CA’s Child Protection Website Law Will Have A Long Reach

A recently passed California law will dramatically expand a company’s obligations with regard to any of its online presence that is “likely to be accessed by children.” That turns out to be a big bucket, as defined in the “Age-Appropriate Design Code Act,” which was signed into law by Governor Gavin Newsom in September. It includes far more than is covered in the current federal framework as defined by the Children’s Online Privacy Protection Rule of 1998 (“COPPA”), explains a post from law firm Sidley Austin. For one thing, the CA law defines children as persons under 18 years old, rather than COPPA’s age 13. It also includes sites – social media, video communication and online – that are not specifically “directed” at children. The California law is similar in many respects to the UK’s “Age Appropriate Design Code,” and together, says the Sidley post, these laws “represent a significant shift in the regulatory landscape of children’s digital services.”

Factors to be considered in determining whether the online product or service is “likely to be accessed by children,” includes not only whether it is directed to children, but whether it’s routinely accessed by a significant number of children, and whether it includes design elements that are known to be of interest to children.

Businesses that intend to offer any new online product that fits that definition will have to submit a Data Protection Impact Assessment (“DPIA”), in which they must consider such questions as whether the design of the product could harm children, whether it could lead to them being targeted or exploited by potentially harmful online contacts, and whether algorithms used could harm children.

Penalties under the California law (which will not take effect until July of 2024) are serious, and  some will no doubt argue “draconian.” For a negligent violation, liability can be $2500, but that’s “per child affected.” For an intentional violation, it can be up to $7500 per child affected. However, the Sidley post notes, if a business is in substantial compliance with the law and its DPIA obligations, the law stipulates that before any fines are imposed the attorney general will provide written notice of the violations, and the company may have the opportunity to correct them without penalty.