Age-Appropriate Design Code Passes California Legislature

Update: On Sep 15, 2022, California Governor Gavin Newsom signed AB 2273, the California Age-Appropriate Design Code Act. The law will apply to businesses that provide online services, products, or features likely to be accessed by children and broadly requires businesses to implement their strongest privacy settings by default for young users up to the age of 18. AB 2273 will become enforceable on July 1, 2024.

This week, the California legislature passed AB 2273, the California Age-Appropriate Design Code Act (ADCA). The California ADCA is modeled after the UK’s Age Appropriate Design Code, and would apply to businesses that provide “an online service, product, or feature likely to be accessed by a child.” If enacted by Governor Gavin Newsom, the child-centered design law would be the first of its kind in the United States. 

The California ADCA would introduce significant new compliance obligations for US businesses that go beyond the requirements codified in COPPA – the longstanding federal children’s privacy law. Unlike COPPA, which defines “child” as an individual under 13 years old and applies to child-directed services, the California bill defines “child” as  an individual under 18 and applies to any online service that is “likely to be accessed by a child.” For covered entities, the bill would require the implementation of new protective measures for young users, such as configuring default privacy settings to those with the highest level of privacy, and places new limits on profiling, processing geolocation data, and the use of “dark patterns” to influence behavior.

• Age verification: The bill would require that any online service, product, or feature that is “likely to be accessed by a child” estimate the age of young users with a “reasonable level of certainty” or alternatively, apply child-appropriate protections for all consumers. The bill states that the collection of data for age estimation should be balanced appropriately to the risks.
• Data Protection Impact Assessments: Covered entities would be required to complete a Data Protection Impact Assessment (DPIA) on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children offered to the public before that date. After July 1, 2024, the bill would require entities to complete DPIAs for any new online service, product, or feature before offering them to the public. The Act would require DPIAs to account for risks and design features beyond the scope of traditional data protection issues, including elements such as the likelihood of exposure to harmful content, whether algorithms could harm children, and how design features extend use of the online product. Additionally, entities would be required to provide the California Attorney General with a list of all DPIAs the business has completed within three days following the receipt of a written request.
• Enforcement: This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. Civil penalties would be capped at $2,500 per affected child for each negligent violation or $7,500 per affected child for each intentional violation. The bill was recently amended to provide for a 90-day cure period before penalties may be pursued.

What’s Next?

The California Age-Appropriate Design Code would become enforceable July 1, 2024 if enacted by Governor Newsom. The bill leaves many important questions unanswered. Covered entities may seek clarity and guidance from the California Children’s Data Protection Working Group, a new entity created by this bill. The working group would be required to submit a report to the legislature by January 1, 2024 regarding recommendations and best practices for compliance. The passing of the California ADCA reflects a growing focus on protecting children’s privacy online and many expect to see other legislatures follow California’s lead next year. 

With contributions from FPF’s Keir Lamont and Bailey Sanchez.