The California Age-Appropriate Design Code Act: A Primer

The hot new privacy law (well, one of many) is the California Age-Appropriate Design Code Act (CA AADCA), which the California Senate passed at the end of August and was just signed into law by Governor Gavin Newsom. It’s part of a wider trend in regulators cracking down on sites for children’s privacy issues: see for example the Irish Data Protection Commission’s 405m Euro fine against Instagram for failing to protect children’s data announced earlier this month. What is this new law, and why are so many companies – particularly those in the video game industry – paying attention? See below for some initial observations about this law and some steps you can take today to prepare.

The CA AADCA At a Glance

The CA AADCA was drafted to provide Californian children with stronger online privacy and safety options.

  • The CA AADCA requires companies to prioritize children's safety and privacy in the design of any online product or service that children in California are likely to access.

  • It restricts data collection and profiling of children in ways that are detrimental to the child.

  • It requires companies to document the risks of their product/service to children through a Data Protection Impact Assessment (DPIA).

  • It requires high privacy settings by default, restricts some personal data collection, and prohibits the use of nudge techniques to encourage children to weaken their privacy protections.

The CA AADCA will be enforced exclusively by the CA Attorney General starting July 1, 2024.

What Companies Are Covered by the Code?

The CA AADCA uses the definition of “business” from the CCPA/CPRA, which includes for-profit entities that meet one or more of the following:

  1. have $25 million or more in annual gross revenue,

  2. buy or sell the personal information of 100,000 or more users, or

  3. derive 50% of annual revenue from selling or sharing consumers’ personal information.

Of those companies that meet the criteria above, the CA AADCA applies to those products or services that are likely to be accessed by anyone under 18. Read on for more information regarding this new standard.

Let’s Dive Into the Substance of the Law!

The CA AADCA’s substantive requirements are similar to those described by the UK Age-Appropriate Design Code (UK AADC) published by the UK Information Commissioner’s Office. This is not surprising, given that CA AADCA was modeled explicitly after the UK AADC. Here are five key highlights:

1. It affects all online products and services likely to be accessed by anyone under 18.

Like the UK AADC, companies will need to provide protections for teenagers, who previously were not protected under laws such as COPPA/GDPR-K.

Note that sites and services “likely to be accessed” by children under 18 potentially encompass a much larger swath of online services than services “directed to children” under COPPA – for example, even games explicitly rated Mature/18+ might still be covered, if it is clear children are playing.

To determine whether a site/service is likely to be accessed by children, the CA AG will look both at the existing content-based factors that make a service child-directed under COPPA and at whether the site or service is routinely accessed by a “significant number” of children. We don’t yet know what a “significant number” means – it could refer to situations where children make up a significant portion of a site/service’s audience, but it could theoretically also encompass very popular services where large numbers of children are present, even when they comprise a small portion of the overall userbase. Note that the CA AG is authorized to examine a company’s internal research as part of this determination.

2. Prohibits secondary uses of data that are not in the “best interest” of a child’s physical, mental, or overall well-being.

The CA legislature opines in the CA AADCA that “children need special safeguards and care in all aspects of their lives.” For context, the UK AADC suggests that businesses evaluating a service’s safeguards for children must take a holistic view of everything from targeted advertising to a blanket restriction on harmful content served using the child’s data (e.g., using a child’s data to serve content that encourages self-harm or eating disorders).

While it remains to be seen how broadly the AG will interpret this “best interest” requirement, data practices that endanger a child’s safety or autonomy, features that would otherwise put a child at risk (e.g., unrestricted chat features with adults, services that track a child’s physical location in real-time, biometric scanning features), or features that psychologically profile children for marketing purposes are likely to be considered high risk.

3. Requires high privacy by default, kid-friendly privacy policies, and prohibits using “dark patterns” to manipulate kids into sharing unnecessary data.

Where a service offers multiple privacy settings, the CA AADCA requires the default setting to be set to the most privacy-protective option. Note that although the CA AADCA permits businesses to prompt 13-18 year olds to change these settings, in the US, children cannot consent to data collection/tracking if they are under 13 (rather, their parent or legal guardian must consent, per COPPA). Prompting 13 to 18-year-olds to consent to data processing isn’t necessarily simple, however.

The CA AADCA requires privacy-related disclosures (including a business’s privacy policy) to be in clear language suited to the age of children likely to access the service. In theory, this means different disclosures for children 0 to 5 years of age (“preliterate and early literacy”); 6 to 9 years of age (“core primary school years”); 10 to 12 years of age (“transition years”); 13 to 15 years of age (“early teens”); and 16 to 17 years of age (“approaching adulthood”). Moreover, language directed to children cannot pressure or mislead the child to consent to unnecessary data collection or processing. So-called “dark patterns” in game and UX design are a developing area of the law, and are of particular interest to the FTC.

4. Requires Data Privacy Impact Assessments (DPIAs) for all products available to the public after July 1, 2024.

Note that this applies retroactively to products already launched if they are still publicly offered. DPIAs must be provided to the CA Attorney General on request within 5 days. Unlike the UK AADC, which provides a sample DPIA template as an example, the CA AADCA dictates specific questions that must be included in a valid DPIA. Businesses must, for example, document and consider the risks their product or service may pose to children, and their strategies for mitigating those risks.

5. Children have limited privacy rights against their parents.

Lastly, to the extent a business provides parental controls to allow parents to monitor and control their children’s use of a given service, the CA AADCA requires that children must be notified at any time when a parent is monitoring their activity. Although the UK AADC also included this requirement, the US has up until now been slow to acknowledge children's rights specifically against their parents.

What Should I Do Now?

Technically, given that the CA AADCA requires businesses to take steps above and beyond those required under the Federal Children’s Online Privacy Protection Act (COPPA), there is an open question of whether the CA AADCA will be preempted by federal law. It’s also possible that a federal privacy law (such as the American Data Privacy and Protection Act (ADPPA), and/or an update to COPPA itself) could be passed that explicitly preempts the CA AADCA.

Assuming the law comes into effect on July 1, 2024, the CA AG may seek an injunction against any business that violates the law, or issue civil penalties of up to $2,500 per affected child for each negligent violation, or up to $7,500 per affected child for each intentional violation. Note the CA AADCA contains no “grandfather clause” – even if a site or service was released before that date, it must still be compliant if it continues to be offered after the effective date.

The good news for businesses? The CA AADCA has no private right of action, and there is a 90-day cure period for violations before fines can be imposed. Since the CCPA went into effect, the AG has taken numerous enforcement actions, but only one to date has resulted in a fine. In all other situations, the businesses that received letters were able to cure the noncompliance within the cure period, avoiding a fine. Still, note that not all violations are necessarily capable of cure (such as concrete harms to children caused by misuse of their data), so businesses should not rely too heavily on this cure period.

What should businesses be watching out for now?

  • Internal/external research on audience composition. Under the CA AADCA, regulators can specifically look at “internal company research” to determine whether children are accessing an online product or service, including evidence of parental complaints, market research, or chat history (to the extent it is available). The AG may also look at external news articles or “good for kids” lists that describe the games that are most popular with kids. The listings at Common Sense Media may be a helpful resource to see what parents and children are saying about your game.

  • Onboarding and in-game flows. When a game prompts a child to provide optional data, the CA AADCA requires that the language presented to them clearly explain the benefit of sharing the data in kid-friendly terms, without applying undue pressure or hiding the optional nature of the request. Some businesses have also experimented with “kid-friendly” privacy policies, which use pictures and simple language to better explain what data the business collects and how it is used.

  • DPIA processes and existing protections for children. Under the CA AADCA, businesses must consider the harms that could arise not only from the business’s own use of children’s data, but also the harms that could come from other users. If a conflict ever arises between commercial interests and the best interests of children, businesses subject to the CA AADCA are required to prioritize children’s privacy, safety, and well-being over their commercial interests. Although many businesses have comprehensive terms of service and community standards their users must agree to, the CA AADCA also requires those policies to be enforced, such as through effective moderation programs.

As always, it’s important to review each product or service holistically with experienced counsel to identify and mitigate risks. If you have any questions, please contact us.
