California Enacts Stronger Protections for Children’s Online Privacy | Media Pyro

For years, California has led the way in setting the standard for privacy and data protection regulation in the United States. Recently — and as calls for greater control over the addictive nature of social media grow louder — lawmakers in the Golden State moved closer to passing a new, first-of-its-kind privacy law that would prohibit the development and use of “addictive” devices. ” on social media platforms. At the same time, state lawmakers also introduced a second bill that would provide strict protections for the privacy of minors online.

Businesses should closely monitor the development of these bills, as their passage—combined with increased attention to children’s privacy by both federal lawmakers and the Federal Trade Commission (“FTC”)—could have a ripple effect in other states and municipalities with legislators. look to enact similar laws on children’s online privacy.

The Law on Social Media Platform Responsibilities to Children

Earlier this year, California lawmakers introduced the Social Media Platform Duty to Children Act, AB 2408 (“SMPDCA”), a targeted privacy bill aimed at curbing social media addiction and its increasingly negative impact on children. In late June, the California Senate Judiciary Committee passed an amended version of the bill, which now goes to the Senate Appropriations Committee. While the original version of the SMPDCA included a private right of action that allowed parents to sue tech companies for violating the law, the amended bill eliminates the ability to file a class action lawsuit, leaving enforcement solely in the hands of the California Attorney General and the state’s district attorneys, district attorneys, and city ​​prosecutors.

According to the SMPDCA, social media platforms are prohibited from using “a design, feature or feature that the platform knew or, if it exercised reasonable care, should have known would cause children to become addicted to the platform.”

Importantly, however, the bill would allow platforms to protect themselves from liability under the bill’s safe harbor provision, which requires platforms to meet two conditions: (1) implement and maintain a program for regular auditing to identify practices or features that could potentially cause or facilitate the addition of child users; and (2) within 30 days after the completion of any audit, correct any practices or features identified during the audit that represent more than de minimis the risk of breaking the law.

Violations of the SMPDCA will subject social media platforms to civil penalties of up to $2,500 for negligent violations and $7,500 for willful violations. In addition, any platform that knowingly and willfully violates the law will be subject to an additional civil penalty of up to $250,000 per violation, as well as attorneys’ fees and court costs.

California Age Appropriate Design Law

Also this year, state lawmakers introduced a second piece of proposed legislation, California’s Age-Friendly Design Act, AB 2273 (“AADC”), which would impose a number of requirements and restrictions on online businesses that offer accessible services, products or features access children In late June, the California State Senate Judiciary Committee advanced an amended version of the AADC, and it is now scheduled for a Senate Appropriations Committee hearing in early August. If passed, the AADC would take effect on January 1, 2024.

Modeled after the UK’s Age-Friendly Design Code, the AADC, which aims to “enhance child-centred design in online products and services that children can access”, requires companies to consider the best interests of children when designing, developing and provide services, products or features that children can access, while requiring companies to “prioritize the privacy, safety and well-being of children” when there is a conflict between the company’s commercial interests and the best interests of children.

Under the AADC, companies will be required to: (1) conduct a data protection impact assessment and submit an assessment report to the California Privacy Protection Agency (“CPPA”); (2) adjust all default privacy settings associated with any online service or product to provide a high level of privacy protection; (3) provide any privacy notices, such as the privacy policy and terms of service, concisely, prominently, and using clear language that is appropriate for the age of children likely to access that online service/product/feature; (4) if the parent or guardian has the ability to monitor the child’s online activity or location, provides an obvious signal to the child that the child is being watched/tracked; and (5) provide visible, accessible, and responsive tools to help children, or where possible, their parents or guardians, exercise their privacy rights and report concerns.

However, the AADC also prohibits: (1) using any child’s personal information in a manner that is likely to cause or contribute to “more than de minimis” the risk of harming the child’s physical health, mental health or well-being; (2) child profiling by default; (3) collecting precise geolocation information from children by default or without providing obvious indications to children that such information is being collected; and (4) use dark patterns to induce or encourage children to provide personal information beyond what is reasonably expected to provide a service, product, or feature.

Violations of the AADC will subject companies to civil penalties on the injured child up to $2,500 for negligent violations and up to $7,500 for willful violations.

Analysis and conclusions

Both bills in California come amid growing calls from privacy advocates for greater protections for children online. In addition, both President Biden and federal lawmakers have voiced the growing need for stronger regulation of companies that cater to children’s online activities. Meanwhile, this May, the FTC adopted a policy statement to increase scrutiny of violations of the Children’s Online Privacy Protection Act (“COPPA”), which President Biden noted during recent remarks demonstrates that the FTC will focus on “hacking companies that persistently exploiting our children to make money,” for the foreseeable future.

Collectively, companies that offer services or products to children online should closely monitor the progress of California’s children’s online privacy bills while reevaluating their own privacy practices and compliance programs to mitigate the increased control they are likely to face. from all levels of government moving forward.

Printing: