California’s bill would require companies that provide online services or products “likely to be accessed by children” – defined as any individual under the age of 18 – to adhere to heightened privacy and data protection standards.
The California Age-Appropriate Design Code Act, A.B. 2273, passed in the California Legislature. The bill is expected to be signed by the Governor and go into effect July 1, 2024.
The anticipated law applies to “businesses” which are for-profit organizations that do business in California and: (1) have revenue of more than $25 million, or (2) derive 50% or more of its annual revenue from selling consumers’ personal information, or (3) buys/receives for commercial purposes the personal information of more than 50,000 consumers/households/devices. In summary, A.B. 2273 requires:
- Default privacy settings: Companies must configure default privacy settings to the highest possible level of privacy and provide privacy information and other policies prominently in terms that children can understand.
- No use of minor’s personal information: Companies will be banned from using children’s personal information “for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children,” according to the legislation.
- Attorney General’s authority: A.B. 2273 permits the Attorney General to seek an injunction or civil penalty against companies that violate the Act. Negligent violations could result in a penalty of up to $2,500 per affected child, and intentional violations could result in a penalty of up to $7,500 per affected child, according to the bill. Currently, the bill does not provide a private right of action.
In sum, the bill: (1) increases technology regulation, (2) aims to provide more online privacy protections for minors, and (3) will cause companies to increase privacy, legal, and engineering resources to meet the bill’s requirements.