California Age-Appropriate Design Code Act

The Ninth Circuit recently issued a decision partially lifting a broad preliminary injunction staying enforcement of the California Age-Appropriate Design Code Act (“CAADCA”). As a result, portions of the law are now in effect and create ongoing obligations for businesses that provide online services, products, or features “likely to be accessed by children.” Those provisions are described below.

By way of background, the California legislature in 2022 enacted the California Age-Appropriate Design Code Act (“CAADCA”), which established certain standards to protect children’s privacy online. Importantly, the law defined a child as anyone under 18 years old. This creates a separate age threshold from the CCPA, which imposes certain obligations for children under 13 and under 16 years old. Practically since the CAADCA was enacted, the law has faced legal challenges and has been preliminarily enjoined by courts, but as a result of the recent Ninth Circuit decision, the preliminary injunction as to the entire law has been lifted and portions of the law are now in effect.

Although litigation is ongoing and the implementation of the law continues to develop, the CAADCA imposes the following obligations for businesses:

Estimate the age of child users or apply a “high level” of privacy protection to all users;
Set privacy settings for children to the highest level by default;
Use age-appropriate language for privacy policies aimed at children;
Allow parents to monitor the child’s online activity and provide a signal to the child when being tracked;
Provide tools to help users exercise their privacy rights;
Minimize and limit the usage of personal information collected to estimate a child’s age; and
Not process a child’s precise geolocation by default or absent a signal that the geolocation is being collected.

There are also a number of provisions that are not in effect and remain subject to the Ninth Circuit’s preliminary injunction:

Businesses are not presently required to conduct Data Protection Impact Assessments (“DPIA”) for any product or service likely to be accessed or used by children. The Ninth Circuit held that this was a violation of First Amendment rights.
There are a number of prohibitions in the CAADCA on collecting or using children’s personal information (1) that the business knows “is materially detrimental to the physical health, mental health, or well-being of a child” or (2) absent a compelling reason that the collection or use “is in the best interests of children.” The Ninth Circuit held that the quoted language was unconstitutionally vague and those prohibitions are not enforceable.

In addition to the evolving legal landscape in California, other state legislatures have started drafting their own child privacy laws. Similar laws have been enacted in Arkansas, Colorado, Louisiana, Maryland, Mississippi, Montana, Nebraska, New York, Texas, Utah, and Vermont, although no two laws are the same. And while legal challenges have been raised with respect to many of these laws, the focus on children’s privacy rights remains clear. We expect these laws to be the focus of state regulators and privacy advocates for the foreseeable future.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Phillip Wiese at pwiese@coblentzlaw.com for further information or assistance.