Recently signed into law by California Governor Gavin Newsom on September 15, 2022, the California Age-Appropriate Design Code Act ("AADC") changes the playing field for certain businesses that provide online services, products, or features accessible to children under the age of 18. Although California models its new law after the Children's Code passed by the UK, the AADC is first state law of its kind in the US. Once it goes into effect on July 1, 2024, the Attorney General may fine noncompliant businesses up to $7,500 per affected child.

Whom does the AADC affect?

The AADC applies to businesses with online services, products, or features that minors "are likely to access," that also meet the revenue or user thresholds established in the California Consumer Privacy Act (that is, gross revenues exceeding $25 million, buying or selling the personal information of 50,000 or more customers, or deriving more than 50% of annual revenue from selling personal information). The language in the AADC grants the AG a wider reach beyond online platforms that are specifically directed to children. Instead, the AADC affects online platforms that are:

  • Regularly accessed by a significant number of children, or platforms that are substantially similar to the regularly accessed platforms;
  • Largely comprised of child audiences;
  • Advertised to children; or
  • Made with design elements known to attract children, such as games and cartoons.

Social media platforms that are popular with children, as well as video game platforms, are most likely to feel the heaviest impact. With its broad reach, however, the AADC is likely to impact many more businesses that gear towards providing online platforms.

How can covered businesses comply?

Among many requirements, the AADC compels covered businesses under its purview to:

  • Implement strong privacy protections by default, with narrow exceptions;
  • Provide privacy information and terms of service in an age-appropriate language catered to children;
  • Limit the collection and use of a child's personal information, especially when tracking their location; and
  • Complete a Data Protection Impact Assessment ("DPIA"), which is an extensive survey, for any new applicable online service, product, or feature. Businesses must complete a DPIA on or before July 1, 2024 and provide it to the AG within 5 days upon request.

Overall, the AADC extends further than the federal Children's Online Privacy Protection Act – which focuses on permission to collect, maintenance of, and deletion of children's personal information – and forces businesses to consider children's best interests in all aspects of its online service. They must consider what potential harms their content or contacts may have on child consumers and even reevaluate commonly used design features, like 'autoplay,' and its harmful effects. With less than 2 years left until the enforcement of AADC, companies will benefit from consulting counsel to transition into the new regime if they plan to offer covered online services beyond July 2024.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.