The California Age-Appropriate Design Code Act Cybertraps 135

News Item – On August 29, 2022, the California Senate unanimously passed the Age-Appropriate Design Act. It previously received unanimous approval in the State Assembly

  • It is currently awaiting Gov. Gavin Newsom’s signature

  • People expect him to sign it but it could anger tech companies, who might then be less inclined to support a Newsom run for president in 2028

  • Earlier this summer, the legislature rejected a proposed bill called the Social Media Platform Duty to Children Act

  • It “would have allowed the state attorney general and local prosecutors to sue social media companies for knowingly incorporating features into their products that addicted children.”

  • The California law firm Akin Gump Strauss Hauer & Feld LLP (see resources) has an excellent summary article regarding the Age-Appropriate Design Act

  • The California Age-Appropriate Design Code Act is modeled after the United Kingdom’s Age Appropriate Design Code, which went into effect in September 2021

  • If signed, it will be the first piece of U.S. legislation “that imposes a number of novel restrictions and data protection obligations on businesses providing services to users under the age of 18, including:

  • requirements to conduct a data protection impact assessment before any new services are offered,

  • configure all default privacy settings to a high level of privacy (unless there are compelling reasons to suggest it is otherwise in the best interests of children), and

  • provide an obvious signal to the child when they are being monitored or tracked by their parent, guardian or another consumer.”

  • The bill prohibits businesses from:

  • profiling a child by default unless certain criteria are satisfied

  • using the personal information of any child in a way that is materially detrimental to their well-being and

  • using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected.

  • Motivations

  • Legislative and parental concern over impact of online services and products on children’s wellbeing

  • The desire to create safer online spaces for children

  • “The Act emphasizes that the best interests of the child should be taken into consideration by all businesses that develop and provide online services, products or features (“Services”) that children are likely to access and, in the event of a conflict between the businesses’ commercial interests and the best interests of children, the privacy and well-being of children must be prioritized.”

  • Key features of the Act:
    • It’s very broad in its application. Applies to online products and services “(i) specifically directed at children and (ii) that are “likely to be accessed” by children.”
    • Prior to any new Services being offered to the public which are likely to be accessed by children, the Act requires that the business complete a Data Protection Impact Assessment and maintain documentation of this assessment for as long as the Services are likely to be accessed by children.
    • Default privacy settings must be high
    • Business must provide clear, age-appropriate privacy information
    • There must be an “obvious sign” that a business or service is tracking a child’s activity or geolocation
    • Businesses are required to provide prominent and effective tools “to help children exercise their rights and report concerns.”
    • Restrictions on the use of collected data, including:
    • Cannot be used in any way that is “materially detrimental” to a child’s mental or physical health
    • Profiling only under limited circumstances
    • No use of “dark patterns,” i.e., design choices that trick a user into performing some unintended behavior
    • Businesses are required to estimate the age of child users “with a ‘reasonable’ level of certainty
    • The Act establishes the California Children’s Data Protection Working Group, aimed at developing best practices
    • Penalties
    • Negligent violations can result in civil penalties of up to $2,500 per affected child
    • Penalties for Intentional violations are $7,500 per affected child
    • Businesses in substantial compliance otherwise have 90 days to cure
    • No private right of action
  • National Relevance
    • As with so many other things, California is so large that the states rules and regulations have ripple effects around the country
  • Resources

– #2022–09–06 California Senate Approves Landmark California Age-Appropriate Design Code Act
“https://www.akingump.com/en/news-insights/california-senate-approves-landmark-california-age-appropriate-design-code-act.html”
– #2022–09–06 California lawmakers approve groundbreaking internet privacy law for kids
“https://www.ijpr.org/media-society/2022–09–06/california-lawmakers-approve-groundbreaking-internet-privacy-law-for-kids”
– #2022–09–01 Twit.tv Episode with Leo Laporte, Jeff Jarvis, Stacey Higginbotham, and Ant Pruitt, with guest Mike Masnick
“https://www.youtube.com/watch?v=AvpjSoFiu-g”
– #2022–08–25 Op-Ed: Regulate social media? California still has a plan for that
“https://www.latimes.com/opinion/story/2022–08–25/social-media-kids-safety-california”
– #2021–06–30 The [UK] Age Appropriate Design Code: A quick, practical guide for games businesses
“https://www.gamesindustry.biz/the-age-appropriate-design-code-a-quick-practical-guide-for-games-businesses”
– [n.d.] Introduction to the [UK] Age appropriate design code
“https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/”

Share this!

Leave Comment

Your email address will not be published. Required fields are marked *