The California Age-Appropriate Design Code Act: Explained

Signed just this month, the California Age-Appropriate Design Code Act (“ADCA”) places responsibilities on businesses that provide a product or service likely to be accessed by children. The law will be adopted on July 1, 2024, placing new obligations that Trust & Safety teams should begin preparing for now. ActiveFence spoke with Michal Brand - Gold, our General Counsel VP, to understand who the act will apply to, what the obligations are, and how companies can prepare.

What is the purpose of the ADCA?

The ADCA seeks to protect children’s data. Specifically, the act aims to mitigate the following risks:

• The influence of a product’s design on the well-being and safety of children
• Children accessing products that are inappropriate for their age and development
• Collection of children’s personal information without parental consent
• Profiling children to offer detrimental material
• The vulnerability of children to the abuse of their privacy rights

Which platforms will be impacted?

The ADCA will apply to businesses that provide an online service, product, or feature likely to be accessed by children in California. These companies:

• Collect consumer’s personal information
• Operate for financial profit
• Conduct business in the State of California and meet one of the following three thresholds:
  1. Had a granular gross revenue of over $25M in the previous calendar year
  2. Buy, sell, or share personal information for cross-context behavioral advertising of 100,000 or more consumers or households.
  3. Derive 50% or more of annual revenue from selling or sharing consumers’ personal information for behavioral advertising

A Q&A With ActiveFence VP General Counsel, Michal Brand-Gold

What is the bottom line for platforms?

Platforms that the ACDA applies to must comply with the following requirements:

• Configure all default privacy settings to offer a high level of privacy for children’s data unless a business can provide a compelling reason that different settings are in children's best interests.
• Provide privacy information, terms of service, policies, and community standards using clear language suited for children that are likely to access that online service
• Complete a Data Protection Impact Assessment (“DPIA”) before offering the public new services, products, or features and maintain ongoing documentation of DPIAs.
• Only use a child’s personal information for a reason it was collected unless a business can offer a compelling reason that different settings are in the children's best interests.

What is the risk for the companies?

The CA Age-Appropriate Design Code can hold violators liable for a fine of up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation. However, businesses that comply with the law will be given notice before any actions are initiated. The business will have 90 days to rectify any violations before penalties are given.

Will this legislation be enforced and make a difference for platforms?

An essential piece of the ADCA is creating a working group whose purpose is to develop best practices for implementing the law, as well as identify services that are required to comply with it. Additionally, the working group has been given access to leverage California's Privacy Protection Agency (CPPA) which has years of experience developing data privacy policies. Given that the law establishes a Working Group and previously established the CPPA, it seems likely that the ADCA will be enforced.

How does this compare to other policies that protect children?

The California act is modeled after the UK's Age Appropriate Design Code which took effect in September 2021. Given their similar requirements, many major tech companies have already implemented measures to meet the UK’s code and, therefore, California’s requirements.

Has the UK seen an impact from this type of law?

Major tech companies redesigned online platforms to comply with the Children’s Code. However, we haven’t yet seen enforcement or fines from the code. Instead, the focus of the UK’s code authority, the ICO, has been to help companies find solutions. As such, the ICO issues design guidance, a self-assessment risk tool, and transparency best practices.In the evolving legal landscape of online liability, preparedness is key for online platforms to stay compliant. To do so, teams must remain up to date on legislation worldwide that affects the internet. Check out our Trust & Safety Compliance Center and help ensure your platform is compliant.