New California Privacy Law Expands Protections for Children

children-online
 

California Governor Gavin Newsom recently signed into law the California Age-Appropriate Design Code Act (AADCA), which significantly increases the privacy protections that businesses must extend to children online. The AADCA builds on an existing federal privacy law, the Children’s Online Privacy Protection Act (COPPA), but takes those protections to a whole new level by greatly expanding their reach.

The new law does not go into effect until July 1, 2024, but some of the compliance measures will take a lot of planning so it’s never too early to get a handle on it. Learn about when the AADCA applies and what it requires from businesses.

When Does the AADCA Apply?

The AADCA applies to “businesses that develop and provide online services, products, or features that children are likely to access.” This raises three main questions:

  1. What is a business?
  2. What counts as a child?
  3. What does “likely to access” mean?

1. What Is a Business?

The AADCA applies to “businesses”; fortunately, we already have a familiar definition for that term because the new law explicitly refers to the California Consumer Privacy Act (CCPA) for many of its key definitions. Under the CCPA, a business is a for-profit entity that collects personal information, does business in California, and meets at least one of the following criteria:

  1. Has at least $25 million in gross annual revenue
  2. Buys, sells, or shares the personal information of at least 100,000 California residents annually
  3. Derives 50% or more of its annual revenue from the sale or sharing of personal information

To learn more about how these criteria are calculated, read our full article on which businesses must comply with the CCPA.

2. What Counts as a Child?

Under the new law, a “child” is anyone under the age of 18 years of age. This is a major departure from COPPA, which defines a child as anyone under 13 years old. Even the CCPA and the European Union’s General Data Protection Regulation (GDPR) stop imposing additional data-privacy protections once someone reaches the age of 16. 

Of course, this expansion means many people are protected by the AADCA, but it also expands the types of content and subject matter likely to be affected. Now it’s not just about products and services like cartoons, toys, and games that are clearly geared toward young children, but anything likely to be accessed by adolescents as well. The dividing line between content for children and adults may be less clear.

3. What Does “Likely to Access” Mean?

While COPPA imposes requirements on online services that are “directed to children,” the AADCA takes a more expansive approach. 

Online services do not need to be specifically directed to children to fall under the law’s requirements; instead it’s a question of whether they are “likely to be accessed” by anyone under 18. The AADCA provides six indicators to consider when determining whether an online service is likely to be accessed by children:

  1. It is directed to children as defined by COPPA
  2. It is routinely accessed by a significant number of children, based on competent and reliable evidence regarding audience composition.
  3. It is substantially similar to an online service that meets criteria #2
  4. It features advertisements marketed to children
  5. It has design elements known to be of interest to children, such as games, cartoons, music, and celebrities who appeal to children
  6. Based on internal company research, a significant amount of the audience is determined to be children

Meeting any one of these criteria is enough to indicate that an online service is likely to be accessed by children.

Complying With the AADCA

For businesses that must comply with the AADCA, the law could mean big changes to the way they process the personal information of minors. Here are some of the most notable requirements.

Data Protection Impact Assessments

For any online service likely to be accessed by children, businesses must complete a data protection impact assessment before offering it to the public (or, for existing services, by the AADCA’s effective date of July 1, 2024). 

These assessments must examine the business’s data practices with regard to minors, and determine whether those practices have the potential to be harmful. Data protection impact assessments must also be reviewed every two years.

Privacy by Default

All privacy settings offered to children must be set—by default—to the highest level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interest of children. Implementing this requirement will mean either including an age verification procedure, or making the highest privacy setting the default for all users.

Geolocation Tracking

Businesses are prohibited from collecting, selling, or sharing the precise geolocation (within 1850 feet) of children, unless it is strictly necessary to provide the online service. While geolocation information is being tracked, the online service must provide an obvious sign that it is doing so. 

Tracking by Parents and Others

If an online service allows parents, guardians, or any other consumer to monitor a child’s online activity or location, it must provide an obvious sign when this feature is active.

Dark Patterns

The AADCA further places further limits on the use of dark patterns. A dark pattern is an interface that is designed to manipulate or encourage the user in a certain direction, such as a consent pop-up where the “yes” option is brightly colored and larger than the “no” option.

Businesses may not use dark patterns to encourage children to provide personal information beyond what is reasonably necessary to provide the online service, or to take any action that the business knows is materially detrimental to the child’s well-being.

For example, if a business has all privacy settings at the highest level as required, but also uses design features such as font sizes and colored buttons to encourage children to accept a lower privacy setting, this would probably violate the AADCA’s dark-pattern prohibition.

Data Minimization

Businesses may not collect, sell, share, or retain (as those terms are defined in the CCPA) any personal information that is not necessary to provide an online service with which a child is actively and knowingly engaged, unless the business can demonstrate a compelling reason why it is in the best interests of the child.

Profiling

By default, businesses may not engage in the profiling of minors. Profiling is any automated processing of personal information that is used to evaluate a person, such as using past purchases to predict future shopping behavior. 

However, a businesses may profile a child by default if two conditions are met:

  • The business can demonstrate it has appropriate safeguards in place to protect children, and
  • At least one of the following is true:
    • The profiling is necessary to provide the online service requested and only with respect to the aspects of the online service with which the child is actively and knowingly engaged, or
    • The business can demonstrate a compelling reason that profiling is in the best interests of children

Simple Compliance for Complex Privacy Laws

For businesses that already need to be CCPA compliant and whose services are likely to be accessed by minors, the AADCA adds an extra layer of complexity to privacy compliance. Without an in-house privacy expert or the resources to hire a specialist consultant, managing all of the different requirements seems like an almost impossible task.

TrueVault Polaris simplifies the complexities of data privacy compliance for small and medium-sized businesses. Designed by attorneys, Polaris provides a guided experience that takes businesses all the way from onboarding vendors to responding to privacy requests. Contact us today to learn more and schedule a demo.

Schedule Call