Key Takeaways:

  • On September 15, 2022, California Governor Gavin Newsom signed into law the bipartisan California Age-Appropriate Design Code Act (CAADCA or the Act), Cal Civ. Code 1798.99.28 et seq., which goes into effect on July 1, 2024.
  • The Act places new obligations on companies with online products, services, or features that are “likely to be accessed by children” under the age of 18.
  • The Act is notable for its strict obligations applying to a broad spectrum of businesses, including those whose digital products and services are used by a significant number of minors, even if the business does not directly target children. It is also notable for applying to all minors under 18, rather than distinguishing between those under 13 and those aged 13-18.
  • A recent lawsuit brought by a technology trade group claims the Act violates free speech and is preempted by the Children’s Online Privacy Protection Act (COPPA), which sets website operator requirements for online interactions with children 13 and under, and the Communications Decency Act (CDA).
  • At least five other states are considering children’s privacy-related legislation.

The Act requires “businesses”—as that term is defined by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA)—to implement certain privacy and safety features when designing digital products and services that are “likely to be accessed” by consumers under age 18. Businesses covered by the CPRA include for-profit organizations that do business in California and (1) have an annual gross revenue of more than $25 million, or (2) buy, receive, or sell the personal information (PI) of 100,000 or more California residents; or derive 50% or more of their annual revenue from selling California residents’ PI.

The Act requires that these businesses take the following actions:

  • Avoid the use of “dark patterns” or other design choices that persuade children to provide more PI than is reasonable.
  • Employ age-appropriate design elements, make it easier for children to report privacy problems, and provide an obvious signal to children who are being monitored or tracked.
  • Concisely and prominently provide privacy information, terms of service, policies, and community standards, using language suited to the age of the children.
  • By default, implement high-level privacy safeguards unless there is a compelling business reason in the best interest of the children to set the privacy settings otherwise.
  • Determine the ages of child users with a “reasonable” level of confidence.
  • Conduct a Data Protection Impact Assessment (DPIA) when offering a new product or service to the public that is “likely to be accessed by children” and maintain records of this assessment for as long as such product or service is likely to be used by children (records of the DPIA must be produced upon request to the California attorney general within five days of request).
  • Enforce published terms, policies, and community standards.
  • Avoid the use of children’s PI in ways that are “materially detrimental” to their well-being.
  • Avoid use of precise geolocation of minors, including the collection, sale, or retention of a child’s geolocation.

The last requirement builds on the CPRA which requires that companies that “sell” data of children 16 and under must opt-in to the data sale and more broadly provides data subjects with the ability in certain situations to limit the use of their sensitive personal information, of which precise geolocation data is included in the definition. The Act applies to any business “likely to be accessed by children,” which has a broad definition, including any service, product, or feature that:

  • Is “directed to children,” as defined by COPPA.
  • Is routinely accessed by a significant number of children, as determined by “competent and reliable evidence regarding audience composition.”
  • Has advertisements marketed to children.
  • Has design elements that are known to be of interest to children (including, but not limited to, games, cartoons, music, and celebrities who appeal to children).
  • Has children as a significant portion of its audience, determined based on internal company research.
  • Is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children.

The penalties for breaking the law are harsh. Negligent infractions may result in fines up to $2,500 per affected child, while intentional violations may result in fines of up to $7,500 per affected child. The Act tasks the California attorney general with enforcement and provides a 90-day cure period. In this, the Act differs from the CPRA which has sunsetted a prior 30-day cure period. The Act expressly excludes a private right of action.

While the Act is set to go into effect on July 1, 2024, a lawsuit brought by a technology trade group claims the CAADCA is a content-based restriction on speech and violates the First and Fourth Amendments, as well as the due process and commerce clauses of the Constitution, and that it is preempted by the COPPA and the CDA. That litigation is pending.

In recent months, state legislatures have signaled that children’s privacy is a priority for 2023, with at least five states, including New Jersey, Oregon, Texas, Virginia, and West Virginia, considering children’s privacy-related legislation. Federal regulatory authorities have also prioritized advertising to children and online child safety. The Federal Trade Commission (FTC) held a virtual event on October 19, 2022, titled “Protecting Kids From Stealth Advertising in Digital Media,” and will solicit public feedback on how digital advertising and marketing affect children. The Children’s Advertising Review Unit (CARU) issued new Self-Regulatory Guidelines for Children’s Advertising last year, which took effect January 1, 2022, and apply to advertising that is primarily directed to children under age 13 in any medium or content.