California’s Governor signed Assembly Bill (AB) 2273, the first of its kind state legislation that requires businesses that provide online services, products, or features likely to be accessed by children to comply with specified standards.
Building on federal protections for children online under the Children’s Online Privacy Protection Act (COPPA), AB 2273 enacts the California Age-Appropriate Design Code Act, which starting on July 1, 2024, would require a business that provides an online service, product, or feature likely to be accessed by children to comply with a significant number of specified requirements. For example, under the Act, such businesses must:
-
Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children;
-
Provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature;
-
Provide an obvious signal to the child when the child is being monitored or tracked when the online service, product, or feature allows the child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location;
-
Provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns;
-
Not (i) use the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child; (ii) profile a child by default unless certain criteria are satisfied; or (iii) collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, or according to certain legal requirement unless the business can demonstrate a compelling reason that the collecting, selling, sharing, or retaining of the personal information is in the best interests of children likely to access the online service, product, or feature.
AB 2273 requires a business, before any new online services, products, or features are offered to the public, to complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children. The Impact Assessment must address several aspects of the online service, product, or feature, such as
-
Whether its design could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.
-
Whether its design could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts.
-
Whether algorithms used could harm children.
-
Whether the targeted advertising systems used could harm children.
Moreover, a business would need to make a Data Protection Impact Assessment available, within 5 business days, to the Attorney General pursuant to a written request. The bill also exempts a Data Protection Impact Assessment from public disclosure
AB 2273 also authorizes the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation.