Northern District of California Court Finds CA AADC Violates Firs

Table Of Content

• FPF Develops Checklist & Guide to Help Schools Vet AI Tools for Legal Compliance
• Age Assurance and Knowledge Standard
• Court blocks California’s online child safety law
• A Trial Lawyer’s Trial Lawyer: Paul Callan On Trial
• Prince Harry: world needs new digital laws like California proposal to protect children
• California teen: “I hated being me” on social media. Simple reforms can change that

Most digital policymaking leaves little middle ground for stakeholder views and AB 2273 is no different. The bill and its new standard for protecting youth online has the complete support of civil society while industry is grappling with potentially over-broad compliance measures that it thinks may ultimately put kids in a different type of risk. Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation. OAKLAND — California Attorney General Rob Bonta today filed a brief in the Ninth Circuit Court of Appeals in defense of California’s law requiring companies to prioritize the online privacy, safety, and well-being of children over commercial interests. In the brief, Attorney General Bonta seeks to overturn a preliminary injunction blocking the California Age-Appropriate Design Code Act from going into effect.

FPF Develops Checklist & Guide to Help Schools Vet AI Tools for Legal Compliance

The privacy laws and safety protections impacting children vary from country to country and across industries and data types, making it hard to apply a singular global approach. This comprehensive treatise is intended to provide reliable and substantive background on children’s privacy, data protection, and safety issues. AB 2273 requires businesses with an online presence to complete a Data Protection Impact Assessment before offering new online services, products, or features likely to be accessed by children. The bill mandates that strong privacy protections should be provided by design and default for online services, products, or features that are likely to be used by children. This includes disabling features that use a child's past behavior, browsing history, or assumptions about their similarity to other children to profile them and present harmful content.

Age Assurance and Knowledge Standard

Additionally, if a business has foregone conducting applicable DPIAs for whatever reason, then the Act should provide the necessary impetus (and business case) to reassess this position and integrate them into product builds. Continuous customer engagement by companies through branded messaging tends to increase customer trust. The California Age-Appropriate Design Code Act states that children or, if necessary, their parents or guardians should be given accessible and responsive tools which assist them in exercising their right to privacy and report concerns.

Court blocks California’s online child safety law

Evaluating the Argument Over the California Age Appropriate Design Code Act TechPolicy.Press - Tech Policy Press

Evaluating the Argument Over the California Age Appropriate Design Code Act TechPolicy.Press.

Posted: Fri, 20 Oct 2023 07:00:00 GMT [source]

California’s new online privacy and safety law for children under the age of 18 is modeled on the UK Age-Appropriate Design Code, which became enforceable on September 2, 2021. "This is absolutely a massive shift in what many — if not most — companies will be required to do," Public Interest Privacy Consulting founder and President Amelia Vance said. "'General audience' companies have largely avoided having any responsibilities under the Children's Online Privacy Protection Act. This is a whole new ballgame, and compliance is likely to be a nightmare for any company that hasn’t already started to bring their products into compliance with the U.K. Children's Code." The bill, which awaits enactment by Gov. Gavin Newsom, D-Calif., after unanimously passing the State Assembly and Senate, is an online safety bill containing unique privacy requirements to protect minors age 17 and under. Although it is not yet clear exactly how these categories will come into play, companies should consider these developmental categories as they start to evaluate the safety of their data practices and, in particular, where there are specific requirements to take the age of the user into account. Countries across the world have drafted or are in the process of drafting their own versions of data protection legislation.

Among other things, the ruling takes issue with the requirement that sites estimate visitors’ ages to detect underage users. The provision is ostensibly meant to cut down on the amount of data collected about young users, but Freeman notes that it could involve invasive technology like face scans or analyzing biometric information — ironically requiring users to provide more personal information. Unless the company can prove convincingly that a different option is in children's best interests, all default privacy settings offered to children by the online service, product, or feature should be configured to settings that offer a high level of privacy. The application to users below the age of 18 is significant since the federal Children’s Online Privacy Protection Act of 1998 only applies to users below the age of 13 (and is generally focused on online services directed at children).

The EU’s tough new moderation rules are about to cover a lot more of the internet

A covered entity under the bill is defined as a business "that provides an online service, product, or feature likely to be accessed by children shall take all," but application relies on thresholds defined under the California Privacy Rights Act. Specific privacy requirements include privacy-by-default settings, data protection impact assessments within a 72-hour window upon request from the California attorney general, and standards to assess whether services are likely to be accessed by minors. The ADCA would apply to businesses that provide “an online service, product, or feature likely to be accessed by a child.” This casts a wider net than COPPA’s “directed to children” standard. Under COPPA, under-age-13 users’ personal data is not typically afforded higher protection unless the service has actual knowledge that the user is a child or if the service’s offerings are deemed as child-directed through factors such as direct marketing, graphics, or music that appeals to children.

The California Age-Appropriate Design Code Act Enjoined - The National Law Review

The California Age-Appropriate Design Code Act Enjoined.

Posted: Sat, 09 Mar 2024 08:00:00 GMT [source]

While the size of a covered business is clearly defined, whether or not a company is building a product "likely to be accessed" by children may present the most uncertainty. Age verification and inference for kids online has been an ongoing debate due in large to loopholes with COPPA's "actual knowledge" standard. Future of Privacy Forum Youth and Education Privacy Policy Counsel Bailey Sanchez said the California bill won't help bring a resolution to the verification issue. The ADCA would also require covered entities to undertake a Data Protection Impact Assessment (DPIA) for any product, service, or feature likely to be accessed by a child.

The California Kids Code refers to legislation that enhances online privacy and protection for children, particularly regarding personal information. Organizations must clearly indicate to the child when they are being tracked or monitored if the online service, product, or feature has permitted the parent, legal guardian, or any other consumer to keep an eye on the child's online behavior. Organizations must conduct a Data Protection Impact Assessment for every online service, product, or feature that is likely to be used by children before making it available to the public, and keep the documentation of this assessment for as long as the online service, product, or feature is likely to be used by children. In its definitions of covered businesses, the California Age-Appropriate Design Code Act (AB-2273) extends beyond the reach of COPPA.

States looking to 2024 to pass revised kids’ online safety bills

House has provisions for minors age 17 and under while attempting to better address the COPPA actual knowledge issues. "This will be difficult for many businesses to operationalize and reduce the quality of online services for adults," Sanchez said. "The exact implications are unclear because the bill leaves many important questions unanswered. It is challenging to verify someone’s age without collecting sensitive personal information."

Lawmakers in California and around the world have prioritized legislation that would establish individual protections, limit the potential harmful consequences of large-scale data collection and processing, and curtail abuses of targeted advertising and automated decision making. California has passed multiple bills designed to regulate online content, and challenges to others — including a suit filed by X, formerly Twitter, over a law governing how sites moderate hate speech — remain ongoing. But courts elsewhere have determined that several state-level laws are probably unconstitutional. In August, a different court blocked a law requiring age verification for online pornography, saying that it would similarly require invasive data collection and limit adults’ access to constitutionally protected speech. It will require companies to assess and assuage the damage that their products could potentially do to children— like exposing them to predators or addicting them with algorithms that lead to eating disorders.

Online Safety Bill, and state bills in Maryland, New Jersey, New Mexico, and Utah also seek to make service providers responsible for keeping minors safe online. Companies that fail to implement appropriate privacy and design product changes will continue to risk sizable fines, particularly in the EU and United States. The Kids Code requires companies to consider the privacy and protection of children in the design of any digital product or service that children in California are likely to access. You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website.

However, for businesses in substantial compliance the Attorney General shall provide written notice to the business before initiating an action and allow the business 90 days from such notice to cure any potential violations. In September 2023, the District Court for the Northern District of California granted a preliminary injunction against the Kids Code, preventing the law from going into enforcement. California Attorney General Rob Bonta has appealed and a decision is expected in the Ninth Circuit Court of Appeals in Spring 2024.

While the litigation presses forward, children’s data privacy remains a pressing issue as state and federal legislators continue to introduce bills. The Act also created a working group to advise government and businesses on best practices for prioritizing children’s best interests (privacy and safety) online. As California is home to some of the world’s biggest technology and social media companies, which have already made changes under the UK code, the CA Kids Code is expected to have global influence.

On September 15, 2022, the California Age-Appropriate Design Code Act (CAADCA) was signed into law. The CAADCA recognizes that “children need special safeguard[s] and care in all aspects of their lives.”  Importantly, the CAADCA requires online service providers to offer a high level of privacy by design and by default to children under the age of 18. Data protection impact assessments are a key protective requirement that businesses must conduct and document for any new online service, product, or feature likely to be accessed by children before it is offered to the public.

The Working Group will consist of ten persons having expertise in areas such as, children’s data privacy, mental health, computer science and children’s rights. Strong data minimization standards would be established by the ADCA, making it illegal to collect, sell, share, or keep personal data that is not required to deliver the product or service. Children’s Online Privacy Protection Act (COPPA), which provides protections for children aged 13 or under, the CA Kids Code is designed to protect all children under 18 in California. The result of months of hearings and a congressional investigation into tech companies’ handling of children’s safety, after documents were disclosed last year by Facebook whistleblower Frances Haugen.

The UK AADC requires online providers to comply with a series of privacy and product design obligations and extends to websites that are likely to be accessed by children. In September 2022, California became the first state to adopt similar protections for children’s online privacy with the adoption of the California Age-Appropriate Design Code Act (CA AADC). The CA AADC largely mirrors the UK AADC’s privacy requirements and builds on its product design and online safety requirements for kids under age 18.