Children's privacy in California – are your online services age appropriate?

On 15 September 2022, the Governor of California signed the California Age Appropriate Design Code Act ("California Code") into law. Readers of this blog may think this new law sounds familiar – it is! It very closely mirrors the United Kingdom's Age Appropriate Design Code ("UK Code") which took effect in the UK in September 2020 (see our blogs here and here). There are also similarities to the Irish Fundamentals.

What is the aim of the California Code?

The aim of the California Code is to protect children's privacy when using online services, products and features. It does this through a requirement for businesses to complete a Data Protection Impact Assessment. Businesses must also implement requirements such as ensuring that default privacy settings are set to a high level of privacy and providing information and terms to children using language suited to their age. If a conflict arises between the commercial interests of a business and the best interests of the child, the business should prioritize the privacy, safety, and well-being of the child.

Who needs to comply?

Businesses which meet the financial or data collection thresholds of the California Privacy Rights Act (CPRA) and which provide an online service, product or feature "likely to be accessed" by children need to comply with the California Code, but what does this mean?

This is where the two regimes differ in approach, although the ultimate result is likely to be similar. The UK Code provides a non-exhaustive list of examples and a test of "more probable than not". The California Code on the other hand takes a more legalistic approach by reference to online services, products and features:

• directed to children as defined by the Children’s Online Privacy Protection Act;
• which are determined, based on the use of competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
• which are substantially similar or the same to the service, product or feature noted above;
• which contain advertisements marketed to children;
• that have design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children; or
• which are determined to have children as a significant amount of their audience based on internal company research.

A child is a person under 18 years of age under both Codes.

When is compliance expected?

The California Code commences on 1 July 2024. Unlike the UK Code, which gave businesses a year to prepare, there is no such delay to enforcement under the California Code.

How do the obligations under the UK and California Codes compare?

The obligations between the two Codes are very similar, although there are some important differences, for example around nudge techniques – these are referred to as "dark patterns" in the California Code (about which the EU has published specific guidance – see our blog here). The California Code also contains some specific requirements on the timings of completing a data protection impact assessment. Another important difference is that the California Code explicitly excludes "the delivery or use of a physical product" from its scope, meaning that unlike the UK Code, connected toys or devices are excluded from the scope of the California Code.

We've identified 15 key points of comparison between the UK and California Codes – click here to have a read.

How is the California Code enforced?

One of the starkest differences is the enforcement regime. The California Code allows the Attorney General to seek enforcement or a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. This is subject to a 90 day cure period.

In the UK, there is no separate enforcement regime built into the UK Code – any enforcement would be undertaken under the pre-existing regime under the UK's Data Protection Act 2018 and the UK GDPR.

Can we expect further guidance?

The California Children's Data Protection Working Group has been created to provide recommendations to the legislature on best practices. The first such recommendations are to be published on or before 1 January 2024. In the meantime, businesses may wish to look at the more detailed UK Code which provides examples of acceptable and unacceptable practices.

What practical steps can organisations take?

Businesses should undertake the necessary DPIAs. The Attorney General can request a list of all completed DPIAs within three business days, and copies of the DPIAs themselves within five business days. DPIAs should be completed by 1 July 2024 for any service, product and feature that was likely to be accessed by children before that date and will still be available after that date.

Thankfully, it is not necessary to undertake separate DPIAs under the California Code and UK Code. The California Code confirms that any DPIA conducted for the purposes of complying with any other law (e.g. the UK Code and GDPR!) could also be used to comply with the California Code as long as it covers the necessary requirements. You may therefore want to revisit and update any existing DPIAs.