Governor Newsom recently signed into law AB 2273, the California Age-Appropriate Design Code Act (CA AADCA), making California the first state to pass broad privacy protections for children.

The CA AADCA is modeled after the UK’s Age-Appropriate Design Code (UK AADCA) which came into effect last year. While the two acts are not identical, businesses that conformed to the UK AADCA will see many similarities with the CA AADCA. Both laws seek to provide higher default privacy protections for children and set forth various requirements for covered businesses.

What businesses are covered under the CA AADCA?

Like the UK AADCA, the CA AADCA applies to online platforms that “children are likely to access”, which the statute defines broadly to include services, products, and features that are directed to children, routinely accessed by children, marketed to children, or known to be of interest to children, among others. Children are defined as under the age of 18.

Key features of the CA AADCA

Before launching any new online products, services, or features, covered businesses must undertake a Data Protection Impact Assessment which details how the business intends to use children’s personal information and the associated risks. The Data Protection Impact Assessment must also address the various ways in which children could be targeted or subject to harm by the new product, service, or feature and establish a mitigation plan for those risks. Businesses must also take into account the estimated age of child users and provide privacy information in “clear language suited to the age of children” likely to access the platform.

The CA AADCA also includes a series of prohibited actions that limit how covered businesses may use children’s personal information. Businesses may not collect, sell, share, or retain children’s personal information that is not necessary to providing the online service, product, or feature, and geodata may only be collected if “strictly necessary” for the online service and after providing “an obvious sign to the child” that the data is being collected. Businesses are also prohibited from profiling a child by default, encouraging children to provide unnecessary information, or using age-related data for purposes other than to estimate the child’s age. These prohibitions are mandatory unless the business can show a compelling reason that it is in the best interests of the children to do otherwise.

Penalties for non-compliance

Businesses that fail to comply may be subject to penalties of up to $2,500 per child for negligent violations and up to $7,500 per child for intentional violations in a suit brought by the Attorney General of California.

The CA AADCA is set to take effect on July 1, 2024.