*The views expressed in this article do not represent the views of Santa Clara University.
Credit: Kelly Sikkema | Unsplash
Across the United States, federal and state policymakers are directing their focus on protecting children’s privacy online. In the most recent action of this sort, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). Effective July 1, 2024, the Act will require a business that provides an online service, product, or feature “likely to be accessed by a child” to comply with specified requirements.
California Age-Appropriate Design Code Act Legal Analysis
The Act is drawing a lot of attention because it is a California state law that notably extends beyond the scope of the the Children’s Online Privacy Protection Act (“COPPA”), the primary federal children’s online privacy law. Compared to COPPA, the Act defines a child as an individual under the age of 18 years of age, whereas COPPA defines a child as those under 13 years of age. Further, the Act applies to online businesses whose online products, services, or features are “likely to be accessed by children” as compared to COPPA’s application to products, services, or features that are “directed to children.”
The Act defines “likely to be accessed by children” to mean that “it is reasonable to expect, based on the following indicators, that the online service, product, or feature would be accessed by children”:
Is directed to children as defined by COPPA;
Is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
Has advertisements marketed to children;
Is substantially similar or the same as an online service, product, or feature routinely accessed by a significant number of children;
Has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children;
A significant amount of the audience is determined, based on internal company research, to be children.
In addition to extending beyond COPPA’s scope, the Act prohibits certain processing activities that use a child’s personal information and imposes significant affirmative compliance requirements for covered businesses, which are summarized in-depth by Sean W. Fernandes on the Wyrick Robbins Practical Privacy Blog.
Although the Act is a first-of-its-kind children’s online protection at the state level, it nevertheless lacks a private right of action that many consumers and privacy advocates desire within privacy statutes. Only the California Attorney General has enforcement authority, and businesses will be subject to a $2,500 penalty per affected child for each negligent violation and $7,500 per affected child for each intentional violation.
California Age-Appropriate Design Code Act Business Implications
Entities must expand their understanding of the definition of children beyond the COPPA-established under-13 threshold to encompass those under 18 years of age. In addition, entities will need to adjust to the Act’s knowledge standard which diverges from COPPA, creating liability if a service knew or should have known that children are likely to access its products or services given the indicators mentioned above.
Age assurance and verification measures have been ongoing concerns as companies struggle with the practical implementation of children-specific privacy regulations. As the Future of Privacy Forum explains, these measures have been criticized by some because such “mandates compel services to collect additional information about individuals.” While some online services already engage in forms of age verification, some advocate critique the “actual knowledge” standard under COPPA, arguing that it incentivizes websites to not ask the ages of its users, using ignorance as a defense.
This divergence from COPPA may cover online services such as social media, chat-and video-based messaging websites that do not directly appeal to children. Even if they are not covered under COPPA, entities should audit their current understanding of their existing user-base to ensure they are not implicated by the Act.
Additional Resources
For more information on the Act, see the Future of Privacy Forum’s released policy brief, An Analysis of the California Age-Appropriate Design Code.
For a critique of the Act see Eric Goldman’s Blog