California Passes Landmark “Best Interests of the Child” Privacy Law
Last week, at the very end of what social media has dubbed #HotPrivacySummer, California’s legislature passed a new children’s privacy law that has the potential to transform data privacy protections for children and teens in the United States. The law, known as the California Age Appropriate Design Code Act (“CAAADC” or “Code”), sets up a far-reaching privacy framework that requires businesses to prioritize the “best interests of the child” when designing, developing, and providing online services such as online video games and mobile apps. It is modeled on a U.K. law that just reached its first birthday and has had a significant impact on kid and teen privacy across the pond.
ESRB Privacy Certified – a leading non-profit privacy compliance and certification program – has been following the California law closely. The CAAADC mandates “privacy-by-design,” a concept that is already at the core of ESRB’s program for member video game and toy companies. It will, however, change privacy practices in the U.S. significantly. By way of example, it will:
- Apply to children under the age of 18, a higher age threshold than other federal and state privacy laws in the U.S., which are generally limited to children under the age of 13 or, in limited cases, 16.
- Cover a wide range of businesses that provide online services “likely to be accessed by a minor,” even if the business lacks “actual knowledge” that children use the service. “Actual knowledge” is the current standard under federal law.
- Require businesses to set default privacy settings that offer a “high level” of privacy protection (e.g., setting geolocation and app tracking to off) unless the business can present a “compelling reason” that a different setting is in the best interests of children.
There are also provisions on age verification, data protection impact assessments, data minimization, and more.
California Governor Newsom has until September 30 to sign or veto the bill. Given the unanimous votes in favor of the legislation, in both the California Senate and the Assembly, there’s no indication that a veto is really in play. Assuming it’s not pre-empted by a new federal law or delayed or struck down by a court challenge, the CAAADC will take effect on July 1, 2024.
The CAAADC will be enforced by the California Attorney General and there are hefty fines for non-compliance – civil penalties of up to $7,500 per affected child for intentional violations, and up to $2,500 per affected child for negligent violations. (When a business has substantially complied with threshold requirements of the Act, though, the Attorney General must provide notice and give the business a 90-day period to cure.)
Even though the law’s effective date is nearly two years away, we’re already thinking about how the law will affect video game and toy companies doing business in the U.S. and abroad, and planning for a changed children’s privacy landscape. There are many questions about how the California law, which is likely to become the de facto national standard, will intersect with other privacy laws on the books, such as the Children’s Online Privacy Protection Act (“COPPA”). (COPPA prohibits the collection, use, and sharing of the personal data of children under the age of 13, without verifiable parental consent, by websites, apps, and other online services that are directed to or targeted to children or that have “actual knowledge” that such young people are using their site.) The CAAADC requires the state to establish a task force, which is charged with developing and implementing regulations by April 1, 2024. These regulations may help answer some of these questions.
In the meantime, we will continue to help our members comply with existing laws and adopt and implement best practices for children’s privacy. As an organization, we already recommend that our program members incorporate many of the concepts that will be required by the California law into their privacy programs. As privacy protections for kids and teens continue to evolve, we’ll be following closely and providing guidance on CAAADC, COPPA, and the many other moving parts of the complex children’s privacy landscape.
Stacy Feuer is the Senior Vice President of the Entertainment Software Rating Board Privacy Certified program. The program is an authorized Safe Harbor under the Federal Trade Commission’s COPPA Rule.