Businesses which are covered by the CPRA and that offer an online service, product or feature likely to be accessed by children will be required to comply with the newly passed California Age-Appropriate Design Code Act (CAADCA) – or risk penalties of up to $7,500 per child for violations.
If this is you, read on to find out more about the impending requirements:
Covered Businesses
There are two requirements businesses must meet to be covered by this legislation:
- The business must be covered by the CPRA (read more here); and
- The business must offer an online service, product or feature likely to be accessed by children.
There are several key definitions that are important in determining whether your business meets the threshold for the second requirement:
The definition of “children” under the CAADCA:
The CAADCA defines children more broadly than the federal government’s Children’s Online Privacy Protection Act (COPPA) legislation. COPPA applies to children 13 and under, while the CAADCA applies to children 18 and under.
The definition of “likely to be accessed by children” under the CAADCA:
An online service, product, or feature is “likely to be accessed by children” if it is reasonable to expect it would be accessed by children based on the following indicators:
- It is “directed to children”, as defined in the COPPA.
- It is routinely accessed by a significant number of children, based on competent and reliable evidence.
- It has advertisements marketed to children.
- It is substantially similar or the same as a service that is routinely accessed by a significant number of children, based on competent and reliable evidence.
- It has design elements known to be of interest to children, including games, cartoons, music, and celebrities who appeal to children.
- Internal research shows that children make up a significant amount of the audience of the online service, product, or feature.
Covered businesses must be compliant by July 1, 2024.
Requirements Under CAADCA
The CAADCA’s specific requirements for covered businesses include the following:
- Undertake a Data Protection Impact Assessment (DPIA) that addresses whether the design of the online product, service, or feature could
- Harm children;
- Lead to children experiencing or being targeted by harmful or potentially harmful contacts;
- Permit children to witness, participate in, or be subject to harmful or potentially harmful conduct;
- Allow children to be party to or exploited by a harmful or potentially harmful contact; or
- Collect sensitive personal information of children.
The DPIA must also consider whether the algorithm(s) or targeted advertising system(s) used by the online product, service, or feature could harm children or whether it contains design features that promote increased, sustained, or extended use.
- Document any material risk of harm to children.
- Provide the California Attorney General (AG) with certain DPIA-related documents, within 5 business days of request from the AG .
- Either apply the privacy and data protections afforded to children to all customers or estimate the age of child users with a reasonable level of certainty appropriate to the relevant risks.
- Offer high levels of privacy by default to child users.
- Convey important privacy information in language that is suited to the age of children likely to access that online service, product, or feature.
- Provide obvious signals to the child when the child is being tracked by a parent, guardian, or other consumer.
- Provide easy-to-access tools facilitating the exercise of privacy rights by children or their parents.
Covered businesses are also prohibited from the following:
- Using personal information of a child in a way that is materially detrimental to the child.
- Profiling children by default (except in certain circumstances).
- Collecting, selling, sharing, or retaining personal information that is not necessary to provide the online service, product or feature.
- Using personal information for any reason other than that/those for which it was collected.
- Collecting, selling, or sharing precise geolocation information of children by default;
- Collecting precise geolocation information of a child without providing an obvious sign to the child for the duration of the collection.
- Using dark patterns to encourage children to provide personal information other than in certain circumstances.
- Using any personal information used to estimate age or age range for any other purpose or retaining that personal information longer than necessary to estimate age.
Penalties for Non-Compliance with the Age-Appropriate Design Code
California’s new law empowers the AG’s office to impose penalties as follows:
- Up to $2,500 per child for negligent violations; and
- Up to $7,500 per child for intentional violations.
If you need assistance developing and implementing a plan to meet the CAADCA requirements, reach out. Our privacy team would love to help.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
