California Age-Appropriate Design Code Act: Application, Assessments
Melissa Krasnow | January 27, 2023
The California Age-Appropriate Design Code Act (Act) becomes operative on July 1, 2024, subject to specified exceptions. As the Act furthers the purposes and intent of the California Privacy Rights Act (CPRA), the Act applies to a business subject to the CPRA.
More specifically, the Act applies to a business (as defined in Cal Civ. Code § 1798.140) that provides an online service, product, or feature likely to be accessed by children, meaning California residents who are under 18 years of age. This article discusses the Act's application and definitions and Data Protection Impact Assessment requirements. The California attorney general enforces the Act.
Application and Definitions
The Act applies to a business that provides an online service, product, or feature likely to be accessed by children, meaning California residents who are under 18 years of age. "Online service, product or feature" does not mean a broadband Internet access service (as defined in Cal Civ. Code § 3100), a telecommunications service (as defined in 47 U.S.C. § 153), or the delivery or use of a physical product. "Likely to be accessed by children" means it is reasonable to expect, based on the following indicators, that the online service, product, or feature would be accessed by children.
- The online service, product, or feature is directed to children as defined by the Children's Online Privacy Protection Act.
- The online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
- An online service, product, or feature that has advertisements marketed to children.
- An online service, product, or feature that is substantially similar or the same as an online service, product, or feature that is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.
- An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.
- A significant amount of the audience of the online service, product, or feature is determined, based on internal company research (as defined in Cal Civ. Code § 1798.140), to be children.
The Act does not apply to the information or entities described in Cal Civ. Code § 1798.145(c).
If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.
The definitions in Cal Civ. Code § 1798.140 shall apply for purposes of the Act unless otherwise specified in the Act.
Data Protection Impact Assessment Requirements
"Data Protection Impact Assessment" means a systematic survey to assess and mitigate risks that arise from the data management practices of the business to children who are reasonably likely to access the online service, product, or feature at issue that arises from the provision of that online service, product, or feature.
A business shall complete a Data Protection Impact Assessment on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2024 (other than an online service, product, or feature that is not offered to the public on or after July 1, 2024).
Starting July 1, 2024, a business that provides an online service, product, or feature likely to be accessed by children shall do all of the following.
Before any new online services, products, or features are offered to the public, such business shall complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children and biennially review all Data Protection Impact Assessments.
Such a Data Protection Impact Assessment shall identify the purpose of the online service, product, or feature; how it uses children's personal information (as defined in Cal Civ. Code § 1798.140); and the risks of material detriment to children that arise from the data management practices of the business.
Such a Data Protection Impact Assessment shall address, to the extent applicable, all of the following.
- Whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.
- Whether the design of the online product, service, or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service, or feature.
- Whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature.
- Whether the design of the online product, service, or feature could allow children to be party to or exploited by a harmful, or potentially harmful, contact on the online product, service, or feature.
- Whether algorithms used by the online product, service, or feature could harm children.
- Whether targeted advertising systems used by the online product, service, or feature could harm children.
- Whether and how the online product, service, or feature uses system design features to increase, sustain, or extend the use of the online product, service, or feature by children, including the automatic playing of media, rewards for time spent, and notifications.
- Whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information (as defined in Cal Civ. Code § 1798.140) of children.
A Data Protection Impact Assessment conducted by a business for the purpose of compliance with any other law complies with Cal Civ. Code § 1798.99.31 if the Data Protection Impact Assessment meets the requirements of the Act. A single Data Protection Impact Assessment may contain multiple similar processing operations that present similar risks only if each relevant online service, product, or feature is addressed.
Such business shall document any risk of material detriment to children that arises from the data management practices of such business identified in such Data Protection Impact Assessment and create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children.
Within 3 business days of a written request by the California attorney general, such business shall provide to the California attorney general a list of all Data Protection Impact Assessments the business has completed. For any such Data Protection Impact Assessment completed, such business shall make such Data Protection Impact Assessment available, within 5 business days, to the California attorney general pursuant to a written request.
Notwithstanding any other law, a Data Protection Impact Assessment is protected as confidential and shall be exempt from public disclosure, including under the California Public Records Act. To the extent any information contained in a Data Protection Impact Assessment disclosed to the California attorney general includes information subject to attorney-client privilege or work product protection, the disclosure pursuant to Cal Civ. Code § 1798.99.31(a)(4) shall not constitute a waiver of that privilege or protection.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
