EDPS issues opinion on draft smart metering regulation

View All

Case Studies

NHS Digital Commercial Strategy Case Study

View All

Upcoming Events



View All


Trick or treat? California enacts Age-Appropriate Design Code

27th Oct, 2022

October is known as the start of autumn and the month of Halloween — ever popular among children for parties and ‘trick or treating’. Retailers around the world typically use this, and the subsequent festive season, to market and advertise products, including costumes and toys appealing to children.

On 15th September 2022, in time for the run-up to Halloween, the Governor of California, Gavin Newson, signed the California Age-Appropriate Design Code Act (‘the Children’s Code’) into law, although it will not take effect until 1st July 2024. This law expands the state’s protection around online transparency and consent requirements for children and imposes limitations on spooky activities such as profiling. This article explores the aim of this legislation and its new protections for children’s rights in the state.

What nightmares are the children’s privacy law aiming to thwart?

Readers may already be familiar with California’s comprehensive, GDPR-style data protection law introduced in 2018, known as the Californian Consumer Privacy Act (CCPA). Whilst laws such as the CCPA and GDPR provide consumers with a general level of data protection, regulators around the world have considered that particularly haunting areas of data processing necessitate further guidance and regulation.

Given the sensitivity and susceptibility of young people to the ghoulish effects of online advertising and other web-based tricks, one particularly scary area has been the collection and processing of children’s data online. This is why the CCPA and GDPR require specific language and notice for children’s data processing, and parental consent where the data of children below the age of 13 is processed online or ‘sold’ respectively.

Aiming to maintain privacy standards with similar initiatives in European countries, the Californian legislative assembly has developed a bipartisan code covering the processing of children’s data. In particular, the new Children’s Code is filled with goodies for kids, including:

  • Configure default privacy settings to offer a high level of privacy for children (such as by ensuring that geolocation and other fiendish features are turned off on children’s apps)
  • Require Data Protection Impact Assessments (DPIAs) to be conducted before online products are launched, to help assess and prevent against any ghoulish tricks before they occur
  • Shine a transparency jack-o-lantern on any data collection, including a child-specific privacy policy, and ‘prominent, accessible and responsive’ tools to avoid the chance of children being presented with nightmarish scares
  • Apply privacy controls (such as transparency or default settings related to age or consent) to all online users, or estimate ‘with a reasonable level of certainty’ the age of website visitors and selectively apply privacy controls to evade the wrath of regulators
  • Avoid profiling children online, unless a business can demonstrate it has appropriate safeguards for children, and either i) the profiling is necessary for the product or treat as requested by a child, or ii) there is a compelling reason for it being in the interests of children, absent any unnecessary eeriness.

What tricks and treats are in store for organisations?

Many online businesses in California are likely to be covered by The Children’s Code. It uses a lower threshold than other laws, applying mainly to online services that are likely to be used by children, compared to the narrower standards of needing ‘actual knowledge’ that websites are directed at children, under the CCPA and federal Children’s Online Privacy Protection Act (COPPA) legislation. This would apply where a product, advertisement or other mysterious activity is likely to appeal to children (such as through the inclusion of cartoons, monsters or graphics), or where a significant part of the audience composition is likely to be children. It remains to be seen how and whether organisations will be required to actively monitor their user base in the latter case.

The law’s impact is likely to be minimised for organisations that have already aligned with both COPPA and the CCPA. However, compliance with the Children’s Code will send many shivers down the spines of organisations, including:

  • With the requirement for DPIAs, organisations will need to prepare their Compliance, IT and Product teams to examine any potential horrors for individuals from a privacy and security perspective and sweeties that can be introduced as risk mitigations
  • Requiring an estimation of a child’s age to adhere to the Code’s regulations will be a notable scare. Methods of age verification are either open to fiendish manipulation (e.g., those that rely on birth date self-declaration) or involve more data collection (such as tools that rely on ID document upload)
  • The limitation on online profiling will be a horrifying chill for advertising conducted by retailers, games developers and others operating online. To demonstrate the ‘compelling interests’ standard, organisations will likely require a detailed DPIA looking at the scope of the advertising, or avoid targeting advertisements at children entirely.

Ultimately, the Children’s Code is likely to further protect children from unwanted advertising and other data-related beasts and horrors online. Given that particularly fiendish violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and $7,500 for each intentional violation, compliance with the Code is paramount for retailers and games developers indulging in spooky activities. Although it may not come in time for this Halloween, young Californians can look forward to less privacy invasive ‘tricks’ from online businesses in the future!


Kaveh Cope-Lahooti

Principal Consultant - Data Protection

Read Bio