On September 15, California Governor Newsom signed the bipartisan bill AB 2273, the California Age-Appropriate Design Code Act (“ADCA”). Set to take effect on July 1, 2024, the ADCA is the first state law in the nation to require businesses to put protections in place for users of an “online service, product, or feature” who are under 18 years old.
In contrast, current regulations under the Children’s Online Privacy Protection Act (COPPA) cover only users under the age of 13. The ACDA aligns with international frameworks that are moving toward stricter protection of children’s data and establishes the California Children’s Data Protection Working Group to develop and review additional best practices and requirements under the ACDA. Businesses in scope of the ACDA will be faced with sweeping regulations that govern their online services not only directed to children under 18 but also “likely to be accessed” by children under 18.
Key Provisions of the Law
- Age Verification: Businesses must estimate the age of child users for any online service, product, or feature that is “likely to be accessed by a child,” as defined by the law–and apply child-appropriate protections for child users. Alternatively, businesses can apply child-appropriate protections to all consumers that visit the online services.
- Data Protection Impact Assessment: Before providing any new online services, product, or feature that is likely to be accessed by children, businesses must complete a Data Protection Impact Assessment (DPIA) of the risks associated with the access by children. Moreover, businesses are required to provide the California Attorney General with a list of all DPIAs completed by the business upon request.
- Privacy Notice: Businesses must provide any privacy information and terms of service in clear language so that children likely to access that online service, product, or feature, can understand it.
- Restrictions on Personal Information Processing: Businesses are prohibited from collecting, selling, sharing, or retaining any personal information that is not necessary for providing the online service or product. They are also prohibited from collecting any precise geolocation information unless it is strictly necessary for providing the online service or product.
- Significant Penalties for Violations: The Attorney General may seek an injunction or civil penalty against any business that violates its provisions. Civil penalties range from not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation.
Action Items/Takeaways:
While the ACDA does not take effect until July 1, 2024, because it applies to a larger swath of users, its requirements are likely to take numerous resources and time for businesses that are in scope. Businesses can start preparing sooner rather than later to ensure their operations are not Interrupted when the effective date arrives.
- Determine Applicability: Businesses should perform an analysis to determine if their services are directed toward users under the age of 18 or are “likely to be accessed” by users under the age of 18. Businesses can reference the law’s enumerated list of factors that may suggest the service is “likely to be accessed” by such users.
- Perform Required Data Protection Impact Assessment (DPIA): Businesses that determine they are in scope of the law should take steps to perform a DPIA and document their findings.
- Develop and Implement Appropriate Safeguards: Businesses in scope of the law should determine whether their current data protection safeguards comply with the law’s requirements. From there, businesses can bolster (and remediate where necessary) their compliance efforts to align with the key requirements outlined above.
Octillo regularly monitors the data privacy landscape and will continue to provide updates on enforcement trends related to the CCPA, GDPR, and other global and domestic privacy regulations. Our team routinely works with clients to update their external policies and data collection practices to work towards compliance with the growing list of privacy regulations.
*Attorney Advertising. Prior results do not guarantee similar outcomes.