California recently enacted the California Age-Appropriate Design Code Act (“Act”) with the stated intention of requiring businesses to consider the best interests of minors under the age of 18 when designing, developing and providing online services. If your business currently offers online services that are likely to be accessed by minors in California, you should consider starting to prepare Data Protection Impact Assessments in accordance with the Act as soon as possible because the law will require covered businesses to undertake such assessments before offering these services to the public, and it will take time to address the risks identified by the assessments before the Act fully takes effect on July 1, 2024. The California Attorney General will have the authority to require covered businesses to produce Data Protection Impact Assessments within five business days of receiving a written request.

Who Must Comply with the Act? The Act will apply to any “business” that provides an online service that is “likely to be accessed by children”. The Act defines “child” to mean a California resident under 18 years of age, so this summary uses the term “minor” instead of “child.” A “business” is any for-profit organization that determines the means and purposes of processing California residents’ personal information and meets any of the following three thresholds: (1) annual gross revenues of $25 million; (2) buys, sells or shares personal information of 100,000 or more California residents or households annually; or (3) derives at least 50% of annual revenue from selling or sharing California residents’ personal information. Businesses anywhere in the world, not just those with a physical presence in California, may be subject to the Act.

When Is An Online Service Likely To Be Accessed By Minors? An online service is “likely to be accessed by children [i.e., minors]” if, for example: (1) there is reliable and competent evidence that the service is routinely accessed by a significant number of minors; (2) the service has substantially the same functionality as a service that meets definition #1; (3) it includes advertisements marketed to minors; (4) it includes or features games, cartoons, music, celebrities who appeal to minors or other similar elements known to be of interest to minors; or (5) the business knows based on internal research that a significant amount of the service’s audience comprises minors. These definitions are much broader than the comparable definitions in the Children’s Online Privacy Protection Act and will likely cover any service that offers videos, shows, music, games, stories, forums, messaging channels or any other content or features that may be of interest to children or teenagers in California, regardless of the knowledge or intent of the business operating the service.

What Compliance Considerations Apply? Covered businesses should consider whether their online services are likely to be accessed by minors residing in California and, if so, determine whether they wish to change their services so that they fall outside the scope of the Act, or continue to provide the services and comply with the Act. One of the Act’s main requirements is that covered businesses must complete a Data Protection Impact Assessment before offering an online service likely to be accessed by minors to the public. The assessment must identify the purpose of the online service, how it uses minors’ personal information, and the risks of material detriment to minors that arise from the business’ data management practices. In particular, businesses must consider various prescribed risk factors, not all of which directly relate to data privacy. Examples include whether algorithms used by the service could harm children and whether the service could lead to children being targeted by potentially harmful contacts or witnessing potentially harmful conduct on the service. Businesses required to prepare Data Protection Impact Assessments should consider protecting the content of the documents through attorney-client privilege, as the Act states that a disclosure of a Data Protection Impact Assessment to the California Attorney General does not constitute a waiver of such privilege.

Other requirements of the Act will necessitate design and functionality changes. Because the Act requires covered businesses to estimate the age of minor users, the Act seems to contemplate that they must create one or more “minor-friendly” versions of the service that are partitioned from the “adults only” components of the service, or else make the “minor-friendly” version of the service the only experience available to users. The Act will impose numerous requirements on the design and functionality of online services likely to be accessed by minors, including to adhere to privacy by design and default principles, and to not use a minor’s personal information either (1) for any reason other than a reason for which that personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the “best interests” of minors, or (2) in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a minor. The Act also requires covered businesses to provide various notices, tools and enforcement mechanisms to protect minors’ interests and facilitate the exercise of their rights. The Act represents one of numerous recent initiatives to protect children’s personal information in the U.S.

What about Enforcement? The California Attorney General may institute civil actions to enforce the Act through injunctions and monetary penalties of up to $2,500 per affected minor for each negligent violation and up to $7,500 per affected minor for each intentional violation. The California Attorney General may also ask for a list of all of the Data Protection Impact Assessments that a covered business has completed under the Act, which the business must furnish within three business days, and ask for a copy of any such Data Protection Impact Assessment, which the business must provide within five business days. The Act states that it must not be interpreted to serve as the basis for a private right of action, but it seems possible that private plaintiffs may seek to base Unfair Competition Law or other claims on allegations of non-compliance with the Act. The Act contemplates that the California Attorney General may adopt regulations that clarify requirements and concepts under the Act.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.