In 2022, children’s online privacy and safety has been top of mind in many state legislatures and interest groups, and the California legislature successfully passed legislation focused on children’s privacy. California’s new bipartisan law (AB-2273), the California Age-Appropriate Design Code Act (“CAADCA”), which targets privacy and safety protections for children and teens on online platforms such as TikTok, Instagram, and YouTube, was signed by Governor Gavin Newsom on September 15, 2022, and goes into effect July 1, 2024.

The CAADCA requires businesses that provide online services, products, or features that will be likely accessed by children to comply with specific requirements, including a requirement to configure all default privacy settings to a high level of privacy. It will also require these businesses to provide privacy information, terms of service, policies, and community standards using clear language suited for the age of the children that are accessing these online services, products, or features. The bill will require businesses to complete a Data Protection Impact Assessment. Additionally, it will prohibit a business that provides services targeted to children from using the personal information of children for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason to do so that aligns with the best interests of the children. The CAADCA will also prohibit the use of dark patterns, which are online experiences designed to steer users toward a specific choice—often related to making purchases or providing personal information.

The new law does not include a private right of action for individuals but does authorize the attorney general to seek an injunction or civil penalty against any business that violates its provisions and the attorney general can hold violators liable for a civil penalty of up to $7,500 per affected child. The CAADCA is expected to impact social media platforms as well as the gaming industry and other online services that provide services and products that are marketed to children under age 18.

This first-of-its-kind law includes requirements for robust protection of children’s privacy and is modeled after the United Kingdom’s age-appropriate design policy known as the “Children’s Code,” which caused online platforms to tighten their privacy and safety controls for children. The CAADCA is geared toward providing similar protections and assessing the impact of features such as autoplay and algorithm-driven content on young users. Most importantly, the proposed legislation will add protections for teens who are not currently covered under the federal Children’s Online Privacy Protection Act (COPPA), which is limited to operators of websites or online services directed to children under age 13.

In light of the new law, companies operating in California should assess whether they would be considered within the scope and should consider evaluating privacy protections for data that could be collected from children under age 18. While enforcement is not expected until July 2024, it is important to start looking at any changes to policies or procedures that need to be made well in advance of that effective date.

By passing this law, California is again marking its position as a first-mover on privacy legislation, and we would not be surprised to see other states follow suit in the new year. In addition, children’s privacy has been a focus of much of the debate surrounding federal privacy bill proposals, and we continue to follow those discussions closely. Subscribe to RopesDataPhiles for updates on related legal developments.