On September 15, 2022, California Governor Gavin Newsom signed into law the bipartisan AB 2273, known as the California Age-Appropriate Design Code Act (“California Design Code”). The California Design Code aims to protect children online by imposing heightened obligations on any business that provides an online product, service, or feature “likely to be accessed by children.” Governor Newsom stated that he is “thankful to Assemblymembers Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first.” The California Design Code’s business obligations take effect on July 1, 2024, though certain businesses must complete Data Protection Impact Assessments “on or before” that date.
In this post, we outline the California Design Code and its compliance requirements, compare it to pre-existing privacy regimes, and conclude with key takeaways for businesses to keep in mind as they adapt to the ever-changing privacy landscape.
What is the California Design Code?
The California Design Code covers businesses that provide “an online service, product, or feature likely to be accessed by children.” Children are defined as anyone under 18. The California Design Code incorporates the same threshold requirements from the California Privacy Rights Act (“CPRA”), meaning it only applies to businesses subject to the CPRA that also meet the California Design Code’s “likely to be accessed by children” standard.
New Obligations and Prohibitions
The California Design Code contains a list of affirmative requirements and a list of prohibited activities.
Notable affirmative obligations include:
- Data Protection Impact Assessments (“DPIAs”). Businesses are required to complete DPIAs for “any online service, product, or feature likely to be accessed by children.” DPIAs must identify the service/product/feature’s purpose and how the business uses children’s personal information (“PI”). DPIAs must assess a variety of potential “risks of material detriment to children” that could stem from the service/product/feature. Businesses must review all DPIAs biennially, document any identified risks, and create a “timed plan” to address them. Additionally, businesses must be ready to furnish a list of and/or copies of all DPIAs to the California Attorney General (“CA AG”) within three or five business days of a written request, respectively. Notwithstanding this, DPIAs are considered confidential and exempt from public disclosure.
- Defaulting to High Privacy Settings. Businesses must configure default privacy settings for products/services/features likely to be accessed by children to “offer a high level of privacy.”
- Estimating Children’s Ages. The law offers businesses two options for applying the heightened privacy settings across different consumer groups. Businesses can either (1) apply the heightened privacy and data protections to all consumers, or (2) “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business.” Critics of the latter option note its potential to contradict fundamental data privacy principles by requiring businesses to collect more consumer data than they otherwise would in an effort to satisfy this requirement.
- Using Child-Friendly Language. Businesses must use child-friendly language for all privacy information, terms of service, policies, and community standards.
- Providing Notice of Parental Monitoring/Tracking. Businesses must provide obvious signals to children when they are being monitored or tracked under parental monitoring features.
The Design Code prohibits businesses from:
- Using children’s PI in a way that is “materially detrimental” to their health or well-being.
- Engaging in default profiling of children (with certain exceptions).
- Collecting, selling, sharing or retaining children’s PI when not necessary to provide a service/product/feature likely to be accessed by children.
- Collecting children’s precise geolocation without providing an obvious sign to the child of said collection.
- Using dark patterns to encourage children to provide more PI than reasonably expected to provide the service/product/feature in question, or to take any action that would be “materially detrimental” to the child’s health or wellbeing.
- Using data collected to estimate age for any purpose other than age estimation.
The CA AG will enforce the California Design Code through injunctions and civil penalties, including fines up to $2,500 per affected child for negligent violations and up to $7,500 for willful violations. In contrast to these potentially hefty civil fines, the California Design Code cannot serve as the basis for a private right of action.
The California Design Code provides that if a business is in “substantial compliance” with the affirmative DPIA-related obligations, “the Attorney General shall provide written notice to the business, before initiating an action under this title.” In that notice, the Attorney General will identify the specific provisions that it believes the business has violated. A business that receives such notice will have 90 days to (1) cure the violation, (2) notify the Attorney General in writing of said cure, and (3) take “sufficient measures” to prevent future violations. If all three conditions are met, the business will not be held liable.
The California Design Code also creates a ten-member “California Children’s Data Protection Working Group” to report on best practices for implementing the California Design Code. Reports must be submitted to the Legislature before January 1, 2024, and every two years thereafter. This working group is separate from the California Privacy Protection Agency (“CPPA”).
How does the California Design Code compare to other laws?
The California Design Code borrows heavily from the UK’s Age Appropriate Design Code (“UK Design Code”), which went into effect on September 2, 2020, and the two share a number of similarities. In contrast, the California Design Code differs quite significantly from the Federal Children’s Online Privacy Protection Act (“COPPA”). The chart below compares the three laws across four key provisions.
|Provision||California Design Code||UK Design Code||COPPA|
|Scope||Businesses that provide “an online service, product, or feature likely to be accessed by children.”||Applies to organizations that provide online products or services “likely to be accessed by children.”||Businesses that direct products or services to children, or affirmatively know their product or service is used by children.|
|Definition of “Child”||Under age 18.||Under age 18.||Age 13 or younger.|
|Parental Monitoring||Must notify children of parental monitoring.||Must notify children of parental monitoring.||N/A|
|Default Privacy Settings||Settings that “offer a high level of privacy, unless [there is] a compelling reason that a different setting is in the best interests of children.”||“High privacy” (unless there is a compelling reason not to, taking account of the “best interests of the child”)||N/A|
|Major Limits on Data Collection||Collection, sale, retention or sharing of PI must be necessary to provide the child a product or service.
Collection of geolocation data requires obvious signal to the child that such data is being collected.
|Collection or retention of PI must be limited to the amount or duration necessary to provide elements of a service in which the child is knowingly and actively engaged.
Geolocation options should be turned off by default. Collection of geolocation data requires obvious signal to the child that such data is being collected.
|Covered businesses may not collect PI from children without notice and verifiable parental consent.|
Businesses subject to the California Design Code should consider the following action items to help anticipate its impact and mitigate any regulatory enforcement actions:
- Data Mapping. Map the personal data you collect from consumers under 18, if any; the purpose of said data collection; and how said data is used, stored, and disposed.
- Assess Applicability. Determine which of your services/product/features could fall under the California Design Code. If you are already subject to the CPRA, the following questions can help assess whether your technology is “likely to be accessed by children” using the statutory indicators laid out in the California Design Code:
- Does your business direct its online service, product, or feature to children?
- Has it been determined that your online service, product, or feature is routinely accessed by a “significant number” of children?
- Do you have advertisements marketed to children?
- Is your online service, product, or feature substantially similar to one that has been determined to be routinely accessed by a significant number of children?
- Does your online service, product, or feature have design elements in which children would take interest, such as games, cartoons, music, and child celebrities?
- Has your company internally determined that a significant amount of its audience is children?
If you answered any of these questions “yes,” the California Design Code might apply.
- Minimize Geolocation Data. Turn off automatic geolocation data collection, where possible.
- Start Preparing DPIAs. When trying to prioritize complying with the California Design Code’s myriad of new obligations, prioritize those related to DPIAs to position your business for potential relief via the safe harbor, if needed. Note that the California Design Code requires that businesses complete DPIAs on or before July 1, 2024 for applicable services/products/features offered to the public before July 1, 2024.
- Prepare for Consequences of Stricter Default Privacy Settings. Consider how your business will implement the required heightened privacy protections—either to all consumers, or just those under 18—and if the latter, how you would verify consumers’ age.
- Look to the UK for Compliance Insights. As discussed, the California Design Code is modeled after the UK Design Code. One of the California Design Code’s core guiding principles—to act in “the best interest of children”—is borrowed from the UK Design Code. When considering general compliance measures to satisfy this standard, look to guidance from the UK’s Information Commissioner’s Office on UK Design Code compliance.
To subscribe to the Data Blog, please click here.
The authors would like to thank Debevoise law clerk Elise M. Coletta for her assistance on this Data Blog post.