IDC Names Securiti a Worldwide Leader in Data PrivacyView
The California Legislature enacted the California Age-Appropriate Design Code Act (A.B. 2273) on August 30, 2022. The legislation will compel online platforms to proactively assess the privacy and protection of children in the design of any digital product or service that they offer.
The bill, which aims to regulate the collection, processing, storage, and transfer of children's data, is based on the Age Appropriate Design Code (AADC) of the United Kingdom. The California legislature considers the bill necessary as young people increasingly use digital services for entertainment, education, communication, and other objectives and are subject to targeted online advertisements.
The bill will put extensive new rules on companies that offer online services, products, or features that are "likely to be accessed” by children, as defined under the bill as anybody under 18 years of age. After being passed by both the California Senate and Assembly, the legislation is anticipated to be signed by the Governor of California and will take effect on July 1, 2024.
The law applies to “businesses” as defined by the California Consumer Privacy Act (CCPA). The CCPA defines businesses as any for-profit company operating in California that satisfies one of three requirements:
According to the California Age-Appropriate Design Code Act, any “company that provides an online service, product, or feature likely to be accessed by children” must adhere to certain rules and regulations. Children are referred to as “a consumer or consumers who are under the age of 18.”
The protections under the Act extend to all “children,” defined as consumers under the age of 18, and in respect of online products and services (i) specifically directed at children and (ii) that are “likely to be accessed” by children.
The application to users below the age of 18 is significant since the federal Children’s Online Privacy Protection Act of 1998 only applies to users below the age of 13 (and is generally focused on online services directed at children).
The California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, which find and declare that children are particularly vulnerable from a negotiating perspective concerning their privacy rights, both stress that it is in the public interest to ensure that children have robust privacy protections by design.
Companies should put children's privacy, safety, and well-being ahead of their own interests if there is a conflict between them and what is in their best interests.
The California Age-Appropriate Design Code Act makes a few exemptions. “Online service, product, or feature” does not mean any of the following:
Unless otherwise specified, a “child” or “children” means a consumer or consumers under 18 years of age.
A systematic survey to assess and mitigate risks arising from the business's data management practices to children who are reasonably likely to access the online service, product, or feature at issue arising from the provision of that online service, product, or feature.
A preselected option adopted by the business for the online service, product, or feature.
“Likely to be accessed by children” means it is reasonable to expect, based on the following indicators, that children would access the online service, product, or feature:
Any form of automated processing of personal information that uses personal information to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Organizations must conduct a Data Protection Impact Assessment for every online service, product, or feature that is likely to be used by children before making it available to the public, and keep the documentation of this assessment for as long as the online service, product, or feature is likely to be used by children.
The Data Protection Impact Assessment should identify the objective of the online service, product, or feature, how it uses children's personal information, and the risks of material harm to children that result from the business's data management practices.
To the degree possible, all of the following must be addressed in the data protection impact assessment:
The Data Protection Impact Assessment should be conducted within five business days after receiving a written request by the Attorney General. Additionally, the Data Protection Impact Assessment should remain confidential and not disclosed to the public, regardless of any other laws, including the California Public Records Act.
To facilitate the development of online features, services, and products, businesses should consider the special requirements of various age groups, including the following developmental stages:
The bill mandates that strong privacy protections should be provided by design and default for online services, products, or features that are likely to be used by children. This includes disabling features that use a child's past behavior, browsing history, or assumptions about their similarity to other children to profile them and present harmful content.
An organization that offers an online service, product, or feature that children are likely to access must not do any of the following:
Document any risk that the company's data management methods provide to children that could be materially harmful, as determined by the Data Protection Impact Assessment.
The Act requires businesses to estimate the age of child users with a “reasonable” level of certainty appropriate to the risks that arise from their data management practices or to apply privacy and data protections afforded to children to all of their consumers. However, businesses are prohibited from using the personal information collected to estimate age for any other purpose or to retain such information longer than necessary.
Any privacy information, terms of service, policies, or community standards must be concise, prominently displayed, and use clear language suited to the age of children likely to access the Service. Any published terms, policies, and standards the business establishes must be enforced.
Strong data minimization standards would be established by the ADCA, making it illegal to collect, sell, share, or keep personal data that is not required to deliver the product or service.
Children's data is only permitted to be utilized for the purpose it was gathered. The ADCA would allow data collection for the sole purpose of determining an individual's age. Still, it would limit data use by prohibiting it for any other purpose.
When a child accesses digital services, the ADCA will mandate covered businesses to set "all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business."
Unless the company can prove convincingly that a different option is in children's best interests, all default privacy settings offered to children by the online service, product, or feature should be configured to settings that offer a high level of privacy.
Give any privacy information, terms of service, policies, and community standards in a clear, concise manner that is visible to children of the age group most likely to access it.
Organizations must clearly indicate to the child when they are being tracked or monitored if the online service, product, or feature has permitted the parent, legal guardian, or any other consumer to keep an eye on the child's online behavior.
The California Age-Appropriate Design Code Act states that children or, if necessary, their parents or guardians should be given accessible and responsive tools which assist them in exercising their right to privacy and report concerns.
The California Age-Appropriate Design Code Act would task the California Privacy Protection Agency (CPPA) to create the California Children's Data Protection Working Group and communicate privacy guidelines, standards, and information.
The Working Group would be in charge of adopting regulations by April 1, 2024, and providing compliance advice. Additionally, the Working Group will be tasked with, among other things, the following:
The Act mandates that by April 1, 2023, the Working Group will be in place, with members chosen by the CPPA. "Californians with knowledge in privacy, physical health, mental health, well-being, technology, and children's rights" would constitute members of the Group. Companies would have three months to comply.
The Attorney General would be permitted to seek a civil lawsuit against any company that violates its provisions. The proposed law would subject violators to civil penalties of up to $2,500 per impacted kid for each negligent violation and up to $7,500 for each intentional violation.
Organizations that process personal data of children and target children for advertisements must ensure they comply with California Age-Appropriate Design Code Act by:
As countries witness a profound transition in the digital landscape, automating privacy and security processes for quick action is essential. Organizations must become even more privacy-conscious in their operations and diligent custodians of their customer's data.
Securiti uses the PrivacyOps architecture to provide end-to-end automation for businesses, combining reliability, intelligence, and simplicity. Securiti can assist you in complying with California Age-Appropriate Design Code Act and other privacy and security standards worldwide. Examine how it functions.
Request a demo right now.
The California Kids Code refers to legislation that enhances online privacy and protection for children, particularly regarding personal information.
The California Age Appropriate Design Code Act (ADCA) is a legal initiative that compels online platforms to proactively assess the privacy and protection of children in the design of any digital product or service they offer.
Under the California Age-Appropriate Design Code Act, any “company that provides an online service, product, or feature likely to be accessed by children” must adhere to specific rules and regulations. Children are referred to as “a consumer or consumers who are under the age of 18.
The California Children's Code likely refers to legal provisions or regulations that specifically address the rights, protection, and privacy of children within the state.
The California Age Appropriate Design Code Act might matter to a social media company based in New York if it offers services to California residents, as it could require compliance with specific design standards for children's privacy protection.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.