December 1, 2022

Volume XII, Number 335

Advertisement

December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

Impact on Companies of California’s Children’s Privacy Law – Effective 2024

The California governor recently signed into law the California Age-Appropriate Design Code Act, which will go into effect July 1, 2024. The law applies to “businesses” (as defined by CCPA) that provide online services or features “likely to be accessed by children.” To understand if the product or service is likely to be accessed by children, companies should look at factors like audience composition, if there are child-directed ads, or elements known to be of interest to children. Children are those who are under 18 (as opposed to the federal Children’s Online Privacy Protection Act, applicable to collection of personal information of those under 13).

Unlike COPPA, the law is not focused on parental consent. Its prohibitions and requirements are much broader. By way of example, the law prohibits companies from several activities, including:

  1. Using information in a way that harms children

  2. Profiling children (subject to certain exceptions)

  3. Collecting or using children’s precise geo-location information (again, subject to some exceptions)

  4. Use “dark patterns” to get children to provide too much information or engage in activities detrimental to their health or well-being

The law contains data minimization provisions, and will require entities to conduct a data protection impact assessment before launching a product or service “likely to be accessed” by children. That assessment needs to examine whether the product or service will be “harmful” to children or could exploit children, among other things. These assessments must be made available to the Attorney General upon request. The law calls for a working group to provide a report on (among other things) how to best protect children, which report will be provided on January 1, 2024 and every two years thereafter until January 2030.

Putting It Into Practice: Companies who are subject to CCPA can take two steps now to begin preparing for this law. First, begin to assess if their sites are likely to be accessed by those under 18. If so, then second, companies can look to the laws data protection impact assessment requirements, and begin now in thinking through how they would conduct such an assessment for their online products and services.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 271
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement
Advertisement