Earlier this month, the world witnessed another win for the protection of children’s personal information in the online world. On the 15th of September 2022, California’s Age-Appropriate Design Code Act was passed and signed by Governor Newsom.

What this means for companies with online products and services

The Act imposes new requirements on organisations that offer online services, products, or features that are likely to be accessed by children (people under 18) and covers a number of interesting developing topics, including:

  • Age estimation: the age of child users must be estimated with a reasonable level of certainty.
  • Disclosures: proper privacy disclosures must be provided prominently and in clear language, suitable for children.
  • Geolocation: companies cannot collect, sell, or share children’s precise geolocation by default unless it is strictly necessary to provide the service, product, or feature. Even so, the collection must be for a limited time and necessary for that purpose.
  • Monitoring signals: companies must provide obvious signals to the children if their parents or guardians can monitor the child’s online activity or location.
  • Dark patterns: companies are not allowed to use these as they would encourage minors to give away personal information that is unnecessary to the service, product, or feature.
  • Exercising rights: perhaps most importantly, companies must provide prominent and accessible tools to help children and parents or guardians exercise their privacy rights.

Timeline to comply (and penalties for non-compliance)

Another interesting obligation imposed by the Act is the completion of data protection impact assessments (DPIA). Organisations that are subject to the Act must complete a DPIA before 1 July 2024. If not, organisations must complete one before any new online features, products or services likely to be accessed by children can form part of their offerings. Upon written request, the DPIA must be provided to California Attorney General within five business days.

The Act will be effective from 1 July 2024. It covers unique concepts related to children’s data protection that have not yet been seen in the US. This will bring significant change in regulating technology where minors are concerned. The UK’s Information Commissioner’s code of practice for age-appropriate design gave rise to this Act and it will be interesting to see which countries follow suit. Because of the Act, organisations will need to give extra attention to design, legal, privacy and policy to ensure that they comply with the new requirements. If companies violate the Act, they could face penalties of $2,500 per child for negligent violations and up to $7,500 per child for intentional violations.

Actions you can take:

  • You can dive into the details of the Act by reading the full text.
  • Keep up to date with child privacy laws and regulations by joining our data protection programme. We summarise the key learnings we come across and update the programme frequently.
  • Contact us for any further help on processing child personal information, we are keen to help you.

This post was written by Michelle Jonker and Thabile Themba