On Sept. 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act, A.B. 2273 (CAADCA) into law, which goes into effect July 1, 2024. CAADCA is California’s most recent privacy law, following the California Privacy Rights Act of 2020 (CPRA), which modifies and extends the California Consumer Protection Act of 2018 (CCPA). CAADCA seeks to protect children accessing the internet by restricting certain actions of businesses that provide an online service, product, or feature likely to be accessed by them. It cites the increasing amount of time that children spend interacting with the internet and raises concerns for the negative impact that the online world has on their well-being. Covered businesses which violate CAADCA will be subject to a $2,500 penalty per affected child for each negligent violation or a $7,500 penalty per affected child for each intentional violation.
APPLICABILITY
A “covered business” under CAADCA is any entity that is subject to CCPA and provides an online service, product, or feature that is likely to be accessed by children. “Likely to be accessed by children” means it is reasonable to expect that the online service, product, or feature would be accessed by children because:
- it is directed to children as defined by the Children’s Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.) (COPPA);
- it is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
- it is associated with advertisements marketed to children;
- it is substantially similar or the same as an online service, product, or feature described in subparagraph (b);
- it has or contains design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children; or
- it is determined, based on internal company research, that a significant amount of the audience will be children.
Broadband internet access services, telecommunications services, and the delivery and use of a physical product are exempt from these requirements.
COPPA v. CAADCA
CAADCA will require covered businesses to comply with several new requirements and restrictions, and goes further than current federal legislation, COPPA, in several ways. Most notably, there is a significant difference in how each law defines a child. COPPA defines a child as an individual under the age of 13, whereas CAADCA extends protections to children under the age of 18. Under CAADCA, covered businesses will have to “estimate the age of child users with a reasonable level of certainty,” but does not describe how companies will achieve this. Whereas COPPA does not require a covered business to determine a child’s age unless they have actual knowledge that children’s information has been collected, which requires verifiable parental consent. Both laws also vary their limits on data collection. CAADCA requires data collection to be reasonably necessary to provide the product or service, unlike COPPA, which restricts data collection without notice and verifiable parental consent. CAADCA’s applicability is also much broader than COPPA, which applies to businesses that direct their services to children or those that have actual knowledge that a user is a minor, whereas CAADCA applies to businesses that develop and provide online services, products, or features children are “likely” to access.
CAADCA extends beyond COPPA by also having specific requirements for the collection of precise geolocation, default privacy settings, and language of certain privacy information. A covered business must provide an obvious sign to the child for the duration of the collection that the business is collecting their precise geolocation. Covered businesses will also be required to provide an obvious sign to the child if the product or service allows a parent, guardian, or any other consumer to monitor the child’s activity or track their location for the duration of the monitoring. CAADCA will require covered businesses to configure the default privacy settings provided to children to settings that offer a “high level of privacy,” unless a business can demonstrate a compelling reason that a different setting is in the child’s best interest. CAADCA will require any privacy information, terms of service, and other similar policies to be written in clear language, suitable to the age of the child likely to access the site.
RESTRICTIONS