The internet has revolutionized society’s ability to communicate, educate, provide entertainment, and access information all around the world.1[1]Andrew Meola, Generation Z News: Latest Characteristics, Research, and Facts, INSIDER INTELLIGENCE (Jan. 5, 2022), https://www.insiderintelligence.com/insights/generation-z-facts/.; Clay Halton, Digital Native, INVESTOPEDIA (Aug. 26, 2021), https://www.investopedia.com/terms/d/digital-native.asp. Children today are the first generation of consumers to grow up entirely in a digital world. In fact, one in three internet users is under 18 years old.2[2]Growing Up in a Connected World, UNICEF, https://www.unicef-irc.org/growing-up-connected (last visited Oct. 16, 2022). Despite the internet’s positive impact on society, children are particularly vulnerable to cyberbullying, age-inappropriate content, and sharing personal information.3[3]Adrienne Katz & Aiman El Asam, Vulnerable Children in a Digital World, INTERNET MATTERS, https://www.internetmatters.org/hub/esafety-news/vulnerable-children-in-a-digital-world-report/ (last visited Oct. 16, 2022). With increases in children online, especially on social media, it is important to have effective laws that protect children from exploitative online privacy practices.4[4]Growing Up in a Connected World, supra note 2.; Children’s Right to Privacy in the Digital Age Must Be Improved, UNITED NATIONS (July 15, 2021), https://www.ohchr.org/en/stories/2021/07/childrens-right-privacy-digital-age-must-be-improved.; Melinda Wenner Moyer, Kids as Young as 8 Are Using Social Media More Than Ever, Study Finds, NEW YORK TIMES (March 24, 2022), https://www.nytimes.com/2022/03/24/well/family/child-social-media-use.html. In light of children’s growing digital footprint, this article examines the recently passed California Age-Appropriate Design-Code Act (“CAADC”) and its impact on protecting children’s privacy online.5[2]CAL. CIV. CODE §§ 1798.99.28–1798.99.40
Privacy Law in the United States
The U.S. lacks universal and comprehensive privacy laws like the E.U.’s General Data Protection Regulation, and instead employs a patchwork approach depending on specific jurisdictions, industries, and populations.6[6]Regulation 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU).; Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), NEW YORK TIMES (Sept. 6, 2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/. While there are federal privacy laws like the Children’s Online Privacy Protection Act (“COPPA”), most privacy laws are enacted by the states.7[7]15 U.S.C. §§ 6501-6508.; U.S. State Privacy Laws, ELECTRONIC PRIVACY INFORMATION CENTER, https://epic.org/issues/privacy-laws/state-laws/ (last visited Oct. 16, 2022). California is the only state that recognizes privacy as an “inalienable” right in its constitution and is at the forefront of legislating strict state privacy laws.8[8]CAL. CONST. Art. I, § 1.; Privacy Protections in State Constitutions, NATIONAL CONFERENCE OF STATE LEGISLATURES, https://www.ncsl.org/research/telecommunications-and-information-technology/privacy-protections-in-state-constitutions.aspx#:~:text=All%20people%20are%20by%20nature,safety%2C%20happiness%2C%20and%20privacy. (last visited Nov. 6, 2022).; Privacy Laws, STATE OF CALIFORNIA DEPARTMENT OF JUSTICE, https://oag.ca.gov/privacy/privacy-laws#:~:text=California%20Law%20%2D%20Constitutional%20Right%20to,to%20pursue%20and%20obtain%20%22privacy (last visited Oct. 16, 2022). In addition to the CAADC, California has been regarded for its leading privacy legislation, including the California Privacy Rights Act of 2020 (“CPRA”) which amended the California Consumer Privacy Act of 2018 (“CCPA”) and becomes fully effective on January 1, 2023.9[9]CAL. CIV. CODE §§ 1798.100–1798.199.100. Since California has the largest economy in the U.S., and is often deemed the technology capital of the world, its privacy laws are highly influential.10[10]Peter P. Swire, DeBrae Kennedy-Mayo, U.S. Private-Sector Privacy, 79 (3d ed. 2020).
California Age-Appropriate Design Code Act
On September 15, 2022, California Governor Gavin Newsom enacted the CAADC, which becomes effective July 1, 2024.11[11]Governor signs California Age-Appropriate Design Code Act, INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (Sept. 16, 2022), https://iapp.org/news/a/newsom-signs-california-age-appropriate-design-code-act/#. It is modeled after the U.K.’s Age Appropriate Design Code.12[12]Age Appropriate Design Code, INFORMATION COMMISSIONER’S OFFICE (Sept. 2, 2020) https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/. The CAADC is the first law in the U.S. to require businesses that offer “online products, services, or features” that are “likely to be accessed by children” under 18 years old to consider the “best interests of children” in their design, development, and implementation.13[13]CAL. CIV. CODE §§ 1798.99.28–1798.99.40.; Governor Newsom Signs First-in-Nation Bill Protecting Children’s Online Data and Privacy, OFFICE OF GOVERNOR GAVIN NEWSOM (Sept. 15, 2022), https://www.gov.ca.gov/2022/09/15/governor-newsom-signs-first-in-nation-bill-protecting-childrens-online-data-and-privacy/#:~:text=AB%202273%20prohibits%20companies%20that,children%20to%20provide%20personal%20information. The CAADC is momentous legislation as it aims to protect children by forcing certain businesses to comply with new online privacy requirements.14[14]Sophie Flay, California Legislators Passed a Bill with Hopes to Make the Digital World Safer for Children, ABC7 (Sept. 8, 2022), https://abc7.com/california-age-appropriate-design-code-act-social-media-privacy-law/12210394/#:~:text=%3E-,The%20California%20Age%20Appropriate%20Design%20Code%20Act%20would%20require%20social,bill%20through%20the%20state%20senate.
Businesses Likely to Be Accessed By Children Are Subject to the CAADC
The CAADC applies to businesses that have “online services, products, or features that are likely to be accessed by children.”15[15]15 U.S.C. § 6501(10)(A).; CAL. CIV. CODE § 1798.99.30(b)(4). Further, businesses that use “design elements” that appeal to children, or look substantially like businesses that are often visited by children, are considered “likely to be accessed by children.”16[16]CAL. CIV. CODE § 1798.99.30(b)(4). Additionally, definitions under the CCPA apply to the CAADC unless otherwise clearly stated.17[17]CAL. CIV. CODE § 1798.99.30(a). When the CAADC becomes effective in 2024, the CCPA’s definition for “business” will have been replaced by the CPRA’s.18[18]CAL. CIV. CODE § 1798.140(d) (amending CAL. CIV. CODE § 1798.140(c)). Like the CCPA, the CPRA covers businesses that are for-profit, do business in California, collect personal information, and meet a certain threshold.19[19]Id. The CPRA’s threshold requirement for applicability requires that a business either have an annual gross revenue greater than twenty-five million dollars, possess the personal information of at least one hundred thousand consumers, or earn more than half of their annual revenue from selling or sharing consumers’ personal information.20[20]Id. Therefore, some businesses that are “likely to be accessed by children” might be exempt from the CAADC if they are not considered a “business” under the CPRA’s definition.21[21]Id.; CAL. CIV. CODE § 1798.99.30(b)(4); 1798.99.31(a).
Privacy Requirements Under the CAADC
Businesses subject to the CAADC are required to take several proactive privacy measures including, but not limited to, filling out data protection impact assessments, estimating the age of child users, applying default privacy settings with the highest protections, and providing notice to children if their online activity or location is being tracked.22[22]CAL. CIV. CODE §§ 1798.99.31(a)(1)–(10). Additionally, the CAADC restricts certain privacy actions such as implementing dark pattern designs to induce children to provide personal information, tracking a child’s precise geolocation, and using personal information beyond what is necessary or in a way that is “materially detrimental to the physical health, mental health, or well-being of a child.”23[23]CAL. CIV. CODE §§ 1798.99.31(b)(1)–(8). However, there are often exceptions to these restrictions if there is a business justification, or if there is a compelling reason in the best interests of children.24[24]Id.
Enforcement under the CAADC
California’s attorney general has enforcement authority over the CAADC.25[25]CAL. CIV. CODE §§ 1798.99.35(a)–(e). The statute offers no private right of action.26[26]CAL. CIV. CODE § 1798.99.35(d). If a business violates the CAADC, it could be subject to an injunction or civil penalty up to $2,500 per child for a negligent act, and up to $7,500 per child for an intentional act.27[27]CAL. CIV. CODE § 1798.99.35(a). Additionally, the California Children’s Data Protection Working Group has been established to advise the legislature on how to best implement the CAADC.28[28]CAL. CIV. CODE § 1798.99.32.
The CAADC’s Impact on Privacy Law
While both the federal COPPA law and California’s CAADC focus on protecting children’s privacy, there are several distinctions. COPPA was amended nearly a decade ago and the internet has since evolved.29[29]Joseph Duball, Biden’s State of the Union Remarks Put Children’s Privacy Front and Center, INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (Mar. 2, 2022), https://iapp.org/news/a/bidens-sotu-remarks-put-childrens-privacy-front-and-center/. The CAADC covers a wider range of businesses as it targets businesses that are “likely to be accessed by children,” while COPPA only applies to businesses “directed to” children.30[30]CAL. CIV. CODE § 1798.99.29(a).; 15 U.S.C. § 6501(10)(A). The CAADC protects children under 18 years old, whereas COPPA only protects children under 13 years old.31[31]CAL. CIV. CODE § 1798.99.30(b)(1).; 15 U.S.C. § 6501(1). Additionally, the burden of protecting children online shifts from the parent, as seen in COPPA, to businesses under the CAADC.32[32]Complying with COPPA: Frequently Asked Questions, FEDERAL TRADE COMMISSION, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions (last visited Oct. 16, 2022).; Joseph Duball, California Age-Appropriate Design Code Final Passage Brings Mixed Reviews, INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (Aug. 31, 2022), https://iapp.org/news/a/california-age-appropriate-design-code-final-passage-brings-mixed-reviews/.
Some experts claim that the CAADC’s standard to protect children online seems well-intended, but its actual application is questionable.33[33]Duball, supra note 32. Requiring businesses to complete data protection impact assessments before releasing any product, service, or feature can be helpful for businesses to identify and mitigate risks of exposing children to harm, but it can also make compliance burdensome.34[34]CAL. CIV. CODE § 1798.99.31(a)(1).; Duball, supra note 32. Although the CPRA defines “dark pattern,” there is still uncertainty on how to objectively determine what constitutes a dark pattern.35[35]CAL. CIV. CODE §§ 1798.99.31(b)(7); 1798.140(l). This might make it difficult to establish if a dark pattern is being used to induce children to provide personal information.36[36]Id. Moreover, there is concern about the broad range of businesses that are considered “likely to be accessed by children.”37[37]CAL. CIV. CODE § 1798.99.30(b)(4).; TWiT Tech Podcast Network, California Age-Appropriate Design Code Passed, YOUTUBE (Sept. 1, 2022), https://www.youtube.com/watch?v=AvpjSoFiu-g.
The CAADC subjects businesses to “potentially over-broad compliance measures” which could create new privacy risks for children.38[38]Duball, supra note 32. For example, the CAADC requires businesses to estimate the age of users visiting their site.39[39]CAL. CIV. CODE § 1798.99.31(a)(5). It is difficult to authenticate a user’s age without their personal information.40[40]Duball, supra note 32. The age estimation requirement could lead to “invasive age verification” practices that involve interrogating the user for personal information or collecting biometric data for facial recognition.41[41]Emma Camp, A California Law Designed To Protect Children’s Digital Privacy Could Lead to Invasive Age Verification, REASON (Oct. 6, 2022, 4:18 PM), https://reason.com/2022/10/06/a-california-law-designed-to-protect-childrens-digital-privacy-could-lead-to-invasive-age-verification/. Both options are not only invasive, but also costly and not always accurate.42[42]Id. As a result, the CAADC’s stringent yet vague compliance measures might be counterproductive to protecting children’s privacy and harmful for businesses.
Because of the lack of a comprehensive federal privacy law, the CAADC is a significant legislative attempt to expand online privacy protections for children in a patchwork privacy system.43[43]Meghan Bobrowsky, California Gov. Gavin Newsom Signs Law Requiring Social Media Companies to Consider Children’s Health, WALL STREET JOURNAL (Sept. 15, 2022, 5:47 PM), https://www.wsj.com/articles/california-gov-gavin-newsom-signs-law-requiring-social-media-companies-to-consider-childrens-health-11663277455. Even though the CAADC applies only to California, when California “promulgates strict regulations,” those standards are often mimicked in other jurisdictions.44[44]Adrian Ma & Darian Woods, The California Effect, NPR (Sept. 6, 2022, 8:47 PM), https://www.npr.org/2022/09/06/1121353515/the-california-effect. In fact, since the CAADC was enacted, New York introduced a similar bill in its senate.45[45]Natasha Singer, Charting the ‘California Effect’ on Tech Regulation, N.Y. TIMES (Oct. 12, 2022), https://www.nytimes.com/2022/10/12/us/california-tech-regulation.html.; New York Child Data Privacy And Protection Act, S.B. 9563 (N.Y. 2022), https://assembly.state.ny.us/leg/?default_fld=&leg_video=&bn=S09563&term=&Text=Y. While it is important to protect children’s online privacy, the CAADC’s actual implementation and repercussions remain to be seen.
Written by: Sara Sachs
Sara is a 2024 J.D. Candidate at Brooklyn Law School
1 Andrew Meola, Generation Z News: Latest Characteristics, Research, and Facts, Insider Intelligence (Jan. 5, 2022), https://www.insiderintelligence.com/insights/generation-z-facts/.; Clay Halton, Digital Native, Investopedia (Aug. 26, 2021), https://www.investopedia.com/terms/d/digital-native.asp.
2 Growing Up in a Connected World, UNICEF, https://www.unicef-irc.org/growing-up-connected (last visited Oct. 16, 2022).
3 Adrienne Katz & Aiman El Asam, Vulnerable Children in a Digital World, Internet Matters, https://www.internetmatters.org/hub/esafety-news/vulnerable-children-in-a-digital-world-report/(last visited Oct. 16, 2022).
4 Growing Up in a Connected World, supra note 2.; Children’s Right to Privacy in the Digital Age Must Be Improved, United Nations (July 15, 2021), https://www.ohchr.org/en/stories/2021/07/childrens-right-privacy-digital-age-must-be-improved.; Melinda Wenner Moyer, Kids as Young as 8 Are Using Social Media More Than Ever, Study Finds, New York Times (March 24, 2022), https://www.nytimes.com/2022/03/24/well/family/child-social-media-use.html.
5 CAL. CIV. CODE §§ 1798.99.28–1798.99.40
6 Regulation 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU).; Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), New York Times (Sept. 6, 2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
7 15 U.S.C. §§ 6501-6508.; U.S. State Privacy Laws, Electronic Privacy Information Center, https://epic.org/issues/privacy-laws/state-laws/ (last visited Oct. 16, 2022).
8 Cal. Const. Art. I, § 1.; Privacy Protections in State Constitutions, National Conference of State Legislatures, https://www.ncsl.org/research/telecommunications-and-information-technology/privacy-protections-in-state-constitutions.aspx#:~:text=All%20people%20are%20by%20nature,safety%2C%20happiness%2C%20and%20privacy. (last visited Nov. 6, 2022).; Privacy Laws, State of California Department of Justice, https://oag.ca.gov/privacy/privacy-laws#:~:text=California%20Law%20%2D%20Constitutional%20Right%20to,to%20pursue%20and%20obtain%20%22privacy (last visited Oct. 16, 2022).
9 CAL. CIV. CODE §§ 1798.100–1798.199.100.
10 Peter P. Swire, DeBrae Kennedy-Mayo, U.S. Private-Sector Privacy, 79 (3d ed. 2020).
11 Governor signs California Age-Appropriate Design Code Act, International Association of Privacy Professionals (Sept. 16, 2022), https://iapp.org/news/a/newsom-signs-california-age-appropriate-design-code-act/#.
12Age Appropriate Design Code, Information Commissioner’s Office (Sept. 2, 2020) https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/.
13CAL. CIV. CODE §§ 1798.99.28–1798.99.40.; Governor Newsom Signs First-in-Nation Bill Protecting Children’s Online Data and Privacy, Office of Governor Gavin Newsom (Sept. 15, 2022), https://www.gov.ca.gov/2022/09/15/governor-newsom-signs-first-in-nation-bill-protecting-childrens-online-data-and-privacy/#:~:text=AB%202273%20prohibits%20companies%20that,children%20to%20provide%20personal%20information.
14Sophie Flay, California Legislators Passed a Bill with Hopes to Make the Digital World Safer for Children, ABC7 (Sept. 8, 2022), https://abc7.com/california-age-appropriate-design-code-act-social-media-privacy-law/12210394/#:~:text=%3E-,The%20California%20Age%20Appropriate%20Design%20Code%20Act%20would%20require%20social,bill%20through%20the%20state%20senate.
15 15 U.S.C. § 6501(10)(A).; CAL. CIV. CODE § 1798.99.30(b)(4).
16CAL. CIV. CODE § 1798.99.30(b)(4).
17 CAL. CIV. CODE § 1798.99.30(a).
18 CAL. CIV. CODE § 1798.140(d) (amending CAL. CIV. CODE § 1798.140(c)).
19 Id.
20 Id.
21 Id.; CAL. CIV. CODE § 1798.99.30(b)(4); 1798.99.31(a).
22 CAL. CIV. CODE §§ 1798.99.31(a)(1)–(10).
23 CAL. CIV. CODE §§ 1798.99.31(b)(1)–(8).
24 Id.
25 CAL. CIV. CODE §§ 1798.99.35(a)–(e).
26 CAL. CIV. CODE § 1798.99.35(d).
27CAL. CIV. CODE § 1798.99.35(a).
28 CAL. CIV. CODE § 1798.99.32.
29Joseph Duball, Biden’s State of the Union Remarks Put Children’s Privacy Front and Center, International Association of Privacy Professionals (Mar. 2, 2022), https://iapp.org/news/a/bidens-sotu-remarks-put-childrens-privacy-front-and-center/.
30CAL. CIV. CODE § 1798.99.29(a).; 15 U.S.C. § 6501(10)(A).
31CAL. CIV. CODE § 1798.99.30(b)(1).; 15 U.S.C. § 6501(1).
32Complying with COPPA: Frequently Asked Questions, Federal Trade Commission, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions (last visited Oct. 16, 2022).; Joseph Duball, California Age-Appropriate Design Code Final Passage Brings Mixed Reviews, International Association of Privacy Professionals (Aug. 31, 2022), https://iapp.org/news/a/california-age-appropriate-design-code-final-passage-brings-mixed-reviews/.
33Duball, supra note 32.
34CAL. CIV. CODE § 1798.99.31(a)(1).; Duball, supra note 32.
35 CAL. CIV. CODE §§ 1798.99.31(b)(7); 1798.140(l).15 15 U.S.C. § 6501(10)(A).; CAL. CIV. CODE § 1798.99.30(b)(4).
36Id.
37 CAL. CIV. CODE § 1798.99.30(b)(4).; TWiT Tech Podcast Network, California Age-Appropriate Design Code Passed, YouTube (Sept. 1, 2022), https://www.youtube.com/watch?v=AvpjSoFiu-g.
38 Duball, supra note 32.
39 CAL. CIV. CODE § 1798.99.31(a)(5).
40 Duball, supra note 32.
41 Emma Camp, A California Law Designed To Protect Children’s Digital Privacy Could Lead to Invasive Age Verification, Reason (Oct. 6, 2022, 4:18 PM), https://reason.com/2022/10/06/a-california-law-designed-to-protect-childrens-digital-privacy-could-lead-to-invasive-age-verification/.
42 Id.
43 Meghan Bobrowsky, California Gov. Gavin Newsom Signs Law Requiring Social Media Companies to Consider Children’s Health, Wall Street Journal (Sept. 15, 2022, 5:47 PM), https://www.wsj.com/articles/california-gov-gavin-newsom-signs-law-requiring-social-media-companies-to-consider-childrens-health-11663277455. CAL. CIV. CODE § 1798.140(d) (amending CAL. CIV. CODE § 1798.140(c)).
44 Adrian Ma & Darian Woods, The California Effect, NPR (Sept. 6, 2022, 8:47 PM), https://www.npr.org/2022/09/06/1121353515/the-california-effect.
45 Natasha Singer, Charting the ‘California Effect’ on Tech Regulation, N.Y. Times (Oct. 12, 2022), https://www.nytimes.com/2022/10/12/us/california-tech-regulation.html; New York Child Data Privacy And Protection Act, S.B. 9563 (N.Y. 2022), https://assembly.state.ny.us/leg/?default_fld=&leg_video=&bn=S09563&term=&Text=Y.