Outside the Playground: California’s Child Privacy Act Sets Rules for Child’s Play


In his State of the Union address on February 7, 2023, President Biden affirmed his position on consumer data privacy protections and specifically his focus on strengthening protections for children. With several state data privacy acts now effective (and more scheduled later this year), compliance with the complex mesh of data privacy laws in the U.S. requires more attention than ever before. Recent activity from regulators suggests that state and federal agencies are committing resources to investigate and penalize offenders. However, not only is it critical that businesses ensure they comply with current laws as quickly as possible, but they should also understand that the effects of some new requirements are staggered — not all changes are effective immediately and there is still time to be proactive.

On September 15, 2022, California signed into law the Age Appropriate Design Code Act (“AADC” or the “Act”), which aims to protect “the wellbeing, data, and privacy of children using online platforms.” The AADC, which is modeled after similar laws in the United Kingdom, becomes effective on July 1, 2024, and will work in tandem with the California Privacy Rights Act (“CPRA”). Despite the future deadline, all businesses should prepare to revisit their handling of data because of new and significant changes regarding protecting the privacy of children.

Under the AADC, children (defined as consumers under the age of 18) are afforded protection from online products and services that specifically target them, but also from products and services “likely to be accessed by children.” Below are the six indicators listed in the AADC that determine whether it is reasonable to expect children to access a business’s services, products or features:

  • The online service, product or feature is directed to children as defined by the Children’s Online Privacy Protection Act (“COPPA”), the federal act concerning the privacy of children’s data.
  • The online service, product or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
  • An online service, product or feature with advertisements marketed to children.
  • An online service, product or feature that is substantially similar or the same as an online service, product or feature — determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
  • An online service, product or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music and celebrities who appeal to children.
  • A significant amount of the audience of the online service, product or feature is determined, based on internal company research, to be children.

Despite this definite list, the responsibility of indicator analysis lies with businesses — no single indicator clearly and unambiguously defines what constitutes a service or product that is likely to be accessed by children. Furthermore, it is unclear whether these indicators should be considered together, or only individually. To even determine whether a service or product is subject to the AADC, businesses will incur costs to analyze their own services and products as well as the overall market of services and products designed for children. The AADC goes on to differentiate between age ranges of children, requiring businesses to adopt data protection regimes “appropriate for the ages of children.” The AADC identifies ages 0-5, ages 6-9, ages 10-12, ages 13-15, and ages 16-17 as different developmental stages.

Once the AADC’s applicability is established, the Act then imposes certain requirements and restrictions on (i) services and products, and (ii) use and/or sharing of children’s data. Interestingly, the AADC refers to COPPA to help establish applicability, but seemingly aims to achieve a different purpose. In doing so, the AADC arguably imposes a higher standard of protection than the federal standard. COPPA applies to businesses that collect, utilize or disclose the data of children under the age of 13. These businesses are required to obtain verifiable parental consent. COPPA does not specify how parental consent must be verified, but the Federal Trade Commission (the “Commission”) has outlined some acceptable methods. [1] In contrast, the AADC requires businesses to restrict or curb their activity, regardless of parental consent, for consumers under the age of 18. Among other requirements and under certain exceptions, businesses covered under the AADC must:

  • Perform a “Data Protection Impact Assessment” before any services or products are offered to the public. (A Data Protection Impact Assessment is an eight-part analysis to determine (i) whether an individual service or product, or algorithms or advertising systems, can harm, or potentially harm, a child, (ii) whether the service or product is designed to increase, sustain or extend use, and/or (iii) whether it processes sensitive personal information of a child.)
  • Configure, by default, children with the highest level of privacy settings.
  • Clearly and obviously indicate to a child when their online activity or location is being collected, monitored, or tracked.
  • Prominently, and in clear language, provide concise user agreements, such as privacy policies and terms of use. As a best practice, user agreements should be specifically tailored to each individual business, website or service — but the AADC also suggests that businesses should consider the different protections necessary for users in each age range of development stages.

Also noteworthy, the AADC specifically prohibits covered businesses from using “dark patterns” to (i) prompt children to provide personal information beyond what is reasonably expected to be provided for that particular online service, product or feature, or (ii) take actions that the business knows (or has reason to know) are “materially detrimental” to the child’s physical or mental health or well-being. [2]

The AADC’s restrictions and requirements for online services, products and features, separate from any parental consent, will likely increase the cost of compliance for businesses covered by the Act. Unfortunately, these costs are difficult to project, and will be unique to each individual business — particularly the cost of completing Data Protection Impact Assessments. But businesses may need to anticipate increased spending on in-depth consumer analytics and market research (to determine the number and ages of children who use their website and/or online services), and potential decreases in ad revenue as restrictions on advertising come into effect.

Businesses shouldn’t rely on industry pushback on the AADC either — despite a suit brought against the State of California by NetChoice [3], a technology industry group that includes some of the biggest tech companies like Amazon, Google, and Meta, to block the AADC, California reiterated its commitment to the AADC. [4] Other states are also pushing for increased privacy protection for children. For example, a proposed bill in Connecticut will require social media companies to obtain parental consent before children under the age of 16 can create social media accounts [5] and Pennsylvania proposed a bill in 2022 that also provides, among other things, greater protection of children’s privacy. [6]

Businesses should take the time to prepare for the AADC before it comes into effect. The requirements the Act imposes will not be easy to set up or complete overnight. And despite the likelihood that the AADC will result in higher administrative costs, ensuring your compliance will almost certainly be less costly than any fines and/or settlements with government regulators.

——————————–

This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.

[1] https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business#step4

[2] https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=202120220AB2273&showamends=false

[3] https://netchoice.org/netchoice-v-bonta/

[4] https://www.gov.ca.gov/2023/02/21/governor-newsom-statement-on-challenge-to-californias-child-online-privacy-law/

[5] https://www.cga.ct.gov/2023/TOB/H/PDF/2023HB-05025-R00-HB.PDF

[6] https://www.legis.state.pa.us/cfdocs/billinfo/BillInfo.cfm?syear=2021&sind=0&body=H&type=B&bn=2257