Although you are likely breathing a sigh of relief after just finishing compliance efforts for the California Privacy Rights Act (“CPRA”), don’t relax just yet. California has another new privacy law going into effect on July 1, 2024: The California Age-Appropriate Design Code Act (“CAADCA”). The new law is aimed at enhancing privacy, data, and safety protections for children and teens who use online platforms. Businesses subject to the CPRA should review the requirements of CAADCA closely to determine how their data protection measures should be updated, as the new law expands upon existing laws geared towards minors, such as California’s Parent’s Accountability and Child Protection Act and the federal Children’s Online Privacy Protection Act (“COPPA”).
CAADCA defines “business” the same way as CPRA. But, CAADCA only applies to businesses that provide online services, products, or features that are “likely to be accessed by children” who are under age 18. Still, this is a very broad scope, and much broader, for example, than COPPA, which is limited to operators of websites “directed to children” under 13, or with “actual knowledge” that a website is collecting personal information of children under 13. CAADCA therefore expands both the age range (by 5 years) and the types of businesses and websites subject to regulation, since many online services, products, or features may be “likely to be accessed by children” under 18 even if they are not specifically directed at children or with actual knowledge of access by children. Whether a website is “likely to be accessed by children” will be determined based on various factors, including whether it is directed to children, routinely accessed by a significant number of children, has advertisements marketed to children, has design elements that are known to be of interest to children (i.e., games, cartoons, music, and celebrities who appeal to children), and has a significant audience that is determined to be children.
CAADCA requires covered businesses to implement the following affirmative actions:
CAADCA also prohibits covered businesses from engaging in the following actions:
There is no private right of action under CAADCA, but the law authorizes the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The Attorney General can hold violators liable for a civil penalty of up to $7,500 per affected child. The new law gives companies an opportunity to cure any alleged violation within 90 days so that they can avoid these penalties.
While CAADCA does not go into effect until July 1, 2024, it is vital that California businesses take steps to ensure their compliance with the new law in advance of the effective date. These steps may include the following:
Please contact the Coblentz Privacy Team with any questions about CAADCA or other privacy issues.
To view a PDF version of this article, please click here.
 The CPRA defines a “business” as any for-profit entity operating in California that collects personal information of California residents and satisfies one of three requirements: (i) the company has annual gross revenues of more than $25 million; (ii) the company buys, sells, or shares personal information of at least 100,000 California residents; or (iii) the company derives at least 50% of its annual revenues from selling or sharing California residents’ personal information.