California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (the Act) into law last week. This new law will require those online service providers likely to be accessed by children under 18 years old to comply with heightened privacy requirements, including incorporating privacy-by-default and privacy-by-design into their products. The 18-year age threshold for defining a child online is several years higher than the federal standard set by the Children’s Online Privacy Protection Act, which protects data collected from online users under 13. The bulk of the new bill requires online service providers to complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children. The bill additionally prohibits businesses from using children’s data for any purpose other than the reason for which it was originally collected and requires them to prioritize children’s well-being over business considerations.

Notably, the Act requires businesses to declare whether their product, service, or algorithms could “harm” children without defining the scope of “harm.” At this point, the statute could be read to either require material harm or to treat violations as damage per se. It’s also unclear which group(s) would be responsible for clarifying these new rules and regulations. The Act establishes the California Children’s Data Protection Working Group to advise the Legislature on issues involving technology and child welfare, which will likely release policy statements. However, the Act vests enforcement power with the Attorney General, who may seek injunctions and fines of up to $2,500 for each negligent breach and $7,500 for each intentional breach. Finally, the Act’s findings declare that this law should be read in concert with the California Privacy Rights Act, which also established the California Privacy Protection Agency responsible for regulating and enforcing consumer privacy in the state. The California Age-Appropriate Design Code Act will take effect on July 1, 2024.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.

Blair Robinson

Blair Robinson has experience in data privacy and security, cybersecurity, information security governance, information technology (IT), and General Data Protection Regulation (GDPR).