessed by children”
As mentioned, the AADCA applies to websites that are “likely to be accessed by children.” By its terms it covers “online service[s], product[s], or feature[s],” which in itself is broader than simply a website or application. It also sets out considerations for determining whether a service, product or feature is “likely to be accessed by children.” These considerations are:
- Whether it is deemed to be targeted to children under COPPA;
- Whether it is accessed by children;
- Whether it has features, products or advertisements marketed to children;
- Whether it has design elements that are known to be of interest to children, such as games, cartoons, music or celebrities; or
- Whether a significant section of the audience is determined to be made up of children.
Given the fact that the AADCA defines a “child” as someone under the age of 18, and the broad applicability of the elements to consider in determining whether a site is “likely to be accessed by children,” it is very likely that the AADCA could apply to all social media platforms, online entertainment and media services and platforms, music-sharing platforms, photo-sharing sites, video game services, other content platforms, and even retail and consumer product platforms.
Requirements
Data Protection Impact Assessment
So what does this mean for businesses that may fall under this umbrella? Under the AADCA, before a covered entity offers a new online product, service or feature likely to be accessed by children, the entity must complete a Data Protection Impact Assessment (DPIA) to identify material risks. Similar assessments are required under the California Privacy Rights Act (CPRA) for businesses processing sensitive personal information; however, the DPIA required by the AADCA should assess:
- Whether the design of the online service, product or feature could harm children, including by leading to exposure to harmful content, experiencing harmful contacts, witnessing or participating in harmful conduct, etc.
- Whether the algorithms used could harm children.
- Whether the targeted advertising systems used could harm children.
- Whether and how the online service, product or feature uses system design features to increase the amount of time spent on the service, including by using auto-play features on videos, and rewarding time spent on the site and notifications sent.
- Whether the product, service or feature collects or processes sensitive personal information of children.
Any material risk to children identified by the DPIA must be documented, and the operator must develop a plan to mitigate that risk before the product or service is offered to the public. DPIAs must be reviewed every two years, and must be provided to the California attorney general upon written request but will not be accessible to the public.
Operational requirements
Additionally, operators of online services, products or features likely to be accessed by children must:
- Enable “settings that offer a high level of privacy” by default, including by disabling geolocation collection.
- Draft legal notices, including privacy policies and terms of service, in language that is appropriate for and can be understood by children in the age group likely to be using the service, product or feature.
- Provide clear signals when a product, service or feature is being used by a parent, guardian or another person to track a child’s geolocation or monitor online activity.
- Use personal information collected from consumers to estimate the age range of the website’s or service’s audience base.
- Refrain from profiling children unless the profiling is necessary to provide the service or there is a compelling reason to do so that is in the best interest of the child.
Operators are prohibited from using a child’s personal information in any way that could be detrimental to the child’s mental, physical or general well-being; using manipulative techniques (i.e., dark patterns) to convince a child to provide personal information; and using a child’s personal information for a secondary purpose other than the original purpose for which it was collected unless the operator can demonstrate it is in the best interest of the child to do so.
Enforcement
The law requires that any service, product or feature that is likely to be accessed by children must complete an assessment by July 1, 2024. The AADCA does not provide a private right of action and is enforceable by the attorney general. Penalties for violations range from $2,500 for negligent violations to $7,500 for intentional violations per affected child. Finally, the legislation establishes the Children’s Data Protection Working Group to provide input on the various requirements of the law and to find ways to work in conjunction with the California Privacy Protection Agency established by the CPRA.
Potential impact
Businesses that currently offer online services should assess whether such services fall within the scope of the AADCA and, if so, start planning for what steps may need to be taken by July 1, 2024. Because of the development timeline for many online services, the requirements of the AADCA may need to be considered soon in order to ensure compliance if launching close to or after July 1, 2024. The AADCA represents a seismic shift in the children’s privacy landscape. The requirements imposed cover a broad swath of businesses and will require more diligence to determine whether compliance is necessary. Although the Bill was likely written to target social media companies, the impact will be much wider. Further, because there are no defined thresholds for applicability (for example, a threshold like the CPRA’s, which applies to businesses with an annual revenue of $25 million or more), this legislation obligates any website or online service operator to conduct an assessment of its audience base and determine whether the AADCA may apply, regardless of size or revenue. Finally, operators of websites and online services may be required to make value determinations about whether a data processing activity is in the best interest of a child. In some cases that answer may not be obvious, and the operator of a website or service may be ill-equipped to make such a determination.
Reed Smith will continue to monitor developments with this law. If you have any questions, please reach out to one of the authors.
Client Alert 2022-222