Recently, California introduced Assembly Bill 2273 (AB 2273) or the California Age-Appropriate Design Code Act (ADCA). If passed, the ADCA will impose certain data privacy requirements on businesses that provide “an online service, product or feature likely to be accessed by a child.” Unlike other statutes, the ADCA defines child as a consumer under 18 years of age. These requirements are intended to protect children’s personal information and limit children’s online exposure.
Data privacy dos and don’ts of the ADCA
If enacted, a business subject to the ADCA must comply with the following requirements:
- Consider the “best interests” of children when designing and developing the product in a manner that prioritizes “the privacy, safety and wellbeing of children over commercial interests.” This includes taking into account the “unique needs of different age ranges” such as a child who is not yet literate compared to a teenager.
- Undertake a Data Protection Impact Assessment (DPIA) for their products, which is a “systematic survey” of the risks associated with child access to the business’s products.
- Establish the age of users with a reasonable level of certainty to appropriately configure all default privacy settings to offer a high level of protection for children using online services.
- Provide an obvious “signal” if location or activity is being monitored and make any privacy information and terms of services in clear language that children can understand.
- Enforce the business’s established terms, policies and community standards as defined for children and provide prominent, accessible and responsive tools to help children (or their parent or guardian) exercise their privacy rights and report concerns.
ADCA prohibits businesses from:
- Using the personal information of a child to establish age or age range for any purpose longer than necessary or that may harm the physical health, mental health or wellbeing of a child.
- Profiling a child by default.
- Collecting, selling, sharing or retaining any personal information or precise geolocation that is not necessary for the product with which a child is actively and knowingly engaged.
- Collecting any precise geolocation information of a child unless there is an obvious signal to the child that this information is being collected.
- Using dark patterns to lead or encourage children to provide additional personal information that is unnecessary, as well to forego privacy protection measures.
The ADCA would also require the CPPA to establish and convene the California Children’s Data Protection Working Group (CDWG) to evaluate best practices for the implementation of these provisions. The CDWG, which would be comprised of professionals with expertise in areas such as data privacy, mental health and children’s rights, would make recommendations on best practices for businesses adapting to the increased privacy levels.
The ADCA has the power to make material change in data privacy law, and the requirements and prohibitions for compliance will have a tangible impact on businesses. Not only does it establish guidelines like considering the “best interests” of children or undertaking systematic surveys, but it sets out clear requirements for businesses to make policies with a high default level of protection.
Although the ADCA is specifically for children, its passage will have an even greater impact on businesses than existing data privacy laws in the state. The ADCA’s introduction reflects a greater interest in data protection, especially children’s data.
What’s next for the ADCA?
After its introduction to the California Assembly in February 2022, the ADCA has since passed in the Assembly on May 26, 2022 and was introduced to the California Senate on May 27, 2022. In June 2022, it was referred to the Committee on Judiciary before being amended and referred to the Committee on Appropriations, where a hearing was held on August 1, 2022. On August 11, an amended bill passed the Senate committee that is now under consideration by the State Senate.
The Senate has until the end of the 2022 California legislative session on August 31, 2022, to act. If the Senate passes the amended bill, it will have passed both houses of the California legislature and proceed to Governor Gavin Newsom, who will then have 12 days to either sign or veto the bill. The ADCA would then take effect July 1, 2024.
Tech companies have already shown a greater interest in protecting children’s data by modifying their services on a company-wide scale. For example, Google designated SafeSearch as the default for children under 18 browsing the web. Additionally, social media platforms Instagram and TikTok have barred adults from directly messaging children who don’t follow them back.
The ADCA’s bipartisan support is a good signal for its likely passage. If passed, the ADCA would hold significant weight given the number of tech companies based in California.