California recently enacted the California Age-Appropriate Design Code Act (“AADA”) with the intent of curbing online and social media risks to children. See the NYTimes media report here and see here for the text of the AADA. As noted in the media report, some of the problems that are intended to be addressed by the AADA include the following:
- Tools used by gaming, internet, and social media platforms (“recommendations,” find-a-friend tools, audible notices, and the like) that can cause users to exhibit addictive behavior, which is particularly problematic for children
- Internet platform designs that allow third parties to determine a person’s exact physical location — very problematic with respect to children
- Designs that allow unregulated and unsupervised access to children — like allowing third-party strangers to direct message a child
- Lack of protections and firewalls that prevent children from receiving destructive images and content — such as explicitly sexual images or images of self-harm
- Use of default settings that minimize privacy and protections for children
The AADA becomes operative on July 1, 2024. Businesses should begin preparing now, however, because one obligation must be COMPLETED, not merely started, by that date. The AADA requires businesses to prepare what it terms “Data Protection Impact Assessments” (“DPIAs”) for “any online service, product, or feature likely to be accessed by children.” For existing online services, products, or features likely to be accessed by children, all DPIAs are due by July 1, 2024, and a DPIA for any new service, product, or feature must be completed before it is offered to the public. DPIAs must be reviewed every two years. Note also that, on written request, a business must give the California Attorney General a list of all DPIAs it has completed within three business days, and must make copies of any DPIA available within five business days.
What is Required for DPIAs?
The AADA has a long list of requirements for what must be contained in a DPIA. Generally, a DPIA must “identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business.” More specifically, a DPIA shall address the following: whether the design of the online product, service, or feature
- Could harm children, including by exposing children to harmful, or potentially harmful, content
- Could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts
- Could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct
- Could allow children to be a party to or exploited by a harmful, or potentially harmful, contact
In addition, a DPIA must address the following:
- Whether algorithms used by the online product, service, or feature could harm children
- Whether targeted advertising systems used by the online product, service, or feature could harm children
- Whether and how the online product, service, or feature uses system design features to increase, sustain, or extend the use of the online product, service, or feature by children, including the automatic playing of media, rewards for time spent, and notifications
- Whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children
Other Affirmative Requirements of the AADA
In addition to requiring DPIAs, the AADA has a long list of prohibited practices and mandatory requirements, including the following:
- A business cannot use the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.
- Cannot profile a child by default unless appropriate safeguards are in place to protect children and, in addition, either the profiling is necessary to provide the online service, product, or feature with which the child is actively and knowingly engaged, or the business can demonstrate a compelling reason that profiling is in the best interests of children
- Cannot collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged
- Cannot collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary
- Cannot collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.
- Cannot use dark patterns (a term the AADA does not define itself but takes from the CCPA definition in Civil Code section 1798.140) to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature, to forego privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health, or well-being
- Must configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children
- Must provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to be accessing the service, product, or feature
- Must provide an obvious signal to the child when the child is being monitored or tracked by the child’s parent, guardian, or any other consumer
- Must provide prominent, accessible, and responsive tools to help children (or their parents or guardians) exercise their privacy rights and report concerns