There is clear consensus among lawmakers and regulators of the need for increased regulation surrounding the processing of children’s data. Recent actions by the Federal Trade Commission (FTC) and state lawmakers signal that companies processing children’s data should expect to see increased scrutiny.
The California Age-Appropriate Design Code Act
On September 15, 2022, Governor Newsom signed the California Age-Appropriate Design Code Act (the “Act”), a law directed at businesses that provide online services, products, or features that are likely to be accessed by children under 18. It was modelled after the UK Age-Appropriate Design Code. The Act takes effect on July 1, 2024.
The Act applies to businesses who provide online services, products, or features “likely to be accessed by children”, meaning that it is “reasonable to expect”, access by children. Indicators of such access include if the activity is:
- Directed to children as defined by the Children’s Online Privacy Protection Act (“COPPA”);
- Determined to be routinely accessed by a significant number of children based on competent and reliable evidence regarding audience composition, or substantially similar to such an online service, product, or feature;
- Marketed to children;
- Designed to include elements that are known to be of interest to children, such as games, cartoons, music, and celebrities who appeal to children; or
- Determined, based on internal company research, to have a significant amount of the audience be children.
Unless the Act provides a specific definition, it utilizes the defined terms found in the California Privacy Protection Agency (CPRA). As a result, the Act only applies to those businesses subject to the CPRA.
A notable difference in definition from the CPRA is that of “children”, which means California residents who are under the age of 18. The CPRA specifies rules for children under the age of 16, while COPPA specifies rules for children under 13 years of age.
Therefore, businesses need to re-evaluate their online services, products, or features with respect to different age categories under the Act.
Data Protection Impact Assessments
Before any new service that attracts children is offered to the public, businesses must complete a Data Protection Impact Assessment. A business shall bi-annually review all Data Protection Impact Assessments, and must, upon request from the California Attorney General, provide copies of the assessments within five business days.
The Act requires businesses to clearly display a signal to a child when the child’s activity or geolocation is being monitored or tracked.
Default High Privacy Levels
Businesses must configure all default privacy settings provided to children to offer a high level of privacy. Businesses should follow the Age-Appropriate Design Code requirement of only making children’s personal information visible or accessible to other users of the business if they change settings from the default of not allowing visibility.
Unique Needs of Different Ages
The Act states that businesses should estimate the age of their child users and take into account the unique needs of different age ranges. These include 0 to 5 years or “preliterate and early literacy”; 6 to 9 years or “core primary school years”; 10 to 12 years or “transition years”; 13 to 15 years or “early teens”; and 16 to 17 years or “approaching adulthood.” This means that requirements can vary, and are often less strict, if older children are affected.
The California Attorney General has enforcement authority under the Act. There is no private right of action. The Act carries civil penalties from $2,500 up to $7,500 per affected child. There is a limited cure time of 90 days under the act.
In May, the FTC released a Policy Statement. In this statement, the FTC emphasized the need to enforce COPPA limitations on operators’ ability to use, retain, and collect children’s data. In addition, the FTC demanded enforcement of notice and consent requirements.
CCPA and CPRA Compliance
In addition to complying with COPPA, businesses must comply with the opt-in requirement for collecting children’s data under the CCPA and CPRA. This means that businesses covered by the CCPA and CPRA will need express consent to sell the personal information of a consumer under the age of 16. If the consumer is younger than 13, a parent or guardian must affirmatively authorize the sale of information.
Complex compliance tasks require competent advice. Your organisation may profit from an experienced Data Protection Officer (DPO). For further support, please contact us at firstname.lastname@example.org.