Public concerns over data privacy are at an all-time high in the United States — and they’re especially acute when it comes to protecting children. In response, California has recently passed a new law called the California Age-Appropriate Design Code Act (CA AADC), which will require any website used by children to implement stricter privacy measures.
Read on to find out if this will impact your business and how to prepare.
What is the CA AADC?
The CA AADC is a law geared toward tech companies that provide online services likely to be accessed by children under age 18, such as Meta’s Instagram and Google’s YouTube. This age limit is one of the biggest differences from the 1998 Children’s Online Privacy Protection Act (COPPA), which only covered minors under age 13.
The law takes effect on July 1, 2024. Companies that fall under CA AADC’s jurisdiction must follow new age-appropriate design code principles, such as limiting the use of manipulative algorithms that push kids into spending hours online and blocking other users from sending private messages to minors.
Companies must also complete Data Protection Impact Assessments (DPIAs) before offering any new online services, products, or features that are likely to be accessed by children. Once completed, DPIAs must be reviewed every two years, and the state Attorney General can require a business to provide copies of the DPIAs.
These regulations prohibit businesses from collecting, selling, sharing, or retaining personal information of children under 18 that is not necessary to provide the online service, function, or feature unless the business can demonstrate a compelling reason that doing so is in the best interest of the child. Geolocation data is subject to even stricter standards. This is a significant departure from COPPA, which allowed companies to collect children’s data with parental consent and after providing notice.
Companies that fail to comply with these regulations could face fines of up to $2,500 for every affected child if the violation was due to negligence, and $7,500 per impacted child if the violation was willful.
These penalties reflect CA AADC’s explicit direction for businesses to “prioritize the privacy, safety, and well-being of children over commercial interests,” though companies that are in substantial compliance with key aspects of the law will receive a 90-day cure period to fix violations after receiving notice from the Attorney General’s office.
Who does the CA AADC apply to?
The CA AADC applies to any online business that meets the definition of a “business” under the California Consumer Privacy Act (CCPA) and that provides online products, services, or features “likely to be accessed” by children. If any of the following six indicators are true of the online service, product, or feature, there is a high probability that it’s likely to be accessed by children:
- Direction toward children as defined by the Children’s Online Privacy Protection Act.
- Routine access by a significant number of children.
- Advertisements marketed to children.
- Substantial similarity to an online service, product, or feature routinely accessed by a significant number of children.
- Design elements that are known to be of interest to children.
- The audience contains a significant percentage of children.
If your business offers services including games, music, TV and movie streaming services, pop culture content, social media, voice assistants, or news, it’s likely that a significant number of children and teenagers access your site, and the AADC may apply to you. Companies selling only age-restricted products, such as alcohol and tobacco, are less likely to be affected.
Though the CA AADC only applies to California businesses, several other states have introduced similar legislation. The Protecting Kids on Social Media Act, a bipartisan bill, was introduced in the Senate in April 2023, adding another layer of potential compliance complexity if passed.
How can businesses prepare for CA AADC?
There are several steps businesses can take to prepare for when California AADC comes into effect in July 2024:
1. Conduct internal research
Go over your privacy policy and design elements and make a list of what will need to change under CA AADC. Consider how many of your current users are under the age of 18, and how much of your business will need to shift to prioritize their data privacy and protection.
2. Begin preparing a Data Protection Impact Assessment (DPIA)
If CA AADC applies to you, you must prepare a DPIA for each affected service, product, or feature, and you must review the DPIA every two years. The California Attorney General can request DPIAs from your company at any time.
DPIAs look at several things: the purpose of the data you’re processing, the categories of data you process, any risks that might arise from this processing, and how you plan to mitigate or eliminate those risks before children can access your service.
3. Start considering age verification
Specific age verification techniques are not strictly required under CA AADC, but you may want to begin verifying users’ ages to separate children’s experiences from those of adults over 18 as a precaution. For instance, CA AADC requires covered businesses to “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business….” Some advocates suggest the following age groups for determining privacy standards, based on similar privacy laws in the UK: 0-5, 6-9, 10-12, 13-15, and 16-17.
The CA AADC & age verification
Digital age verification comes in many forms, all with varying levels of effectiveness. The most common are:
- Age gating: A simple opt-in that asks users to verify their birth date. It’s easy to use, but also easy for children to circumvent by giving a false answer.
- Automated age verification: The best solutions enable reliable age verification to occur in just a matter of seconds, so that users’ privacy and data are kept safe while they gain access to age-appropriate products, content, and services.
Age verification through Persona
Persona’s automated identity verification system streamlines this process by leveraging several technologies: machine learning, computer vision, and automated algorithmic checks. This can take the form of clearing government-issued IDs, checking a selfie for liveness, or cross-referencing information from other databases.
And the best part? Persona’s no-code verification system can be embedded straight into your web pages, enabling customers to verify themselves without ever leaving your brand’s experience.
While California AADC doesn’t come into effect for a year, it’s essential that businesses prepare now, as it will affect many companies. If you haven’t already, it’s time to start enhancing your privacy and data collection policies and considering how they might need to change to comply with AADC.
Want to learn more? Read about how Lime uses Persona for age verification to prevent underage riding in more than 250 global cities and get a free custom demo of Persona’s automated age verification system to better prepare your business for CA AADC.