Written by Robert H. Rotstein and James Berkley
On September 15, 2022, California Governor Gavin Newsom signed into law bill AB 2273, titled the “California Age-Appropriate Design Code Act” (“AADC”). With certain exceptions, the AADC requires all businesses providing “an online service, product, or feature likely to be accessed by children” to be in compliance with significant new legal obligations by July 1, 2024. “Children” under the AADC are defined as any “consumers” under the age of 18.
As enacted, a broad array of websites and other online products and services will become subject to the AADC, including those hosted and maintained in other states that have California users. The AADC defines an online service, product, or feature as being “likely to be accessed by children” if it is “reasonable to expect” that the service, product, or feature would be accessed by children. This test of “reasonable expectation” is based on a number of indicators. These indicators include: marketing or advertising to children; factual evidence or internal research showing routine access “by a significant number of children”; and “design elements that are known to be of interest to children,” including but not limited to “games, cartoons, music, and celebrities who appeal to children.”
The AADC requires businesses to take several measures, including most notably the following:
- “DPIAs”: A business introducing any new online service, product, or feature to the public “likely to be accessed by children” – or that continues to offer such a service, product, or feature already existing as of July 1, 2024 – will be required to complete and maintain a detailed “Data Protection Impact Assessment” (“DPIA”). This DPIA must address the potential effects or harm upon children, including plans to mitigate or eliminate any assessed risks before the service, product, or feature is accessed by children. Such DPIAs will need to be made available to the Attorney General of California upon request. For a preexisting service, product, or feature, a DPIA must be created on or before July 1, 2024.
- Age Estimation: Businesses will be required to estimate the age of child users with a “reasonable level of certainty,” or else to “apply the privacy and data protections afforded to children to all consumers.” This may require measures to obtain or estimate age information that most websites do not currently use, such as age verification tools.
- Language of Terms and Policies: Businesses will be required to “[p]rovide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.” This likely will require impacted websites to carefully review their existing policies and to either supplement or revise those policies to ensure that they are comprehensible to younger visitors or consumers.
- Monitoring/Tracking: Where an “online service, product, or feature allows the child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location,” the business will be required to “provide an obvious signal to the child when the child is being monitored or tracked.”
- Help to Children and Parents: Businesses will be required to “[p]rovide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns.”
- Non-Permitted Uses of a Child’s Personal Information: In addition to the requirements already imposed by federal law on certain online services pursuant to the Children’s Online Privacy Protection Act (“COPPA”) (applicable to websites and services that target users under the age of 13), under the AADC, an impacted business may not:
(a) use children’s personal information in a manner the business knows or has reason to know is materially detrimental to a child;
(b) apply default profiling to children’s personal information unless specific criteria apply;
(c) collect, sell, share, or retain children’s personal information beyond what is necessary, unless a compelling reason can be shown that doing so is in children’s best interest;
(d) collect, sell, share, or retain any precise geolocation information of children beyond what is strictly necessary for provision of the service, product, or feature, and only for the limited time necessary; and
(e) use personal information that estimates age or age range for any other purpose and for any time longer than necessary.
Websites and other online products, services, and features failing to comply with the AADC will be subject to civil actions brought in the name of the people of the State of California seeking an injunction and civil penalties of up to $7,500 per affected child for intentional violations, and up to $2,500 per affected child for negligent violations. However, where a business has substantially complied with threshold requirements of the Act including the DPIA process, the Attorney General must first provide notice and give the business a 90-day period to cure.
With the enactment of AB 2273, numerous questions are likely to arise regarding the AADC's applicability, its requirements, and the best practices for compliance. Legal challenges to the law on constitutional or other grounds are also a possibility from interests inside and outside of California. MSK will continue to monitor developments and will provide further updates as necessary.