California: COPPA v. CAADC - strength lies in knowing the differences

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024. The CAADC will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children's Online Privacy Protection Act of 1998 ('COPPA'), with the aim of better protecting children's privacy and online safety. Nerissa Coyle McGinn, Partner at Loeb & Loeb LLP, provides a comparison between the provisions of the CAADC and COPPA, specifically looking at areas such as default privacy settings and privacy policy requirements.


The breadth of the CAADC may sweep in many online services, products, and features (CAADC Online Services) that are now considered outside the scope of COPPA. These may include: children's websites that do not collect personal information; websites directed toward teens; and general audience sites that are routinely accessed by a significant number of children. In addition, the CAADC's requirements for compliance are much broader than COPPA because the CAADC focuses not only on the use and collection of personal information but also on how the design of a CAADC Online Service may harm a child. Due to the breadth of the CAADC, even though businesses have over a year before the law is effective, they should consider determining how this law may affect their business as soon as possible. To help businesses determine how to comply with the CAADC, below is a list of the differences between COPPA and the CAADC.

 

For each topic below, the COPPA position is given first, followed by the CAADC position.

Purpose

The primary goal of COPPA is to place parents in control of the information that is collected from their children.

The goal of the CAADC is broader than COPPA. While it is possible that parents may have control over the information that is collected from children under the CAADC, its primary focus is the overall safety and well-being of children while online.

Effective date

The original COPPA rule became effective on 21 April 2000. Then, an amended rule took effect on 1 July 2013.

The CAADC will become effective on 1 July 2024.

Types of websites

COPPA applies to online services that are directed to children under the age of 13 and online services that have actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

To determine whether an online service is directed towards children, COPPA considers the following factors:

  • the subject matter;
  • the visual content;
  • the use of animated characters or child-oriented activities and incentives;
  • music or other audio content;
  • the age of models;
  • the presence of child celebrities or celebrities who appeal to children;
  • language or other characteristics of the website or online service;
  • whether advertising promoting or appearing on the website or online service is directed to children;
  • competent and reliable empirical evidence regarding audience composition; and
  • evidence regarding the intended audience of the site or service.

Please note that the 'collection' of information under COPPA is defined broadly and includes requesting, prompting, or encouraging a child to submit personal information online.

The CAADC covers online products, services, and features (CAADC Online Services) that are likely to be accessed by children. Under the CAADC, a CAADC Online Service is likely to be accessed by children if it is reasonable to expect that the CAADC Online Service would be accessed by children. The factors reviewed to make this determination are broader than COPPA. Not only does the CAADC include COPPA's 'directed to children' factors, but it also includes any CAADC Online Service that has a 'significant' audience of children and any CAADC Online Service that is substantially similar to another online service, product, or feature that is routinely accessed by a 'significant' number of children. 'Significant' is not defined in the CAADC and, therefore, it is difficult to determine which sites will have to comply with the CAADC at this time.

Below is a list of indicators considered when determining whether children are likely to access a CAADC Online Service:

  • the CAADC Online Service is directed to children as defined by COPPA;
  • the CAADC Online Service is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
  • a CAADC Online Service with advertisements marketed to children;
  • a CAADC Online Service that is substantially similar or the same as an online service, product, or feature that is routinely accessed by a significant number of children;
  • a CAADC Online Service that has design elements which are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children; and
  • a significant amount of the audience of the CAADC Online Service is determined, based on internal company research, to be children.

Types of operators

COPPA applies to operators of commercial websites and online services (including mobile apps and Internet of Things devices). COPPA does not apply to online services run by not for profits.

Only businesses that meet the CPRA business thresholds must comply with the CAADC. To be subject to the CAADC, you must be a for-profit organisation, do business in California, use the personal data of California residents, and meet at least one of the following criteria:

  • your annual gross revenue is $25 million or more;
  • you use the personal data of over 100,000 users for commercial purposes; and/or
  • you generate 50% or more of your revenue from the sale of personal data.

 

Similar to COPPA, the CAADC does not apply to online services.

Age

Children under the age of 13.

While COPPA does not apply to minors 13-17, the Federal Trade Commission ('FTC') has previously stated that it is concerned about teen privacy and does believe that 'strong, more flexible protections may be appropriate for this age group'. More recently, the FTC has arguably granted these protections to teens under its Section 5 powers in a settlement with a gaming company.

Consumers under the age of 18.

Triggering event

COPPA is triggered by the collection of personal information from children.

The CAADC does not have a triggering event. All CAADC Online Services that are likely to be accessed by children must comply with the CAADC.

What is personal information?

COPPA defines personal information to include the following:

  • first and last name;
  • a home or other physical address including street name and name of a city or town;
  • online contact information;
  • a screen or user name that functions as online contact information;
  • a telephone number;
  • a social security number;
  • a persistent identifier that can be used to recognise a user over time and across different websites or online services;
  • a photograph, video, or audio file, where such file contains a child's image or voice;
  • geolocation information sufficient to identify street name and name of a city or town; and/or
  • information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

Personal information under CAADC uses the same definition in Section 1798.140 of the California Privacy Rights Act of 2020. This definition arguably is broader than COPPA. Below is a list of differences:

  • COPPA is limited to information collected from children online. The CAADC does not have this limitation. It can include either information collected from parents or information collected off-line.
  • Biometric information is included in the definition of personal information under the CAADC but is not included in COPPA. Under the CAADC, 'biometric information' means an individual's physiological, biological or behavioral characteristics, including an individual's DNA, that can be used, singularly or in combination with each other or with other identifying data, to establish individual identity.
  • Unlike COPPA, the CAADC also includes 'education information' which is defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act 1974.
  • The CAADC also includes as personal information inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.

Privacy tools that must be provided for parents

Online service providers must provide a mechanism for parents to: review a child's personal information; have the child's personal information deleted; and refuse to permit its further collection or use.

The CAADC requires that a CAADC Online Service provide prominent, accessible, and responsive tools to help children, or if applicable, their parents or guardians, exercise their privacy rights and report concerns. The types of tools required are not defined by the CAADC.

Privacy policy requirements

COPPA requires that the following information be included in a privacy policy:

  • name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);
  • a description of what information the operator collects from children, including whether the operator enables children to make personal information publicly available, how the operator uses such information, and the operator's disclosure practices for such information; and
  • that the parent can review or have deleted the child's personal information and refuse to permit its further collection or use including the procedures for doing so.

The CAADC requires that a CAADC Online Service provide privacy information 'concisely, prominently, and using clear-language suited to the age of children likely to access that online service, product or feature'. It remains an open question whether operators will have to provide more than one privacy policy if children of varying age groups use the service, product, or feature.

These same requirements also apply to all terms of service, community standards, and any other policies provided as part of the CAADC Online Service.

Age estimator/age gate

COPPA does not require websites to estimate the ages of users. However, COPPA does allow websites to use age gates to stop children from accessing areas of the online service where personal information is being collected.

The CAADC requires businesses to estimate the age of child users with a reasonable level of certainty. If the business is unable to do this, then the business will have to provide the privacy and data protections afforded to children to all consumers. To avoid having to provide these privacy protections to all consumers, businesses may have to consider having age gates to determine ages for any CAADC Online Service that is likely to be accessed by children.

Default privacy settings

None.

The CAADC requires that CAADC Online Services that are likely to be accessed by children configure all default privacy settings provided to children at the highest level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.

Monitoring of child by the parent or guardian

None.

If the CAADC Online Service allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track the child's location, the business must provide an obvious signal to the child when the child is being monitored or tracked.

Businesses that are tracking activity in the background of an application will need to consider how they will communicate this signal to end users.

Protecting a child's physical health, mental health, and wellbeing

Not addressed.

The CAADC prohibits businesses from using personal information in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or wellbeing of a child.

Profiling

Not addressed.

The CAADC prohibits the profiling of a child by default unless both of the following criteria are met:

  • the business can demonstrate it has appropriate safeguards in place to protect children; and
  • either of the following is true:
    • profiling is necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which the child is actively and knowingly engaged; or
    • the business can demonstrate a compelling reason that profiling is in the best interests of children.

Geolocation information

Precise geolocation information can only be collected with verifiable parental consent.

Businesses cannot collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the business to provide the CAADC Online Service requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the CAADC Online Service.

In addition, businesses must provide an obvious sign to the child for the duration of the collection of the precise geolocation information.

Data Protection Impact Assessment ('DPIA')

Not addressed.

Businesses are required to conduct a DPIA before any new CAADC Online Service is offered to the public. Then, businesses must continuously review all DPIAs every other year.

Specifically, the DPIA must identify the purpose of the online product or service, how it uses information, and the risks of material detriment to children that arise from the business's data management practices, by analysing whether the online product or service could do any of the following:

  • harm children, including by exposing children to harmful or potentially harmful content;
  • lead to children experiencing or being targeted by harmful or potentially harmful contacts;
  • permit children to witness, participate in, or be subject to harmful or potentially harmful conduct;
  • allow children to be party to or exploited by harmful contacts;
  • harm children by use of its algorithms; or
  • harm children by use of its targeted advertising.

Dark patterns

Not addressed.

Businesses cannot use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature, to forego privacy protections, or to take any action that the business knows or has reason to know is materially detrimental to a child's physical health, mental health, or wellbeing.

Limitations on collection

Subject to limited exceptions, online service providers can only collect personal information from children after receiving verifiable parental consent.

While the CAADC does not require verifiable parental consent, it does state that businesses should not collect, sell, share, or retain any personal information that is not necessary to provide the CAADC Online Service.

Penalties

COPPA gives states and certain federal agencies authority to enforce compliance. Under FTC enforcement, a court can hold operators who violate COPPA liable for civil penalties of up to $50,120 per violation. The amount of civil penalties the FTC seeks will depend on the type of violation.

Any violation of the CAADC is subject to an injunction and liable for a civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation, if the violation is not cured within a 90-day period. While the penalties are limited to each child, it is possible that there are multiple violations per child, which could greatly increase the number of penalties imposed on businesses. The CAADC does not include a private right of action. The California Attorney General has exclusive jurisdiction to enforce the law.

Potential future of these laws

Several new federal privacy bills have been introduced in 2022 and 2023 which will potentially overhaul COPPA. However, until that happens, it appears that the FTC is attempting to expand its powers to protect the privacy of minors under the age of 18 through its Section 5 powers.

The future of the CAADC is murky. As part of the law, the CAADC created the California Children's Data Protection Working Group, which is supposed to further develop the law to answer many of the outstanding questions children's privacy professionals have about the implementation of this law.

In the meantime, a conglomerate of technology companies is attempting to strike down the CAADC as unconstitutional. This challenge is in the beginning stages, and we may not have resolution before the 1 July 2024 effective date.


Nerissa Coyle McGinn Partner
Loeb & Loeb LLP, Chicago