Other States Take Note: California State Assembly Passes AB 2273
The California Assembly recently passed comprehensive age-appropriate privacy legislation: the California Age-Appropriate Design Code Act, also known as AB 2273. If approved by Governor Newsom, the Act would require businesses that “provide online services, products, or features that are likely to be accessed by children” to increase their level of privacy and safety protections.
Modeled after the United Kingdom’s Age-Appropriate Design Code (also known as the Children’s Code), AB 2273 uses similar all-encompassing language when referring to services, products, or features that are “likely to be accessed by children.” This can cover a wide range of businesses: apps, online games, social media platforms, news or educational websites, and online marketplaces – just to name a few.
The bill aims to protect minors, with its requirements extending past the federal Children’s Online Privacy Protection Act, known as COPPA. If the California Governor signs the bill, the legislation would come into effect on July 1, 2024.
How Does AB 2273 Compare to COPPA?
COPPA is the federal law that restricts the collection of information from children under the age of 13 and sets requirements for websites that are targeted specifically at children. COPPA was passed by Congress in 1998 and came into effect in April 2000.
Snapshot of COPPA Requirements:
- Provide notice and gain parental consent before collecting information from children
- Have a “clear and comprehensive” privacy policy
- Keep any collected information confidential and secure
If approved, AB 2273 would be applicable to any child under the age of 18.
AB 2273 Requirements for Online Covered Businesses:
- Online covered businesses that are subject to the Act would need to complete a Data Protection Impact Assessment. The assessment must include:
  - The risk of harm from content, contacts, conduct, algorithms, and targeted advertising used;
  - Features that increase use, such as rewards, autoplay media, and notifications; and
  - The collection and processing of sensitive personal data
- Any identified risk(s) in the assessment will require a plan with deadlines to mitigate or eliminate risk before children access the product or service. The contents of the assessment must be provided to the California Attorney General within 5 business days of a written request.
- Configuration of all default privacy settings needs to offer a high level of privacy
- Privacy information, terms of service, policies, and community standards must be written “concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature”
- Create “prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns”
- If the service/product/feature allows tracking to monitor online activity or location, the child must receive an “obvious signal” that they are being monitored. The Act also prohibits the collection, selling, or sharing of any precise geolocation information by default unless strictly necessary (and only for the time necessary) for the business to provide the requested service, product, or feature
How Would AB 2273 Be Enforced?
The California Attorney General would have jurisdiction to enforce violations through civil action. Fines for violations could be detrimental, ranging from $2,500 per affected child for negligent violations, up to $7,500 per affected child for intentional violations.
The Act is receiving a mix of opposition and support, and it will be interesting to see which way the Governor leans with his decision.
California Continues to Lead the Nation in Consumer Privacy Protection
This won’t be the first or the last time that we could see California’s privacy legislation supersede federal regulation.
Earlier this month, Nancy Pelosi issued a statement on the American Data Privacy and Protection Act (ADPPA), relaying that she would not hold a vote on the bill in its current form.
She shared, “Governor Newsom, the California Privacy Protection Agency and top state leaders have pointed out the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California’s existing privacy laws. Proudly, California leads the nation not only in innovation, but also in consumer protection.”
Pelosi continued, “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians — and states must be allowed to address rapid changes in technology.”
When it comes to the federal privacy act, it’s a continued uphill battle. We will all be waiting to see if there will be a preemption compromise.
We’ve Said it Before, Consumer Privacy Laws Take the Front Seat in 2022
The privacy landscape is constantly evolving, just as the world around us advances with current technology. Legislators are playing catch-up when it comes to protecting online anonymity, as we saw multiple states pass new legislation this year alone.
And internationally, we recently witnessed the biggest GDPR fine served to Instagram for failing to protect children’s privacy – a whopping €405 million.
Fines and regulations are increasing. For businesses offering products and services globally, it’s a challenge and a burden to keep up with this changing landscape.
Luckily, there’s an intelligent solution to help navigate this rocky terrain. RadarFirst helps accelerate efficiency by mapping all current state, federal, and global breach laws through a patented algorithm that drives an automated risk assessment in a matter of seconds. No matter the complexities, your privacy team can rely on consistent and reliable breach decisioning, every time.