InfoLawGroup LLP

View Original

From the U.K. to California – Age Appropriate Design Code Enacted in the Golden State


California has passed AB 2273, the California Age-Appropriate Design Code Act, with Governor Newsom signing the Act on September 15, 2022. The Act is modeled after the UK’s Age Appropriate Design Code and imposes strict requirements on companies that offer services or products likely to be accessed by children. It also creates the California Children’s Data Protection Working Group (further explained below), which will seek to leverage the expertise of the California Privacy Protection Agency (CPPA), for implementation guardrails.

The California Age-Appropriate Design Code Act is effective July 1, 2024. Covered businesses under the Act should begin compliance preparation prior to the Act’s enforcement date, as the Act imposes several unique concepts related to children’s data protection that have not been seen in the United States. We have provided an overview of key takeaways below.

Applicability and Penalties – The Act will have sweeping applicability, requiring compliance by any business that provides an online service, product, or feature likely to be accessed by children. While there is no private right of action under the Act, enforcement is vested in the California Attorney General. Violations of the Act are subject to $2,500/child for negligent violations and up to $7,500/child for intentional violations.

Requirements under the Act – Covered businesses will be required to take significant steps to ensure compliance. At a high level, these requirements include:

  • DPIAs. Companies looking to launch any new online services, products, or features that are likely to be accessed by children must submit DPIAs prior to launch.

    • Material Detriment: In the event a DPIA identifies a risk of material detriment to children, the company must create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessible by children.

    • California Attorney General: DPIAs must be made available to the California AG within five (5) business days of a written request, subject to certain confidentiality and privilege protections.

  • Age Estimation. Companies must estimate the age of child users with a reasonable level of certainty.

  • Privacy Settings. Configure all default privacy settings related to any online service/product to provide the highest possible level of privacy protection.

  • Disclosures. Provide proper privacy disclosures prominently and in clear language suited for children.

  • Profiling. Companies cannot profile a child by default unless (i) the proper safeguards are in place to protect such child and (ii) the profiling is either necessary to provide the service, product, or feature OR the business can demonstrate a compelling reason that profiling is in the best interests of the child.

  • Geolocation. Companies cannot collect, sell, or share children’s precise geolocation by default, unless it is strictly necessary to provide the service, product, or feature. In such case, the collection is limited only to the time that is necessary for that purpose.

  • Monitoring Signals. Provide an obvious signal to the child if their parent/guardian has the ability and is monitoring the child’s online activity or location.

  • Dark Patterns. Prohibit dark patterns that would encourage minors to give away personal information that is not necessary to the service, product, or feature.

  • Exercising Rights. Provide prominent and accessible tools to help children and parents/guardians exercise their privacy rights.

Working Group – The Act creates the California Children’s Data Protection Working Group, a group that is set to provide a report of their recommendations on the below by January 1, 2024:

  • How to identify online services, products, or features likely to be accessed by children

  • Processes for evaluating and prioritizing the best interests of children through the design, development, and implementation of an online service, product, or feature

  • Privacy-focused age verification procedures

  • Guidance on updating privacy policies in accordance with the Act

  • Means of assessing and mitigating risks that may arise from children’s use of an online service, product, or feature

  • Clarity on how the working group and DOJ will utilize the CPPA’s expertise on furthering the safety of children online.

The Working Group’s report will provide some necessary clarification on the scope and practicality of the requirements under the Act. Nonetheless, given that the report is not expected until six (6) months prior to enforcement, companies should begin their initial determinations on whether they need to comply with the Act and assess their capability to do so with respect to the online services, products, or features they offer or plan to offer.


Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights
HERE.