With so much attention focused on the California Privacy Rights Act (CPRA) going into effect on January 1, 2023, it is not surprising that the enactment of another far-reaching California privacy law has flown beneath the radar. On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act, A.B. 2273 (CAADCA), which imposes stringent new privacy requirements on businesses that provide online products, services, or features that are “likely to be accessed” by consumers under 18 years of age. 

At the outset, businesses should be aware that CAADCA casts a wider net than the federal Children’s Online Privacy Protection Act (COPPA), which applies to websites and online services that are “directed to” children under 13 or have actual knowledge that they are collecting information from children under 13 or users of another website directed to children under 13. Whereas CAADCA applies to online services likely to be accessed by persons under 18, which would potentially subject a large number of general audience websites and online services to the law’s requirements if they are likely to attract a significant number of minors. CAADCA will take effect on July 1, 2024.

CAADCA’s definition of a covered business mirrors the CPRA’s, a for-profit entity that does business in California and either

1. has annual gross revenues exceeding $25,000,000,
2. annually buys, sells, or shares the personal information of at least 100,000 California consumers or households, or
3. derives 50% or more of its annual revenues from sales of personal information.

CAADCA provides that an online service, product, or feature offered by a covered business is “likely to be accessed by children” if it is reasonable to expect that it would be accessed by children based on certain indicators, such as whether it is directed to children (as defined in COPPA), is routinely accessed by a significant number of children, has advertisements marketed to children, is substantially similar to another online service that is routinely accessed by a significant number of children, and/or has design elements that are known to be of interest to children (including games, cartoons, music, and celebrities who appeal to children).

If a covered business offers an online service, product, or feature that is likely to be accessed by children, new measures that the business must take include the following:

1. Before any new online service, product, or feature that is likely to be accessed by children is offered to the public, complete a Data Protection Impact Assessment that evaluates potential harms to children. The business must also biennially review all Data Protection Impact Assessments and make them available to the California Attorney General on request. Businesses must complete a Data Protection Impact Assessment on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children that is offered to the public before July 1, 2024.
2. Configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy unless the business can demonstrate a compelling reason that a different setting is in children's best interests.
3. If the online service, product, or feature allows a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, provide an obvious signal to the child when the child is being monitored or tracked.
4. Estimate the age of child users with a reasonable level of certainty appropriate to the risks arising from the business's data management practices, or apply the privacy and data protections afforded to children to all consumers.
5. Provide any privacy disclosures and other online policies (such as terms of use, community standards, etc.) prominently and concisely, using “clear language suited to the age of children likely to access” the online service, product, or feature.

The business must also place the interests of children above its own business interests by not: 

1. Using a child’s personal data in a way that the business knows, or has reason to know, is materially detrimental to the child’s physical or mental health or well-being.
2. Collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged unless the business can demonstrate a compelling reason that this is in the best interests of children likely to access the online service, product, or feature.
3. Profiling a child by default, subject to certain narrow exceptions.
4. Collecting, selling, or sharing precise geolocation data of children by default, unless this is strictly necessary to provide the service.
5. Collecting any precise geolocation information of a child without providing an obvious sign to the child for the duration of the collection period that precise geolocation information is being collected.
6. Using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide the online service, product, or feature, to forego privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being.

CAADCA, unlike the CPRA, does not contain a private right of action and will be enforced by the California Attorney General. Monetary penalties for violations range from $2,500 per affected child for each negligent violation to $7,500 per affected child for each intentional violation.  

CAADCA’s sweeping provisions will cover many businesses which are not currently subject to COPPA. Businesses whose online properties may fall within its scope should begin the process of completing Data Protection Impact Assessments as far in advance of the effective date as possible. Online properties which feature advertising targeted to persons under 18, especially third-party advertising, are likely to be significantly impacted. Finally, although it was passed with overwhelming bipartisan support, the future of CAADCA is not entirely clear. It is very likely that the new law will be challenged in litigation, possibly on First Amendment grounds and also potentially based on arguments that it is preempted by COPPA.