It is no secret that for years, California has been a leader in consumer digital privacy regulation. Now, California has set its sights on expanding children's privacy rights.
As readers of this blog know, the State of California passed the groundbreaking California Privacy Rights Act of 2020 ("CCPA") which, among other measures, ensured that businesses protect the personal data of children under 16 years of age. The CCPA requires parental or guardian consent before the sale of a child's information can take place. Additionally, the CCPA awards treble damages for anyone who commits a violation involving a child's personally identifiable information.
In continuation of its efforts to protect the privacy rights of children, California recently introduced the California Age-Appropriate Design Code Act (the "CAADCA," "Children's Privacy Act," or the "Bill").
The Bill highlights that lawmakers all over the world (in the EU, in particular) have taken steps to enhance online privacy protections for children. The CAADCA explains that "[c]hildren should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access." This includes strong privacy protections, including disabling features that profile children.
Unlike prior privacy laws passed in California, the CAADCA defines a child as a consumer under the age of 18 years of age. However, the Bill recognizes that not all minors under the age of 18 require the same degree of protection and that safeguards afforded should be "designed in a manner that recognizes the distinct needs of children at different age ranges."
What are the Specific Provisions Contained in the Children's Privacy Act?
The CAADCA requires businesses that provide online services, products, or features likely to be accessed by children to comply with specific requirements. Among other things, businesses must:
- Configure all default privacy settings to the highest level of privacy, unless businesses can demonstrate a compelling reason that a different setting is in the best interests of children;
- Provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access the applicable online businesses; and
- Before offering a new online service, product, or feature to the public, complete a Data Protection Impact Assessment ("DPIA") and maintain documentation as long as it is likely to be accessed by children.
Among other things, the Children's Privacy Act prohibits covered businesses from:
- Using the personal information of children for any purpose other than the reason for which it was collected, unless businesses can demonstrate a compelling reason for doing so;
- Using dark patterns to lead or encourage children to provide personal information; and
- Collecting, selling, or sharing any precise geolocation information of children that is not strictly necessary.
Please note that the Bill applies to "businesses" which are for-profit organizations that do business in California and: (1) have revenue of more than $25 million, or (2) derive 50% or more of their annual revenue from selling consumers' personal information, or (3) buy/receive for commercial purposes the personal information of more than 50,000 consumers/households/devices.
Significantly, there is no private right of action under the CAADCA. Exclusive enforcement authority is vested in the Attorney General, who would have the ability to seek injunctive relief and/or civil penalties against any business that violates its provisions. Under the CAADCA, businesses would have a 90-day cure period to ensure sufficient measures have been taken to prevent future violations. Penalties range from $2,500 for negligent violations and up to $7,500 for intentional violations.
With the impending and likely passage of the CAADCA, it looks like Internet marketers will be further restricted with what they can do when it comes to the personally identifiable information of people under the age of 18.
Please note that while the CCPA and the CAADCA are designed to protect the privacy of minors, one could argue that in practice and execution the effect of the regulations leads to more privacy risk. Under these statutes, businesses are required to estimate the age of individuals with a reasonable level of certainty. To do so, users over the age of 18 would need to provide more information to prove that they are of the age of majority than they presently do today. Consequently, online businesses would end up controlling more personally identifiable information and, by definition, more data would be subject to potential misuse and/or security breach. This certainly was not the intent of the Legislature.
The CAADCA will remain a bill until the Governor either signs or vetoes it by September 30, 2022. While the Bill contemplates an effective date of July 1, 2024, there is a lot that must happen before that time. For example, the CAADCA creates the California Children's Data Protection Working Group which must submit a Report to the Legislature prior to or on the date of enactment. The report must include recommendations on various topics (such as which online services, products, or features are likely to be accessed by children) and contain input from a broad range of stakeholders.
Related Blog Posts:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.