California Legislature Takes Steps to Regulate Collection and Storage of Children’s Data
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
On September 15, 2022, California Governor Newsom signed the California Age-Appropriate Design Code Act (the Act). This Act, scheduled to go into effect July 1, 2024, is the first state law to require heightened standards for businesses’ collection and use of the personal information of California individuals under the age of 18. Currently, the federal Children’s Online Privacy Protection Act (COPPA) protects the data of minors who are under the age of 13.
Products and services are within the scope of the Act if they are “likely to be accessed by children.” Data collectors are expected to make this determination based on factors such as: (1) whether the feature falls under the scope of COPPA; (2) whether evidence shows that the feature is routinely accessed by a significant number of children; and (3) whether advertisements for the feature market to children.
Data collectors subject to the Act must take steps to protect children, including conducting a Data Protection Impact Assessment (DPIA) before offering the product or service to the public. The California Attorney General has authority to review these assessments every two years. Businesses subject to the Act are required to provide a list of DPIAs to the California Attorney General within five business days of receiving a request from the AG’s office.
In addition to further regulation of the use of children’s data, the Act also creates obligations on data collectors to consider how privacy measures can be integrated into the design of their products and services. Specifically, the Act explicitly directs data collectors to prioritize the interests of children over the commercial goals of data collectors. For example, data collectors are prohibited from using the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the health or well-being of a child. The Act also requires data collectors to “configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy.” Data collectors offering online services, products, or features geared toward children would also need to provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language that would be easier for children to understand.
Critics of the Act cite concerns that it may require data collectors to actually collect more data in order to be in conformity with the Act. For example, data collectors may need to know a user’s date of birth prior to the provision of goods and services to demonstrate compliance, even though this information was not otherwise required.
Violations of the Act could result in significant penalties, including civil litigation from impacted individuals and fines of up to $7,500 for intentional violations.
The Act could have a major impact across the country as data collectors would have to make significant changes to their products and practices. This is consistent with many other state, federal, and international laws designed to protect children’s data.
Businesses have some time to prepare before the Act becomes effective in July 2024 and should use it to evaluate whether their products and services are “likely to be accessed” by users under the age of 18. If so, businesses subject to the Act should conduct and document DPIAs and evaluate whether additional administrative, technical, and/or physical safeguards are needed to protect children’s data.
Lewis Brisbois’ Data Privacy & Cybersecurity Team is available to assist businesses as they navigate how to address these new requirements effectively and efficiently. For more information on this new law, contact the authors of this alert.