California Age-Appropriate Design Code Act (CAADCA)

On September 15, 2022, California Governor Newsom signed into law the California Age-Appropriate Design Code Act (CAADCA). This groundbreaking Act, which is set to take effect on July 1, 2024, forces businesses to proactively consider how their digital product or service will impact the safety and privacy of children and teens in California.

Since the CAADCA greatly expands upon existing minor protection laws such as the Children's Online Privacy Protection Act (COPPA), businesses should review their existing privacy and data measure protections to determine which must be updated.

To help you understand some of the obligations California businesses must comply with, we've created this comprehensive guide to understanding the CAADCA. Here you'll find guidance on what the CAADCA is, to whom it applies, and actionable steps you can take to make sure your digital product or service is in compliance.

What is the California Age-Appropriate Design Code Act (CAADCA)?

The California Age-Appropriate Design Code Act is a bill designed to protect children's privacy and safety online. The law, which is modeled after the United Kingdom's Age Appropriate Design Code (AADC), aims to regulate the collection, processing, storage, and transfer of children's data.

The CAADCA places extensive rules on businesses that offer digital products or services that are 'likely to be accessed by children.' It defines 'children' as any California residents 'who are under 18 years of age.'

As young people are increasingly using digital services for various purposes such as entertainment, education, and communication, they are exposed to targeted online advertisements. The California legislature believes this bill is crucial for safeguarding children, especially from the inappropriate use of their data or deceptive design practices known as "dark patterns."

Who Does the CAADCA Apply to?

The CAADCA applies to all 'businesses' as they are defined under the California Consumer Privacy Act (CCPA/CPRA).

The CCPA (CPRA) defines a business as any for-profit company operating in California that satisfies one of three requirements:

• If the company has an annual gross revenue of more than $25 million,
• If the company purchases, shares or sells for commercial purposes the personal information of at least 100,000 customers or households, or
• If the company derives at least 50% of its annual revenues from sharing or selling the personal data of consumers

There are some exceptions. The CAADCA explains that the following online services, products, and features are exempt:

• A broadband internet access service, as defined in Section 3100
• A telecommunications service, as defined in Section 153 of Title 47 of the United States Code
• The delivery or use of a physical product

What Products and Services are Covered by the CAADCA?

The CAADCA applies to businesses that "provide an online service, product, or feature likely to be accessed by children." Remember that 'children' are defined as any consumer that is under 18 years of age.

In assessing whether a product or service is 'likely to be accessed by children,' the CAADCA provides certain indicators to look for, including:

• If the digital product or service is directed toward children as defined by the Children's Online Privacy Protection Rule (COPPA)
• If the digital product or service contains advertisements directed at children
• If the digital product or service is regularly accessed by a significant number of children
• If the product or service is substantially similar to one that is routinely accessed by children
• If the digital product or service contains design elements typically of interest to children (e.g., games, cartoons, or celebrities appealing to children)

It is important to note that this new standard departs significantly from COPPA. That law only applies to children under the age of 13. CAADCA expands its scope to include teenagers up to age 17. CAADCA also imposes many new restrictions on businesses and broadens the standard for when the law is triggered.

If you determine that your business offers a digital service, product, or feature that is covered by the CAADCA, then you should take several steps to ensure compliance. We've identified the following as among the more onerous steps that must be taken.

How to Comply with the CAADCA

Here are a number of steps you can take to ensure you comply with the requirements of the CAADCA.

Conduct a Data Protection Impact Assessment

Pursuant to CAADCA, businesses that offer online products and services that are likely to be accessed by children must conduct a Data Protection Impact Assessment (DPIA) by July 1, 2024.

This DPIA must thoroughly identify the purpose of every online service, product, or feature likely to be accessed by children, the manner in which it utilizes children's personal information, and the potential risks of harm to children that may arise from the company's data management practices.

Additionally, the documentation of this assessment must be kept for as long as the product or service is likely to be accessed by children and reviewed biennially. Upon written request, a copy must be provided to the California Attorney General within five business days.

After July 1, 2024, covered businesses must complete a DIPA before launching a new service, product, or feature. If any "risk of material detriment to children" is identified, a plan with specific deadlines for mitigating or eliminating the risk must be developed and implemented before making the new product or service available to the public.

Estimate the Age of Child Users or Treat all Consumers as Children

Your business must take steps to estimate the age of child users with a reasonable level of certainty. In the alternative, you can simply apply the data and privacy protections afforded to children under the CAADCA to all users.

While the CAADCA does not provide any guidance on estimating a child's age, we can look to the UK's Age Appropriate Design Code for guidance. The AADC suggests methods such as allowing the user to self-declare their age, using AI algorithms to establish a user's age, third-party verification services, or hard identifiers like passports or similar documents.

Include Default Privacy Settings

Any business subject to the CAADCA must ensure all privacy settings provided to children are automatically set to the highest level of privacy by default. If you want to deviate from this standard, your business will have to demonstrate a compelling reason as to why a different setting is in the best interests of children.

In the following example, you can see how all but the necessary cookies preferences are automatically set to off and must be manually turned on. This is a good example of automatically setting the highest level of privacy by default:

Get your own compliant cookie consent notice here.

Provide Clear and Age-Appropriate Privacy Information

Any Privacy Policy, Terms and Conditions agreement or other types of policies or community standards must be provided clearly and concisely, and must be presented in a way that is suited to the age of the children likely to access that particular digital product or service.

In this small sample taken from Scholastic Kid's larger Kids Privacy Policy, you can see how Scholastic Kids strives to keep the language simple and kid-friendly despite the technical nature of the information being presented:

Provide Clear Monitoring Signals

If your online digital product or service allows the child's parent, guardian, any other consumer, or your business itself to track a child's online activity, you must provide an obvious signal to the child of when this monitoring or tracking is occurring.

Provide Clear and Accessible Tools for Exercising Rights

In order to comply with the CAADCA, your digital product or service must offer clear, prominent, and easily-accessible tools to help children, parents or guardians exercise their privacy rights and report any concerns.

Here is an example of how PBS Kids makes its Privacy Policy quite visible and easily accessible on the footer of its webpage:

Within its Privacy Policy, you can see how Sesame Street includes contact information for reporting concerns:

What Does the CAADCA Prohibit?

The CAADCA also imposes strict prohibitions on the collection, use, and sale of personal data collected from children. This includes:

• Online products and services are prohibited from using a child's personal information in any way the business knows or has reason to suspect is "materially detrimental" to the physical or mental well-being of the child.
• Businesses are prohibited from collecting, selling, sharing, or retaining the personal information of a child that is not strictly required to provide an online service, product, or feature unless they can demonstrate a compelling reason for doing so that is in the child's best interest.

• Businesses cannot conduct profiling by default.

  • Profiling by default is the practice of automatically collecting and analyzing a wide range of personal information about an individual without their explicit consent, in order to create a detailed profile of that person.
  • The CAADCA allows profiling by default only when it is necessary for an online service, product, or feature to work and even then only if the "appropriate safeguards" have been put in place.
• The precise geolocation data of children must not be collected unless it is necessary for a digital product or service to work. Even then, the data can only be kept for the short period the data is required to deliver the product, service, or feature.
• "Dark patterns" and other unethical practices cannot be used to persuade or encourage children to divulge more personal information than is necessary or to forgo privacy protections.

Fines for Non-Compliance with the CAADCA

Failing to comply with the new restrictions imposed by the CAADCA can lead to hefty fines. The CAADCA does not create a private right of action. Nonetheless, the California Attorney General has exclusive jurisdiction to apply the following civil penalties:

• Up to $2,500 per affected child for negligent violations, and
• Up to $7,500 per affected child for intentional violations of the Act

This is why it is so important for businesses to create and implement a comprehensive Data Protection Impact Assessment and subsequent mitigation plan. If a business is deemed to be in "substantial compliance" with this assessment and mitigation plan, then the Attorney General should provide a written notice to the business before initiating an action. The business found in violation will then have 90 days to comply.

Summary

California's Age-Appropriate Design Code created big changes for businesses that offer digital products or services likely to be accessed by children under 18.

This legislation compels businesses to proactively assess the privacy and protection of children in the design of any digital product or service that they offer.

In order to ensure compliance with CAADCA before July 1, 2024, California businesses should:

• Determine if the business is likely to be accessed by children
• Conduct a Data Protection Impact Assessment
• Update existing Privacy Policies and Terms to ensure they are easily understood by children
• Ensure that optional data tracking is switched off by default and minimize the collection of geolocation data unless strictly necessary
• Implement new tracking signals that notify children any time they are being monitored or tracked
• Ensure that children, parents, and guardians have an easily accessible method of exercising their privacy rights