Update Applicable to:
All businesses that provide online services or products in the state of California.
In our previous communication here, we notified you that Assembly Bill 2273 (AB 2273) was passed by the Governor’s Senate and was awaiting signature from Governor Newsom. this is an update to that communication.
What are the details?
On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act, A.B. 2273 (CAADCA), which imposes stringent new privacy requirements on businesses that provide online products, services, or features that are “likely to be accessed” by consumers under 18 years of age.
At the outset, businesses should be aware that CAADCA casts a wider net than the federal Children’s Online Privacy Protection Act (COPPA), which applies to websites and online services that are “directed to” children under 13 or have actual knowledge that they are collecting information from children under 13 or users of another website directed to children under 13. Whereas CAADCA applies to online services likely to be accessed by persons under 18, potentially subject many general audience websites and online services to the law’s requirements if they are likely to attract a significant number of minors. CAADCA will take effect on July 1, 2024.
CAADCA’s definition of a covered business mirrors the CPRA’s, a for-profit entity that does business in California and either:
CAADCA provides that online service, product, or feature offered by a covered business is “likely to be accessed by children” if it is reasonable to expect that it would be accessed by children based on certain indicators, such as whether it is directed to children (as defined in COPPA), is routinely accessed by a significant number of children, has advertisements marketed to children, is substantially similar to another online service that is routinely accessed by a significant number of children, and/or has design elements that are known to be of interest to children (including games, cartoons, music, and celebrities who appeal to children).
If a covered business offers an online service, product, or feature that is likely to be accessed by children, new measures that the business must take include the following:
The business must also place the interests of children above its business interests by not:
CAADCA, unlike the CPRA, does not contain a private right of action and will be enforced by the California Attorney General. Monetary penalties for violations range from $2,500 per affected child for each negligent violation to $7,500 per affected child for each intentional violation.
CAADCA’s sweeping provisions will cover many businesses which are not currently subject to COPPA. Businesses whose online properties may fall within its scope should begin the process of completing Data Protection Impact Assessments as far in advance of the effective date as possible. Online properties which feature advertising targeted to persons under 18, especially third-party advertising, are likely to be significantly impacted. Finally, although it was passed with overwhelming bipartisan support, the future of CAADCA is not entirely clear. The new law will likely be challenged in litigation, possibly on First Amendment grounds and potentially based on arguments that COPPA preempts it.
For more information, please see the links below:
Assembly Bill 2273 (AB 2273)
Previous Vensure Communication (9/14/2022)
What do employers need to do?
Employers should review the links above and adjust their data privacy policies to comply with the law come July 1, 2024.