California enacted the Age-Appropriate Design Code Act (AADC) last Thursday, September 15th, which will impose significant new child and teen safety requirements on a large variety of online services. The AADC goes into effect on July 1, 2024.
ZwillGen previewed this Act last March, shortly after it was introduced alongside similar potential federal legislation. Although the federal legislation has not made much progress, CA moved this bill quickly into law. The Act’s final version contains a few substantial changes from last spring, which are noted below with the full breakdown of the AADC’s requirements.
The AADC closely tracks a similar children’s design code adopted in the United Kingdom, with the main differences being the AADC’s focus on a child’s mental and physical “well-being,” and the lack of prescriptive requirements surrounding how to comply, such as the UK’s requirement to present tailored and “bite-sized” legal terms to different age ranges of minor users.
The AADC applies broadly to all “businesses that provide online services, products, or features that children are likely to access.” Unlike the Children’s Online Privacy Protection Act (COPPA), which defines children as under 13 years of age, the AADC broadens the definition to all individuals under 18 years of age.
“Likely to be accessed by children” is defined as the “reasonable likelihood” that a child will access a service based on a list of six delineated factors. These factors include the COPPA standard for a service being “directed” to children, but also include a variety of factors that require the service to assess whether a child is likely to access it, for example, whether the service “has design elements that are known to be of interest to children.”
The AADC imposes several affirmative requirements on covered businesses. A few of the main actions that businesses will be required to take include:
- Complete a data protection impact assessment (DPIA) for every new online service, product, or feature likely to be accessed by children that documents and measures the “risk of material detriment to children;”
  - This must be completed by all current services prior to the July 1, 2024 implementation date.
- Set default privacy settings at a “high” level of privacy unless the business can demonstrate a “compelling reason” that a different setting is in the “best interest” of children;
  - This requirement was relaxed by amendment from the previous language, which required the “highest level of privacy.”
- Provide privacy policies and other related information “prominently” and in “clear language that is suited to the age of children likely to access;” and
- Provide an “obvious signal” to the child if the online service tracks their online activity.
Businesses’ services, products, or features will not be allowed to do the following:
- Use a child’s personal information in a way that is “materially detrimental” to their physical or mental health or well-being;
- Profile a child by default unless they meet a narrow exception;
- Collect, sell, share, or retain a child’s personal information in a way that is not “necessary” to provide the service, product, or feature unless there is a “compelling reason” that is in the best interest of the child;
- Collect, sell, or share any precise geolocation data of children by default unless it is “strictly necessary” to provide the service, product, or feature;
  - This requirement was amended from the “compelling” reason language seen elsewhere in the statute, making this provision the hardest exception to meet in the bill.
- Use dark patterns to lead or encourage children to provide personal information.
The AADC implements several new standards that are not yet defined in this context, including what will be considered “materially detrimental” to a child, what constitutes a “high” level of default privacy, and what will be considered a “compelling reason” to exercise exceptions to the requirements.
Further, the AADC presents complex issues surrounding age authentication. Companies have several options to comply with the age provision of the AADC, but each option has costs and benefits. For example, companies could require users to authenticate their age every time they use the online service, but this may annoy users and reduce their desire to return. Or, companies could deploy identity verification procedures that would prevent frequent age authentication, but this results in increased costs and risks associated with collecting even more personal information. Ultimately, the AADC is poised to affect all Internet users, and companies will have to decide whether to adopt extensive age authentication measures or instead raise their privacy protections across the board for all users.
While the AADC will not go into effect until July 2024, companies should start to plan for how their products may be implicated in CA’s new law and begin to prepare the required DPIAs.