The Future of Privacy Forum released a new policy brief, An Analysis of the California Age-Appropriate Design Code.
As federal and state legislators heighten their focus on children’s privacy online, California unanimously passed and signed the Age-Appropriate Design Code Act (California AADC) into law, marking a significant step in efforts to regulate tech companies’ approach to children’s data. Drawing inspiration from the United Kingdom’s Age Appropriate Design Code (UK AADC), the California AADC focuses on child-centered design for businesses with products, services, and features that are “likely to be accessed by a child.” This standard, along with other requirements that contain unclear terms, presents new questions and considerations for online service providers, including how to determine a user’s age and when privacy by design is required.
“While policymakers from both sides of the aisle are increasingly prioritizing efforts to secure new protections for children online, in the absence of federal action, California, as it did on consumer privacy, has taken a big step on its own,” said Chloe Altieri, Youth & Education Privacy policy counsel for FPF and an author of the report. “Big changes like this bring a lot of questions and there’s a lot we still don’t know – including exactly what services this bill would apply to. But as policymakers, online service providers, regulators, and others move towards implementation, we wanted to start with assessing what we do know – and flag some of the key unanswered questions.”
The California AADC is notable for extending far beyond the scope of the primary federal children’s online privacy law, the Children’s Online Privacy Protection Act (COPPA), in several key ways. For example, the California AADC raises the baseline age of protection to youth under age 18 (COPPA defines “child” as under age 13) and applies to online businesses with products, services, and features “likely to be accessed by a child,” casting a wider net than COPPA’s current standard of covering sites “directed to children” under 13.
The policy brief expands on those elements of the California AADC and others, including:
- Covered Entities
- Age Estimation
- Privacy by Design and Default
- General Business Obligations
- User-Centric Policies
- Data Minimization
- Data Protection Impact Assessments
- Enforcement and Guidance
“California has a long history of being a first-mover on consumer privacy protections in the U.S., and it seems very likely that we will start to see these types of child-centered design principles become an increasingly influential model for future legislation and regulation,” said Bailey Sanchez, Youth and Education Privacy policy counsel at FPF and an author of the report. “In fact, about a week after this bill was signed into law, we saw the first example of that, with a similar children’s code bill introduced in New York.”
Read the policy brief to learn about the key components of the CA AADC and the questions they raise for both technology regulation and user experiences.
FPF’s youth and education privacy team has closely tracked the progress of the California AADC; catch up on previous blog posts from June 28 and a September 1 update, and read our statement on the final bill here.