California recently became the first state to enact legislation governing the profiling and processing of personal information gathered from children online.[1] The California Age-Appropriate Design Code Act (CAADCA) becomes law on July 1, 2024, and builds upon the state’s current privacy legislation.[2] The law applies to any business that provides an online service, product, or feature that children are likely to access and meets one or more of the following three criteria: (1) has gross revenue above $25 million; (2) buys, sells, or shares the personal information of 100,000 or more consumers or households; or (3) derives 50 percent or more of its revenue from selling or sharing consumer personal information.[3]
What Requirements Do Businesses Have?
To be CAADCA compliant, businesses must complete a data protection impact assessment, which must identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the business’s data management practices.[4] Covered businesses must complete this DPIA by July 1, 2024.[5] Any identified risk of material detriment to children from the covered businesses’ information management practices must be documented and mitigated or eliminated in accordance with a timed plan.[6] Also, a covered businesses’ privacy settings must provide a “high level of privacy” unless the business can show a compelling reason that different privacy configurations are in the bests interest of the child.[7]
Additionally, a covered business must not:
- Use personal information of a child that the business knows or has reason to know is materially detrimental to the child’s health or well-being
- Collect a child’s precise geolocation information without providing an obvious sign to the child for the duration of the collection of the geolocation information
- Collect, sell, share, or retain personal information that the business does not need to provide an online service, product, or feature with which a child is actively and knowingly engaged. [8]
What Are Businesses Required To Provide To Consumers?
Covered businesses must provide three things. [9] First, they must provide privacy information such as terms of service and policies. These must be provided in concise and clear language that is suited to the age of children that are likely to access the online service or product. [10] Second, if the online service or product allows a parent or guardian to monitor the online activity or track a child’s location, an obvious signal must be provided to the child when the child is being monitored or tracked. [11] Third, a covered business must provide tools to help children—and if applicable, parents or guardians-report concerns and utilize privacy rights. [12]
What Are The Penalties For Not Complying?
A covered business that violates the CAADCA is subject to a civil penalty of no more than $2,500 per affected child from negligent actions. Penalties go up to no more than $7,500 per affected child for intentional violations. [13] The CAADCA is enforced by the California Office of the Attorney General, and there is no private right of action for violations of the law. [14]
Conclusion
The number of privacy laws across the United States continues to increase. Navigating comprehensive data privacy laws is already a difficult task, and a topic-specific privacy law that applies only to children, —such as the CAADCA—only adds to the complexity that businesses can face when it comes to compliance. More than ever, it is important for businesses to stay informed of the shifting legal landscape and be proactive about complying with new data privacy requirements.
[1] Don Thompson, California’ First With Law Protecting Children’s Online Privacy, Los Angeles Times (Sept. 15, 2022), https://www.latimes.com/business/story/2022-09-15/california-first-with-law-protecting-childrens-online-privacy.
[2] Cal. Civ. Code § 1798.99.31 (d) (2023).
[3] Cal. Civ. Code § 1798.99.31 (a) (2023); Cal. Civ. Code § 1798.140 (d) (2023), see Cal. Civ. Code § 1798.99.30 (a) (2023).
[4] Cal. Civ. Code § 1798.99.31 (a)(1)(A),(B) (2023).
[5] Cal. Civ. Code § 1798.99.33 (a) (2023).
[6] Cal. Civ. Code § 1798.99.31 (a)(2)(B) (2023).
[7] Cal. Civ. Code § 1798.99.31 (a)(6) (2023).
[8] Cal. Civ. Code § 1798.99.31 (b) (2023).
[9] See Cal. Civ. Code § 1798.99.31 (a)(1) (2023).
[10] Cal. Civ. Code § 1798.99.31 (a)(7) (2023).
[11] Cal. Civ. Code § 1798.99.31 (a)(8) (2023).
[12] Cal. Civ. Code § 1798.99.31 (a)(10) (2023).
[13] Cal. Civ. Code § 1798.99.35 (a) (2023).
[14] Cal. Civ. Code § 1798.99.35 (d) (2023).