Whilst the American Data Privacy and Protection Act (which intends to regulate how personal data is processed by US companies) is still being discussed and voted by the US Congress, the US data protection regulatory landscape has been under constant development, with five states having enacted comprehensive consumer data privacy laws, including California, Colorado, Connecticut, Utah, and Virginia.
With the aim of protecting children’s privacy rights in an increasingly digitalised world, California has recently unanimously passed the California Age-Appropriate Design Code Bill (Assembly Bill 2273). This was subsequently signed into law on 15th September 2022 and will enter into force on 1st of July 2024.
The newly approved legislation, which was inspired by the UK Age-Appropriate Design Code and is already in force in the UK – will expand the provisions and safeguards brought in by the California Consumer Privacy Act (CCPA). It will do this by creating child-friendly safeguards that will provide children and their parents/guardians with more transparency and control in relation to how children’s personal data is used. As well as this, it will ensure that other core data protection principles such as purpose limitation and data minimisation are adhered to.
In this article, we compare the California Age-Appropriate Design Code Act with the UK Age-Appropriate Design Code, an exercise that is particularly interesting for businesses aiming to target children with their digital products, services, or goods on a global scale. That said, the California Code does not only apply to businesses targeting children. It has a much wider scope than this, as set out below.
Scope and application
The California Code applies to businesses that provide online services, features, or products likely to be accessed by children age 17 or under, as long as they also fit into the CCPA criteria: i.e businesses based inside or outside California that have a gross annual revenue of over $25million, or that commercially buy, receive, sell or share the personal information of 50,000 or more Californian residents, households, or devices, or that derive more than 50% of their annual revenue from sharing the personal information of Californian residents.
The UK Code, on the other hand, applies to all companies, UK-based or not, that provide online services, features, or products likely to be accessed by children under 18, regardless of their gross revenue or volume of personal data processed.
In practical terms, both the California and the UK Codes impose requirements on businesses that offer services, features or products to children such as apps, connected toys, programs, search engines, social media platforms, messaging applications, online marketplaces, streaming channels, online games, and news or educational websites.
Standards of Age-Appropriate Design: DPIAs
With the best interests of the child adopted as a primary consideration and guiding principle, both California and the UK Codes establish similar standards and requirements for designing digital platforms, products, and services that could be accessed by children.
For instance, both Codes provide that businesses must carry out a Data Protection Impact Assessment (DPIA) before any online service, products, or features are offered or made available to children. The DPIA will help the organisation to identify, assess and mitigate any risks to the rights and freedoms of children, including taking into consideration how children of different ages could be negatively impacted by the data processing activity. This will include not only compliance and data protection risks but also possible broader social, material, physical or social harms that may arise, such as sexual harassment or exploitation, social anxiety, self-esteem issues, bullying or peer pressure, access to harmful or inappropriate content, unhealthy or risky behaviours, attention deficit disorders, excessive screen time, economic exploitation and physical or cognitive development issues.
The California Code also makes it mandatory for businesses to disclose their DPIAs to the State Attorney General, upon the authority’s request, within five business days, and keep the DPIAs under review at least on a biennial basis, for as long as the processing activity is taking place.
In all cases and under both Codes, businesses must adopt sufficient controls and protections to reduce, eliminate or mitigate the identified risks, for example, by adopting technical adjustments on how the product and service are advertised, presented and configured, by adopting parental controls, by avoiding relying on nudging or misleading digital design, or by providing children and their parents with more information and control about how personal data is being processed.
Standards of Age-Appropriate Design: Transparency
Both the California and UK Codes require businesses to be transparent about their data protection practices and create comprehensive and children-friendly privacy notices, written in simple and educative language, and displayed where children can easily read them, including by relying on just-in-time popups, which allows children to understand how their personal data is being processed, for what purposes, and what their choices are.
Companies must also make sure that parents and guardians are well informed about how their children’s data is processed and how they can monitor and control usage they believe is not appropriate, for instance, through parental controls and a communication channel where they can exercise their child’s data subject rights on their behalf.
Standards of Age-Appropriate Design: data protection by design and default
Many children accept whatever default settings are provided and do not change their privacy settings, due to a lack of understanding and interest in data protection matters.
Importantly, both the California and UK Codes require businesses to design their products, platforms, and services by taking into consideration how children will behave, navigate, and interact with the features of the platform, website, or app.
In practical terms, the regulations require that all digital platforms, products, and services be offered to children with the highest standards of data protection controls already configured by default, including by disabling features that track children’s location through GPS, and profile or monitor children through using their previous online behaviour, browsing history, assumptions, and comparison with other children’s behaviour.
Additionally, digital platforms must be visually designed to be easy for children to use and navigate through preference and functionalities pages, buttons, and icons, allowing them to have a better user experience whilst mitigating the risks to their privacy rights and allowing more control of their personal data.
Fines and penalties
Companies should be aware that the California Age-Appropriate Design Code authorises the Attorney General to seek an injunction or civil penalty against any business that violates the code, meaning violators can receive fines of up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation.
A breach of the UK Code can also result in serious penalties if such a breach constitutes a breach of the UK GDPR. In such circumstances, fines can be imposed of up to £17.5 million or 4% of the total annual worldwide turnover of a business in the preceding financial year, whichever is higher. The Information Commissioner’s Office (ICO) can also impose other sanctions, such as warnings, reprimands, enforcement notices and orders prohibiting the processing of data, which certainly would cause major operational impacts for any digital businesses affected.
Social media and tech companies are constantly under the spotlight of regulators regarding non-compliance and have started adopting additional safeguards for children with a view to avoiding an enforcement action.
For example, TikTok was recently fined by the Dutch Data Protection Authority for violating the privacy rights of Dutch children by failing to provide them with a privacy notice in their native language. The privacy notice was only available in English and, therefore, may not have been easily understood by the child users. This resulted in modifications being adopted by TikTok.
The ICO has also prompted changes adopted by social media platforms, gaming websites and video streaming services like YouTube, Facebook, Instagram, Google, and Nintendo. Measures adopted by the companies include banning targeted and personalised ads for children, imposing strict privacy-by-default settings, blocking adults from messaging children directly and turning off notifications at bedtime.
Therefore, whilst the California Age-Appropriate Design Code is not structured into 15 distinct standards like its UK counterpart, its content is, nonetheless, strikingly similar.
If you need help understanding and mitigating the risks your products or services may bring to children, or simply want to discuss how you could approach child-friendly data protection design in accordance with the applicable regulations and codes of practice, then please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.
"*" indicates required fields