October is known as the start of autumn and the month of Halloween— ever popular among children for parties and ‘trick or treating’. Retailers around the world typically use this, and the subsequent festive season, to market and advertise products, including costumes and toys appealing to children.
On 15th September 2022, in time for the run-up to Halloween, the Governor of California, Gavin Newson, signed the California Age-Appropriate Design Code Act (‘the Children’s Code’) into law, although it will not take effect until 1st July 2024. The Children’s Code expands the state’s protection around online transparency and consent requirements for children and imposes limitations on spooky activities such as profiling. This article explores the aim of this legislation and its new protections for children’s rights in the state.
What frights is a children’s privacy law aiming to prevent?
Readers may already be familiar with California’s comprehensive, UK GDPR-style data protection law, the Californian Consumer Privacy Act (CCPA), which was introduced in 2018. Whilst laws such as the CCPA and UK GDPR provide consumers with a general level of data protection, regulators around the world have considered that particularly haunting areas of data processing necessitate further guidance and regulation.
One scary area has been the collection and processing of children’s data online, given the sensitivity and susceptibility of young people to the ghoulish effects of online advertising and other web-based tricks. This is why the CCPA and UK GDPR require specific language and notice for children’s data processing, and parental consent where the data of children below the age of 13 is processed online or ‘sold’ respectively. The UK also introduced its Age-Appropriate Design Code in September 2020, which includes a feast of treats for young people, including requirements for transparency tailored to children of different ages and technical measures to allow parents to give their consent and validate their identity.
Aiming to maintain privacy standards with those of the Europeans, the Californian legislative assembly developed a bipartisan code based on the UK’s model. In particular, the new Children’s Code is filled with goodies for kids, including:
- Default privacy settings must be configured to offer a high level of privacy for children (such as by ensuring that geolocation and other fiendish features are turned off on children’s apps)
- Requiring Data Protection Impact Assessments (DPIAs) to be conducted before online products are launched, to help assess and prevent against any ghoulish tricks before they occur
- A transparency jack-o-lantern should be shone on any data collection, including a child-specific privacy policy, and ‘prominent, accessible and responsive’ tools to avoid the chance of children being presented with nightmarish scares
- Organisations must either apply privacy controls (such as transparency or default settings related to age or consent) to all online users, or to estimate ‘with a reasonable level of certainty’ the age of website visitors and selectively apply privacy controls to evade the wrath of regulators
- Avoid profiling children online, unless a business can demonstrate it has appropriate safeguards for children, and either i) the profiling is necessary for the product or treat as requested by a child, or ii) there is a compelling reason for it being in the interests of children, absent any unnecessary eeriness.
What spooks are in store for organisations?
The Children’s Code is likely to cover many online businesses in California. It uses a lower threshold than other laws, where it applies to online services ‘likely to be used’ by children, compared to the narrower standards of needing ‘actual knowledge’ that websites are directed at children, under the CCPA and federal Children’s Online Privacy Protection Act (COPPA) legislation. This would apply where a product, advertisement or other mysterious activity is likely to appeal to children (such as through the inclusion of cartoons, monsters or graphics), or where a significant part of the audience composition is likely to be children. In the latter case, it remains to be seen how and whether organisations will be required to actively monitor their user base.
The law’s impact is likely to be minimised for organisations that have already aligned with both COPPA and the CCPA, or with the UK’s children’s code. However, compliance with the Children’s Code will send many shivers down the spines of organisations, including:
- With the requirement for DPIAs, organisations will need to prepare their Compliance, IT and Product teams to examine any potential horrors for individuals from a privacy and security perspective and sweeties that can be introduced as risk mitigations
- The Code’s regulations requiring an estimation of a child’s age will be a notable scare, due to the fact that methods of age verification are either open to fiendish manipulation (e.g., those that rely on birth date self-declaration) or involve more data collection (such as tools that rely on ID document upload)
- The limitation on online profiling will be a horrifying chill for online advertising conducted by retailers, online games developers and others. To demonstrate the ‘compelling interests’ standard, organisations will likely require a detailed DPIA looking at the scope of the advertising, or avoid targeting advertisements at children entirely.
Taken as a whole, the Children’s Code is likely to further protect children from beasts such as unwanted advertising and other data-related horrors online. Given that particularly fiendish violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and $7,500 for each intentional violation, compliance with the Code is paramount for retailers and games developers indulging in spooky activities. Although it may not come in time for this Halloween, young Californians can look forward to less privacy invasive ‘tricks’ from online businesses in the future!