On Aug. 29, California’s Senate unanimously passed Assembly Bill 2273, known as the Age-Appropriate Design Code Act (the CA AADC or the Bill). The Bill, which is anticipated to be signed into law by Gov. Gavin Newsom, is aimed at promoting online safety and privacy for children under 18. The Bill was inspired by the UK’s Age-Appropriate Design Code (the UK AADC or the Children’s Code) and includes many similar requirements. If it is signed into law, covered businesses would need to come into compliance with the Bill’s core provisions by July 1, 2024. This blog explains who is covered, key provisions and how the CA AADC compares to its UK counterpart.
Who is covered
The CA AADC will apply to any business that meets the revenue or data-collection thresholds created by the California Consumer Privacy Act (CCPA) and “provides an online service, product or feature likely to be accessed by children.” The Bill includes a detailed definition of the phrase “likely to be accessed by children,” which includes not only services directed to children under the federal Children’s Online Privacy Protection Act (COPPA) but also general-audience websites, apps and online services that are routinely accessed by a significant number of children, have a “significant amount” of child users, are “substantially similar” to services known to be accessed by a significant number of children, feature advertisements marketed to children or have design elements known to be of interest to children.
In contrast to COPPA, which protects online users under the age of 13, the CA AADC broadly defines a “child” as anyone under 18 years of age and calls for businesses to “take into account the unique needs of different age ranges.” Like the UK AADC, the CA AADC splits the age ranges of children into five developmental categories: 0 to 5 years of age or “preliterate and early literacy”; 6 to 9 years of age or “core primary school years”; 10 to 12 years of age or “transition years”; 13 to 15 years of age or “early teens”; and 16 to 17 years of age or “approaching adulthood.”
Also similar to the UK AADC, the Bill calls for businesses to adopt age-assurance mechanisms that are “proportionate to the risks and data practice[s] of an online service, product or feature.” If a business cannot estimate the age of users with a reasonable level of certainty, it must “apply the privacy and data protections afforded to children to all consumers.”
What the Bill entails
The Bill includes both affirmative requirements and a list of prohibited acts. The affirmative steps that businesses must take include configuring all default privacy settings to offer a high level of privacy unless the business can demonstrate a compelling reason that a different setting is in the best interests of children. The Bill also mandates that businesses provide privacy information, terms of service, policies and community standards concisely, prominently and in clear language suited to the age of children likely to access their services.
Businesses will also be required to complete Data Protection Impact Assessments (DPIAs) for online services, products and features likely to be accessed by children. The Bill includes several factors that must be addressed in a DPIA:
- Whether the design of the online product, service or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service or feature.
- Whether the design of the online product, service or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service or feature.
- Whether the design of the online product, service or feature could permit children to witness, participate in or be subject to harmful, or potentially harmful, conduct on the online product, service or feature.
- Whether the design of the online product, service or feature could allow children to be party to or exploited by a harmful, or potentially harmful, contact on the online product, service or feature.
- Whether algorithms used by the online product, service or feature could harm children.
- Whether targeted advertising systems used by the online product, service or feature could harm children.
- Whether and how the online product, service or feature uses system design features to increase, sustain or extend use of the online product, service or feature by children, including the automatic playing of media, rewards for time spent and notifications.
- Whether, how and for what purpose the online product, service or feature collects or processes sensitive personal information of children.
Based on the identified risks, businesses must “create a timed plan to mitigate or eliminate the risk before the online service, product or feature is accessed by children.”
The Bill also includes several specific prohibitions, including:
- Using children’s personal information for ways the business knows, or has reason to know, “is materially detrimental to the physical health, mental health or well-being of a child.”
- Profiling children unless certain criteria are met.
- Collecting, selling, sharing or retaining any personal information not necessary to provide an online service with which a child is actively and knowingly engaged unless the business can demonstrate a compelling reason for doing so.
- Collecting, selling or sharing a child’s precise geolocation data by default unless doing so is strictly necessary. If a business must collect a child’s precise geolocation data, it must provide an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.
- Using dark patterns to encourage children to forgo privacy protections, provide personal information beyond what is reasonably expected to provide that online service or take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health or well-being.
Covered businesses must complete a DPIA on or before July 1, 2024, for any currently existing online service, product or feature that the business plans to continue offering beyond that date. After July 1, 2024, businesses must complete a DPIA for any new service, product or feature before that service, product or feature is offered to the public.
Comparison to UK version
The factors to be considered in a DPIA and the list of prohibitions above will no doubt look familiar to businesses that have addressed compliance with the UK AADC. Indeed, on the first anniversary of the implementation of the UK AADC, the UK Information Commissioner’s Office issued a press release in which it lauded the UK AADC’s positive influence over California, Europe, Canada and Australia in inspiring reviews of children’s privacy protections and asserted that California lawmakers used the UK AADC as its “template.” While the CA AADC is not identical to the UK version and is not structured in a way that directly follows the 15 standards described in the UK AADC, the influence of the UK Children’s Code on the Bill can hardly be overstated. The Bill specifically provides that “[i]t is the intent of the Legislature that businesses covered by the California Age-Appropriate Design Code may look to guidance and innovation in response to the Age-Appropriate Design Code established in the United Kingdom when developing online services, products or features likely to be accessed by children.”
Indeed, the Bill further allows that “[a] Data Protection Impact Assessment conducted by a business for the purpose of compliance with any other law complies with this section if the Data Protection Impact Assessment meets the requirements of this title.” Given the overlap between the requirements – from considering the best interests of the child to adopting high-privacy default settings to avoiding detrimental use of data to switching off precise geolocation tracking and profiling by default, among many others – there is a good likelihood that a thorough DPIA conducted under the UK AADC would satisfy the requirements of the California DPIA.
Regulations and creation of the California Children’s Data Protection Working Group
The Bill specifies that the California Attorney General “may solicit broad public participation and adopt regulations to clarify the requirements of this title.” This could add an interesting twist to the rulemaking currently taking place under the CCPA because that rulemaking is being handled by the California Privacy Protection Agency (the CPPA) and not the Attorney General. When the CPPA published its initial proposed California Privacy Rights Act Regulations, it deferred rules on risk assessments and profiling for a future round of rulemaking. It remains to be seen how the CCPA Regulations on these topics may intersect with the CA AADC’s requirements, and the introduction of a second rulemaking authority could complicate matters.
The Bill also creates the California Children’s Data Protection Working Group – whose members must have expertise in several areas, including in the areas of children’s data privacy and children’s rights – to deliver a report to the Legislature regarding best practices for implementation every two years until 2030. The members of the Working Group will be appointed by multiple governmental authorities, including the CPPA. The Bill requires the Working Group to take input from stakeholders, including academics, consumer advocacy groups and affected businesses. Further cementing the California-UK connection, the Bill also calls for the Working Group to “consider the guidance provided by the Information Commissioner’s Office in the United Kingdom when developing and reviewing best practices or other recommendations related to the California Age-Appropriate Design Code.” The creation of the Working Group appears to be an acknowledgement of the challenges in interpretation of certain best practices and the current lack of consensus with certain key tenets of the Bill, such as what is in the “best interests of the child” and how to effectively implement age assurances without collecting more data than necessary.
The Bill authorizes the California Attorney General to monitor businesses’ compliance by requesting businesses to produce copies of their DPIAs and to enforce violations by seeking injunctions and civil penalties. Businesses must provide the Attorney General with a list of all DPIAs completed within three business days of a written request and copies of all DPIAs within five business days. Civil penalties range from no more than $2,500 per affected child for each negligent violation and no more than $7,500 per affected child for each intentional violation. The Bill includes a 90-day cure provision for businesses to correct any violations.
The Bill expressly does not provide for a private right of action, stating that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under this title or any other law.” Plaintiffs’ attorneys may nevertheless attempt to bring actions for violations of the CA AADC using other avenues.
California’s Unfair Competition Law (UCL), which prohibits businesses from engaging in “unlawful, unfair or fraudulent” business practices, allows plaintiffs to treat violations of other laws as an “unlawful” practice under the UCL. However, use of a violation of the CA AADC to bring a UCL claim would likely not survive the pleading stage, as courts typically do not allow plaintiffs to use a statute as a predicate act under the UCL’s unlawful prong if the statute expressly does not provide a private right of action.
Similar issues arise when a plaintiff attempts to use an alleged violation of law as the basis for a negligence per seclaim – a tort claim based on the doctrine that one who violates a statute may be liable for damages if the violation caused the type of harm the statute was intended to avoid. Courts have generally held that a negligence per se claim cannot be premised on a statute that does not contain a private right of action. Therefore, a negligence per se claim predicated on a violation of the CA AADC would likely not survive the pleading stage.
Given that the CA AADC contains no private right of action, plaintiffs will likely continue to rely on other creative ways to sue social medial companies. This year, several lawsuits have pushed the envelope using a number of different theories, including product liability alleging social media platforms suffer from design defects and that social media companies are liable for failure to warn.
Defendants facing these types of claims have a variety of defenses at their disposal, one of the top being that a variety of intervening factors break the chain of causation, preventing plaintiffs from proving that social media platforms are the but for cause of their injuries. We will continue to monitor how the AADC impacts the litigation risk landscape.
If Gov. Newsom signs the CA AADC into law, businesses should begin working toward compliance as soon as possible – whether that means revisiting existing UK AADC compliance or starting to design and implement a new CA AADC program. Because the CA AADC requires not just completion of a DPIA but material changes to online services, products and features likely to be accessed by children, it may take substantial time and effort for businesses to comply. Additionally, because the law applies to general-audience websites and online applications, many businesses that have not previously had to give much consideration to children’s privacy issues will need to do so.