Age-Appropriate Design Codes: A New Wave Of Online Privacy Legislation?

FH
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

Contributor

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP is a law firm dedicated to advancing ideas, discoveries, and innovations that drive businesses around the world. From offices in the United States, Europe, and Asia, Finnegan works with leading innovators to protect, advocate, and leverage their most important intellectual property (IP) assets.
The California Age-Appropriate Design Code Act (CA AADC) was passed in September 2022, with the stated aim of prioritizing the privacy, safety, and well-being of children online. In particular, the law seeks...
United States California Privacy

The California Age-Appropriate Design Code Act (CA AADC) was passed in September 2022, with the stated aim of prioritizing the privacy, safety, and well-being of children online.1 In particular, the law seeks to protect online consumers under the age of 18.2 Under the CA AADC, businesses that provide online services, products, or features that are "likely to be accessed by children" must comply with certain requirements.3 These requirements apply to any for-profit California business that collects consumers' personal information and satisfies certain other thresholds related to revenue or size.4

While the CA AADC is the first law of its kind in the U.S., it was derived from the United Kingdom's Age-Appropriate Design Code (UK AADC), which has been in effect since 2020.5 At the heart of the UK AADC is the concept that the "best interest of the child" should be prioritized when designing online services and products that are likely to be accessed by children.6 This standard maps back to the General Data Protection Regulation (GDPR), which recognizes that children "merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data."7

Mandates and Prohibitions Under the CA AADC

Similar to the UK AADC, the CA AADC requires businesses to consider the best interests of children when designing, developing, and providing any online product or service that is likely to be accessed by children.8 The CA AADC enumerates several mandates and prohibitions that a business must adhere to when developing and providing these online services.

Under the CA AADC, a business must:

  • Complete a Data Protection Impact Assessment (DPIA) before offering the online service or product to the public. The DPIA must identify the purpose of the service or product, how the child's personal information is used, and any risks of material detriment to the child.9 Any risks identified must be documented with a timed plan for mitigation or elimination of the risk.10 A list of DPIAs and the assessments themselves must be promptly provided to the Attorney General pursuant to a written request.11
  • Estimate the age of a child user with a reasonable level of certainty or apply the privacy and data protections for children to all users.12
  • Offer a high level of privacy as the default privacy setting for children.13
  • Provide privacy policies and terms of service in clear language that a child can understand and enforce those policies.14
  • Notify the child when their online activity or location is being monitored or tracked.15
  • Provide accessible tools for children to exercise their privacy rights and report concerns.16

Under the CA AADC, businesses are prohibited from:

  • Using children's personal information in a way the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.17
  • Profiling a child by default unless the business can demonstrate the appropriate safeguards are in place, that profiling is necessary to provide the online service in which the child is actively and knowingly engaged, or it is in the best interests of the child.18
  • Collecting, selling, sharing, or retaining a child's personal information that is not necessary to provide the online service or product.19
  • Using a child's personal information for any reason other than that for which it was collected.20
  • Collecting, selling, or sharing geolocation information of a child by default unless strictly necessary for the business to provide the service, and then only for as long as necessary to provide the service.21
  • Using dark patterns to encourage children to provide personal information, forgo privacy protections, or take action the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.22
  • Using a child's personal information collected to estimate age for any other purpose or retaining it for longer than necessary to estimate age.23

First Amendment Challenges

Before it became effective on July 1, 2024, the CA AADC was challenged in federal district court by NetChoice, LLC, a national trade association of online businesses.24 NetChoice moved for preliminary injunction on the grounds that the CA AADC violates the First Amendment.25 On September 18, 2023, the U.S. District Court for the Northern District of California found that NetChoice was likely to succeed on its claim and granted the motion for preliminary injunction enjoining the Attorney General of California from enforcing the CA AADC.26

In its order, the Court expressed concerns with several of the mandates and prohibitions in the CA AADC. For example, the Court noted that the DPIA mandate does not require businesses to assess the potential harm of product designs, but instead focuses on the risks associated with the business's data management practices.27 Moreover, while the CA AADC requires businesses to create a timed plan to mitigate or eliminate risks, there is no requirement to actually mitigate the identified risks.28

The Court was also "concerned with the potentially vast chilling effect" of the age estimation provision.29 The CA AADC's mandate to estimate the age of the user requires consumers, including children, to provide more personal information thereby "exacerbating the problem."30 The alternative, if the business does not estimate age, requires the business to apply the same privacy protections for children to all users, essentially restricting the adult population to viewing only content fit for children.31

The preliminary injunction was appealed to the Court of Appeals for the Ninth Circuit.32 On August 16, 2024, the Ninth Circuit affirmed the district court's decision enjoining enforcement of the provisions of the CA AADC relating to the DPIA report requirements, finding they violated the First Amendment.33 However, the Ninth Circuit vacated and remanded the district court's decision regarding the other provisions of the CA AADC.34

Lessons Learned and Next Steps

Given the ongoing challenge to the CA AADC, it is uncertain whether age-appropriate design codes will gain traction in other states. For example, in March 2024, the Vermont General Assembly passed its own AADC.35 However, the bill was subsequently vetoed by Governor Phil Scott, who in a letter to the General Assembly cited the California litigation, stating: "We should await the decision in that case to craft a bill that addresses known legal pitfalls before charging ahead with policy likely to trigger high risk and expensive lawsuits."36 Instead of pursuing AADC-type legislation, both Colorado and Virginia passed amendments to their comprehensive privacy laws to add online privacy protections aimed at children.37

Maryland, on the other hand, unanimously passed its own Age-Appropriate Design Code Act (MD AADC), which is slated to go into effect on October 1, 2024.38 The MD AADC incorporated several key changes that addressed some of the concerns expressed by the district court in NetChoice v. Bonta. Unlike the CA AADC, the MD AADC expressly defines "best interests of children,"39 and while the CA AADC required businesses to estimate the age of child users, the MD AADC does not include any such age estimation requirement. The MD AADC still includes the requirement to prepare a DPIA for any "online product reasonably likely to be accessed by children."40 However, the MD AADC has the added provision that the DPIA must include a description of the steps the business "has taken and will take to comply with the duty to act in a manner consistent with the best interests of children."41

How Do Companies Prepare?

Given the recent decision by the Ninth Circuit, it is unclear which provisions of the CA AADC will ultimately go into effect. It is also possible that the MD AADC will face similar constitutional challenges before taking effect in October. Regardless, recent federal enforcement actions have shown that children's online privacy will continue to be an area of focus.42 Given that, it would be prudent for businesses to consider children's online privacy as early as possible in the development of any online product or service. Incorporating AADC requirements that are not being contested into the front-end design of the product or service is more efficient than making changes at the end of a product's development. An effective development process also includes training employees so they can actively incorporate them as they make design decisions. Finally, it is important to craft all privacy policies, including how to exercise privacy rights, in easy, clear, and age-appropriate

Footnotes

1 See Cal. Civ. Code § 1798.99.29.

2 Id. § 1798.99.30(b)(1).

3 See id. §§ 1798.99.31(a)–(b).

4 See id. §§ 1798.99.30, 1798.140(d).

5 See Info. Comm'rs Off., Age appropriate design: a code of practice for online services 5 (Oct. 17, 2022), https://ico.org.uk/media/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf.

6 See id. at 23–26.

7 GDPR Recital 38.

8 Cal. Civ. Code § 1798.99.29.

9 Id. § 1798.99.31(a)(1).

10 Id. § 1798.99.31(a)(2).

11 Id. §§ 1798.99.31(a)(3)–(4).

12 Id. § 1798.99.31(a)(5).

13 Id. § 1798.99.31(a)(6).

14 Id. §§ 1798.99.31(a)(7), (9).

15 Id. § 1798.99.31(a)(8).

16 Id. § 1798.99.31(a)(10).

17 Id. § 1798.99.31(b)(1).

18 Id. § 1798.99.31(b)(2).

19 Id. § 1798.99.31(b)(3).

20 Id. § 1798.99.31(b)(4).

21 Id. §§ 1798.99.31(b)(5)–(6).

22 Id. § 1798.99.31(b)(7).

23 Id. § 1798.99.31(b)(8).

24 See NetChoice, LLC v. Bonta, 692 F. Supp. 3d 924, 936 (N.D. Cal. Sept. 18, 2023).

25 Id. The CA AADC was also challenged on the grounds that it violates the dormant Commerce Clause and is preempted by both the Children's Online Privacy Protection Act (COPPA) and Section 230 of the Communications Decency Act.

26 Id. at 937, 959, 966.

27 Id. at 950.

28 Id.

29 Id. at 951.

30 Id.

31 Id. at 952.

32 NetChoice, LLC v. Bonta, No. 23-2969 (9th Cir. filed Oct. 23, 2023).

33 NetChoice, LLC v. Bonta, No. 23-2969, 2024 WL 3838423, *14 (9th Cir. Aug. 16, 2024).

34 Id. at *15.

35 See H.121, 2024 Gen. Assemb., Reg. Sess. (Vt. 2024), https://legislature.vermont.gov/bill/status/2024/H.121.

36 Philip B. Scott, Letter from Governor Scott to Vermont General Assembly (Jun. 13, 2024), https://governor.vermont.gov/sites/scott/files/documents/H.121%20-%20Veto%20Letter.pdf.

37 See S.B. 41, 74th Gen. Assemb., Reg. Sess. (Co. 2024); S.B. 361, 2024 Gen. Assemb., Reg. Sess. (Va. 2024).

38 See Md. Code Ann., Com. Law § 14-4613 (effective Oct. 1, 2024).

39 Id. § 14-4601(C).

40 Id. § 14-4604(A)(1).

41 Id. § 14-4604(B)(4).

42 See, e.g., Fed. Trade Comm'n, "FTC Investigation Leads to Lawsuit Against TikTok and ByteDance for Flagrantly Violation Children's Privacy Law," (Aug. 2, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy-law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More