California Governor Gavin Newsom recently signed into law the California Age-Appropriate Design Code Act (AADCA), which significantly increases the privacy protections that businesses must extend to children online. The AADCA builds on an existing federal privacy law, the Children’s Online Privacy Protection Act (COPPA), but takes those protections to a whole new level by greatly expanding their reach.
The new law does not go into effect until July 1, 2024, but some of the compliance measures will take a lot of planning so it’s never too early to get a handle on it. Learn about when the AADCA applies and what it requires from businesses.
The AADCA applies to “businesses that develop and provide online services, products, or features that children are likely to access.” This raises three main questions: what counts as a “business,” who counts as a “child,” and when is an online service “likely to be accessed” by children?
The AADCA applies to “businesses”; fortunately, we already have a familiar definition for that term because the new law explicitly refers to the California Consumer Privacy Act (CCPA) for many of its key definitions. Under the CCPA, a business is a for-profit entity that collects personal information, does business in California, and meets at least one of the CCPA’s threshold criteria.
To learn more about how these criteria are calculated, read our full article on which businesses must comply with the CCPA.
Under the new law, a “child” is anyone under 18 years of age. This is a major departure from COPPA, which defines a child as anyone under 13 years old. Even the CCPA and the European Union’s General Data Protection Regulation (GDPR) stop imposing additional data-privacy protections once someone reaches the age of 16.
Of course, this expansion means far more people are protected by the AADCA, but it also expands the types of content and subject matter likely to be affected. It is no longer just about products and services like cartoons, toys, and games that are clearly geared toward young children, but anything likely to be accessed by adolescents as well. The dividing line between content for children and content for adults becomes much harder to draw.
While COPPA imposes requirements on online services that are “directed to children,” the AADCA takes a more expansive approach.
Online services do not need to be specifically directed to children to fall under the law’s requirements; instead it’s a question of whether they are “likely to be accessed” by anyone under 18. The AADCA provides six indicators to consider when determining whether an online service is likely to be accessed by children:
Meeting any one of these criteria is enough to indicate that an online service is likely to be accessed by children.
For businesses that must comply with the AADCA, the law could mean big changes to the way they process the personal information of minors. Here are some of the most notable requirements.
For any online service likely to be accessed by children, businesses must complete a data protection impact assessment before offering it to the public (or, for existing services, by the AADCA’s effective date of July 1, 2024).
These assessments must examine the business’s data practices with regard to minors, and determine whether those practices have the potential to be harmful. Data protection impact assessments must also be reviewed every two years.
All privacy settings offered to children must be set—by default—to the highest level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interest of children. In practice, meeting this requirement means either estimating (or verifying) users’ ages so that children can be identified and given the highest privacy settings, or simply making the highest privacy setting the default for all users.
Businesses are prohibited from collecting, selling, or sharing the precise geolocation (within 1850 feet) of children, unless it is strictly necessary to provide the online service. While geolocation information is being tracked, the online service must provide an obvious sign that it is doing so.
If an online service allows parents, guardians, or any other consumer to monitor a child’s online activity or location, it must provide an obvious sign when this feature is active.
The AADCA also places limits on the use of dark patterns. A dark pattern is an interface designed to manipulate or nudge the user in a particular direction, such as a consent pop-up where the “yes” option is brightly colored and larger than the “no” option.
Businesses may not use dark patterns to encourage children to provide personal information beyond what is reasonably necessary to provide the online service, or to take any action that the business knows is materially detrimental to the child’s well-being.
For example, if a business has all privacy settings at the highest level as required, but also uses design features such as font sizes and colored buttons to encourage children to accept a lower privacy setting, this would probably violate the AADCA’s dark-pattern prohibition.
Businesses may not collect, sell, share, or retain (as those terms are defined in the CCPA) any personal information that is not necessary to provide an online service with which a child is actively and knowingly engaged, unless the business can demonstrate a compelling reason why it is in the best interests of the child.
By default, businesses may not profile minors. Profiling is any automated processing of personal information used to evaluate a person, such as using past purchases to predict future shopping behavior.
However, a business may profile a child by default if two conditions are met:
For businesses that already need to be CCPA compliant and whose services are likely to be accessed by minors, the AADCA adds an extra layer of complexity to privacy compliance. Without an in-house privacy expert or the resources to hire a specialist consultant, managing all of the different requirements is a daunting task.
TrueVault Polaris simplifies the complexities of data privacy compliance for small and medium-sized businesses. Designed by attorneys, Polaris provides a guided experience that takes businesses all the way from onboarding vendors to responding to privacy requests. Contact us today to learn more and schedule a demo.