On September 15, 2022, California became the first state to pass legislation that requires online businesses to build additional safeguards into their services to protect children. The California Age-Appropriate Design Code Act (“ADCA”) targets businesses that provide “online services, products or features” to children under 18. Set to take effect on July 1, 2024, the ADCA will work in conjunction with the California Privacy Rights Act of 2020 (“CPRA”) and is modeled after similar legislation adopted in the United Kingdom, namely the Age-Appropriate Design Code.
Who Will the ADCA Apply To?
The ADCA will apply to businesses that provide online services, products, or features “likely to be accessed by children” under the age of 18. By contrast, the Children’s Online Privacy Protection Act (“COPPA”) only covers users under the age of 13. The ADCA borrows terms defined in the CPRA and will only apply to businesses subject to the CPRA.
What Does the ADCA Require?
The key requirements of the ADCA include:
Data Protection Impact Assessment: Businesses must complete a Data Protection Impact Assessment (“DPIA”). This assessment must be completed every two years and copies must be provide to the California Attorney General upon request.
Default Privacy: Business must configure all default privacy settings to a high level for children. Businesses are prohibited from collecting, selling, sharing, or retaining any personal information that is not necessary for providing the online service or product.
Tracking Signals: Businesses are prohibited from collecting any precise geolocation information unless it is strictly necessary for providing the online service or product. If it does, it must display an obvious sign to the child when collecting the information. Businesses are also required to display a signal to a child when the child’s activity or location is being monitored or tracked by a parent, guardian, or others.
Are There Penalties for Non-Compliance?
Yes. Although there is no private right to action under the ADCA, the California Attorney General has enforcement authority. Civil penalties up to $2,500 per affected child may be enforced for negligent violations, and up to $7,500 per affected child for intentional violations. The Attorney General must provide written notice of violations and allow a 90-day cure period.
Need Help with Data Privacy Compliance?
You’re not alone! With several U.S. states and foreign jurisdictions enforcing their own data privacy laws, businesses are at increasing risk of violating applicable data privacy laws, and penalties can be significant. Out-House Attorneys, LLC. can help your business identify applicable data privacy laws and create a plan for ongoing compliance.
The information provided on this website does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser.