On September 15, 2022, Governor Newsom of California approved the California Age-Appropriate Design Code Act (the “Act”), marking a significant shift in the regulation of children’s personal data. The bipartisan landmark Act, which will take effect July 1, 2024, was inspired by the U.K. Age-Appropriate Design Code, and imposes new requirements on businesses that provide services, products, or features that are “likely to be accessed” by individuals under the age of 18. The Act imposes a number of obligations on covered businesses, including by requiring businesses to provide clear notices to children and to conduct a robust data protection impact assessment evaluating risks the service poses to children. Below is a summary of the scope of the law, key requirements, how the law will be enforced, and what covered businesses can do now to prepare.

---

Who does the law apply to?

The Act will require “businesses” that offer online services, products or features “likely to be accessed by children” to implement protective guardrails and refrain from certain activities with respect to child users. The California Privacy Rights Act (which will already be in force once the Act takes effect) defines a “business” for purposes of the Act as a for-profit entity that does business in California and meets one or more of the following criteria:

• Had annual gross revenues in excess of $25,000,000 in the preceding calendar year;
• Alone or in combination, annually buys, sells, or shares the personal information of 100,000[1] or more California consumers or households; or
• Derives 50% or more of its annual revenues from selling consumers’ personal information.

An online service, product, or feature is “likely to be accessed by children,” if, among other criteria specified in the Act:

• It is “directed to children,” as defined by the Children’s Online Privacy Protection Act (“COPPA”)[2],
• It is routinely accessed by a “significant number” of children,
• It contains ads marketed to children, or
• It has design elements that are known to be of interest to children.

Notably, the Act defines a “child” more broadly than COPPA. While COPPA defines a “child” as an individual under the age of 13, the Act defines a “child” as a consumer under the age of 18.

What does the law require?

Businesses subject to the Act will be required to take several steps designed to evaluate, mitigate, or prevent risks to children that may arise from the businesses’ collection, use, and sharing of children’s personal data. For example, covered businesses must:

• Perform a Data Protection Impact Assessment (“DPIA”). Businesses will need to complete, maintain, and review a DPIA every two years for any digital services, products or features likely to be accessed by children for as long as such services, products or features are offered. The DPIA must identify the purpose of the online service, product or feature, how it uses children's personal information, and the risks of material detriment to children that arise from the data management practices of the business. The DPIA must address, among other things, whether the services (and any targeted advertising used on the services) could harm children, expose them to harmful content, or expose them to harmful contacts. The business must also create a timed plan to mitigate or eliminate any risks identified in the DPIA. The California Attorney General is entitled to request and receive a copy of the DPIA.
• Configure all default privacy settings provided to children by the online service, product or feature to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
• Provide disclosures in language suitable for children. Businesses must provide any privacy information, terms of service, policies, and community standards concisely and prominently, and use clear language suited to the age of children likely to access that online service, product, or feature.
• Notify children of monitoring or tracking on the service. If the online service, product, or feature allows the child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, it must provide an obvious signal to the child when the child is being monitored or tracked.
• Enforce their own terms. Businesses must enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and other terms and standards concerning children.
• Facilitate children’s, parents’, or guardians’ ability to exercise privacy rights. Businesses must provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns.

Businesses subject to the Act are also prohibited from certain activities, such as:

• Using a child’s personal data in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.
• Profiling the child (subject to certain exceptions).
• Collecting, selling, or sharing precise geolocation information of children unless it’s strictly necessary for provision of the service to the child.
• Collecting precise geolocation without providing an “obvious sign” to the child regarding this collecting.
• Using dark patterns (e.g., manipulative interface designs) to lead or encourage children to provide personal information beyond what is reasonably expected to provide the service.

The Act also creates the California Children's Data Protection Working Group, to be comprised of ten appointed experts in children’s data privacy and children’s rights, which will be responsible for identifying best practices for implementation of the Act.

What are the penalties for non-compliance?

Businesses that violate the Act may be subject to an injunction and liable for a civil penalty of $2,500 per affected child for each negligent violation or $7,500 per affected child for each intentional violation. The Act will be enforced by the California Attorney General.

What can businesses do now to prepare for the Act?

The Act becomes effective on July 1, 2024, providing covered businesses with a long run-way to become compliant. Businesses should start by evaluating whether they do (or in the foreseeable future will) qualify as “businesses” under the CPRA and whether their features are “likely to be accessed by children,” which would require compliance with the Act. Prior to the Act’s effective date, covered businesses should conduct a DPIA. Additionally, covered businesses should evaluate whether any changes are needed to online disclosures and their collection, use, and sharing practices with respect to children’s personal data. For assistance with that process, or if you have any questions regarding this client alert, please reach out to your Gunderson Dettmer attorney or contact one of our data privacy experts: