The California governor recently signed into law the California Age-Appropriate Design Code Act, which will go into effect July 1, 2024. The law applies to “businesses” (as defined by CCPA) that provide online services or features “likely to be accessed by children.” To understand if the product or service is likely to be accessed by children, companies should look at factors like audience composition, if there are child-directed ads, or elements known to be of interest to children. Children are those who are under 18 (as opposed to the federal Children’s Online Privacy Protection Act, applicable to collection of personal information of those under 13).

Unlike COPPA, the law is not focused on parental consent. Its prohibitions and requirements are much broader. By way of example, the law prohibits companies from several activities, including:

  1. Using information in a way that harms children
  2. Profiling children (subject to certain exceptions)
  3. Collecting or using children’s precise geo-location information (again, subject to some exceptions)
  4. Use “dark patterns” to get children to provide too much information or engage in activities detrimental to their health or well-being

The law contains data minimization provisions, and will require entities to conduct a data protection impact assessment before launching a product or service “likely to be accessed” by children. That assessment needs to examine whether the product or service will be “harmful” to children or could exploit children, among other things. These assessments must be made available to the Attorney General upon request. The law calls for a working group to provide a report on (among other things) how to best protect children, which report will be provided on January 1, 2024 and every two years thereafter until January 2030.

Putting It Into Practice: Companies who are subject to CCPA can take two steps now to begin preparing for this law. First, begin to assess if their sites are likely to be accessed by those under 18. If so, then second, companies can look to the laws data protection impact assessment requirements, and begin now in thinking through how they would conduct such an assessment for their online products and services.