Update: Governor Newsom signed the California Age-Appropriate Design Code Act into law on September 14, 2022 and signed the Student Test Taker Privacy Protection Act into law on September 28, 2022.
California’s legislature adjourned for the year on August 31, 2022, after passing two notable children’s privacy bills: the California Age-Appropriate Design Code Act and the Student Test Taker Privacy Protection Act, both of which now await the governor’s signature.
California Age-Appropriate Design Code Act
Modeled on similar legislation adopted in the United Kingdom, the California Age-Appropriate Design Code Act is a sweeping children’s privacy and online safety law that both chambers of the legislature passed unanimously. It would apply to any business “that provides an online service, product, or feature likely to be accessed by children” and defines a child as a consumer under 18 years of age, diverging from the ages of children protected by the Children’s Online Privacy Protection Act (13 years of age) and the California Consumer Privacy Act (16 years of age).
Effective July 1, 2024, businesses governed by the age-appropriate design code would be required to:
- Complete and maintain documentation of a data protection impact assessment (DPIA) for any online service, product or feature likely to be accessed by children and offered to the public.
- Document risk of material detriment to children arising from practices identified in the DPIA and create a timed plan to eliminate or mitigate the risk.
- Provide to the California attorney general a list of DPIAs completed within three businesses days of its request and access to the DPIAs within five business days of its request.
- Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or extend to all consumers the privacy and data protections afforded to children.
- Configure default privacy settings to offer a high level of privacy by default, absent a compelling reason why a different setting is in the best interest of children.
- Enforce and use clear language suited to the age of children in privacy policies, terms of service and community standards.
- Provide an obvious signal to children when they are being monitored or tracked by parents, guardians or others.
- Provide prominent tools to help children exercise their privacy rights and report concerns.
In addition, businesses would be prohibited from:
- Using personal information of children in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health or well-being.
- Profiling by default unless certain criteria are met.
- Collecting, selling, sharing or retaining any personal information of a child that is not necessary to provide an online service, product or feature with which a child is actively and knowingly engaged, or for any reason other than the reason for which the personal information was collected, unless certain criteria are met.
- Collecting precise geolocation information of children by default, with certain exceptions, or without providing an obvious sign to the child that it is being collected.
- Using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to allow an online service, product or feature to forego privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health or well-being.
- Using any personal information collected to estimate age or age range for any other purpose or retain that personal information longer than necessary to estimate age.
The bill explicitly precludes a private right of action and gives the California attorney general power to enforce the law and adopt regulations to clarify its requirements. The attorney general may impose civil fines for violations of up to $2,500 per affected child or $7,500 for intentional violations if the violation is not cured within a 90-day cure period. The bill would also create a 10-person Children’s Data Protection Taskforce to assist with implementing the law.
Student Test Taker Privacy Protection Act
To address privacy concerns posed by the widespread adoption of online exam proctoring services during the COVID-19 pandemic, Senate Bill 1172, the Student Test Taker Privacy Protection Act, would prohibit businesses providing proctoring services in an educational setting from collecting, retaining, using or disclosing personal information except to the extent strictly necessary to provide those proctoring services or in other specified instances (such as to comply with law, a subpoena or a regulatory inquiry). Proctoring services include, but are not limited to, any services offered by a business to observe, monitor or administer an exam. While the bill aims to protect the privacy of all test takers and not only children, its stated policy objectives include supplementing existing K-12 privacy laws. If signed by the governor, the law will take effect on January 1, 2023.