California passes online child data protection act
Technology for Lawyers
Published: October 21, 2022
California Governor Gavin Newsom has signed the California Age-Appropriate Design Code Act (“CAADCA”; AB2273), a law intended to strengthen data privacy for minors. This law follows on the heels of California’s other data privacy laws, particularly the CCPA and the new AB 587, which requires sites to post moderation rules online.
A press release from the governor’s office said that the law will make sites “consider the best interest of child users and to default to privacy and safety settings that protect children’s mental and physical health and wellbeing.”
And, of course, I know we’re in Ohio and this is a California law, but a plethora of the companies that house the data of Ohio children are headquartered in California, and the law will apply to anyone who does any business in California, including any Ohio company that does so.
The law covers “any business… that provides an online service, product (etc.)”, specifically excluding land-based businesses. But there isn’t any business that doesn’t have a website, really. It covers any product specifically or reasonably aimed at children.
Covered businesses are required under the law to provide privacy-by-default settings, impact statements of a breach within five days, and standards to assess whether or not the product impacts children.
The California Attorney General’s office will enforce the law. There will be no private right of action or criminal penalties. Max fines range from $2,500 per child per incident to $7,500.
The law (of course) is getting a lot of pushback from various critics and litigious interest groups. You know the drill—some say it doesn’t go far enough; some say it goes too far. One certainly valid criticism is that the law does not take into consideration the amount of resources needed to conform to it, which might unfairly affect smaller companies. The industry group NetChoice, which has sued over these kinds of laws in other states, will probably file something in some court somewhere.
The CAADCA is slated to go into effect on July 1, 2024, which should give plenty of time for data companies to figure out how to comply with it and for the Cali AG to figure out how to enforce it.