Update Applicable to:
All businesses that provide online services or products in the state of California.
In our previous communication here, we notified you that Assembly Bill 2273 (AB 2273) was passed by the Governor’s Senate and was awaiting signature from Governor Newsom. This is an update to that communication.
What are the details?
On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act, A.B. 2273 (CAADCA), which imposes stringent new privacy requirements on businesses that provide online products, services, or features that are “likely to be accessed” by consumers under 18 years of age.
At the outset, businesses should be aware that CAADCA casts a wider net than the federal Children’s Online Privacy Protection Act (COPPA), which applies to websites and online services that are “directed to” children under 13 or have actual knowledge that they are collecting information from children under 13 or users of another website directed to children under 13. CAADCA, by contrast, applies to online services likely to be accessed by persons under 18, potentially subjecting many general audience websites and online services to the law’s requirements if they are likely to attract a significant number of minors. CAADCA will take effect on July 1, 2024.
CAADCA’s definition of a covered business mirrors the CPRA’s: a for-profit entity that does business in California and either:
- has annual gross revenues exceeding $25,000,000,
- annually buys, sells, or shares the personal information of at least 100,000 California consumers or households, or
- derives 50% or more of its annual revenues from sales of personal information.
CAADCA provides that an online service, product, or feature offered by a covered business is “likely to be accessed by children” if it is reasonable to expect that it would be accessed by children based on certain indicators, such as whether it is directed to children (as defined in COPPA), is routinely accessed by a significant number of children, has advertisements marketed to children, is substantially similar to another online service that is routinely accessed by a significant number of children, and/or has design elements that are known to be of interest to children (including games, cartoons, music, and celebrities who appeal to children).
If a covered business offers an online service, product, or feature that is likely to be accessed by children, new measures that the business must take include the following:
- Before any new online service, product, or feature likely to be accessed by children is offered to the public, complete a Data Protection Impact Assessment that evaluates potential harms to children. The business must also biennially review all Data Protection Impact Assessments and make them available to the California Attorney General on request. Businesses must complete a Data Protection Impact Assessment on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children that is offered to the public before July 1, 2024.
- Configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy unless the business can demonstrate a compelling reason that a different setting is in children’s best interests.
- If the online service, product, or feature allows a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, provide an obvious signal to the child when the child is being monitored or tracked.
- Estimate the age of child users with a reasonable level of certainty appropriate to the risks arising from the business’s data management practices, or apply the privacy and data protections afforded to children to all consumers.
The business must also place the interests of children above its business interests by not:
- Using a child’s data in a way that the business knows, or has reason to know, is materially detrimental to the child’s physical or mental health or well-being.
- Collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged unless the business can demonstrate a compelling reason that this is in the best interests of children likely to access the online service, product, or feature.
- Profiling a child by default, subject to certain narrow exceptions.
- Collecting, selling, or sharing precise geolocation data of children by default, unless this is strictly necessary to provide the service.
- Collecting any precise geolocation information of a child without providing an obvious sign to the child for the duration of the collection period that precise geolocation information is being collected.
- Using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide the online service, product, or feature, to forego privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being.
CAADCA, unlike the CPRA, does not contain a private right of action and will be enforced by the California Attorney General. Monetary penalties for violations range from $2,500 per affected child for each negligent violation to $7,500 per affected child for each intentional violation.
CAADCA’s sweeping provisions will cover many businesses which are not currently subject to COPPA. Businesses whose online properties may fall within its scope should begin the process of completing Data Protection Impact Assessments as far in advance of the effective date as possible. Online properties which feature advertising targeted to persons under 18, especially third-party advertising, are likely to be significantly impacted. Finally, although it was passed with overwhelming bipartisan support, the future of CAADCA is not entirely clear. The new law will likely be challenged in litigation, possibly on First Amendment grounds and potentially based on arguments that COPPA preempts it.
For more information, please see the links below:
What do employers need to do?
Employers should review the links above and adjust their data privacy policies to comply with the law come July 1, 2024.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.