Getty Images/iStockphoto

California privacy law might push online age verification

The California Age-Appropriate Design Code Act goes into effect in 2024, meaning businesses with users under the age of 18 should start preparing to comply soon.

A new California privacy law protecting children online could usher in fundamental changes to online platform, website and app design as it focuses on integrating privacy and safety features into the foundational technology.

The California Age-Appropriate Design Code Act (AADC), which goes into effect in July 2024, requires businesses providing an online service or product that is "likely to be accessed by children" to configure the service or product settings to offer a "high level of privacy," according to the law. It is similar to the United Kingdom's Children's Code, which sets data protection standards for the design of online services accessed by children.

The California privacy law stands to significantly affect businesses because it sets the age range for children to 18 and under. Federal law protecting children online -- the Children's Online Privacy Protection Act -- only applies to children ages 13 and under.

Not only does the AADC apply to a wider age range, but it will also require businesses to conduct biennial data protection impact assessments that go beyond what a business might consider in a typical privacy assessment, said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals (IAPP) in Washington, D.C.

The AADC wants businesses to identify the purpose of their online service, how they plan to use children's personal data, risks children could face from the businesses' data management practices and whether algorithms the online service uses could harm children.

It will apply to a lot of companies that don't think of themselves as doing business with children.
Cobun Zweifel-KeeganManaging director, International Association of Privacy Professionals

"It will apply to a lot of companies that don't think of themselves as doing business with children, especially because the younger teen demographic is one that probably uses a lot of the same services adults use," Zweifel-Keegan said. "It won't be uncommon to trigger these obligations."

How the AADC could affect businesses

The AADC will likely end up applying to "more companies than it doesn't apply to," which means businesses should start determining whether they need to comply with the law and what counts as "likely to be accessed by children," Zweifel-Keegan said. Companies that violate the law face penalties of up to $7,500 per child, per violation.

The law is ambiguous about how many children need to be accessing the online service for the company to fall under the privacy law's obligations, said Jennifer King, privacy and data policy fellow at the Stanford University Institute for Human-Centered Artificial Intelligence (HAI). She said if a company sees roughly 10% to 15% of users under the age of 18, the company should likely start thinking about how to comply with the new law.

"I think the thing some folks are worried about is, 'What if I'm a news site and there are teenagers visiting my news site?'" she said. "Again, I think you'd have to have a pretty substantial audience of children visiting before that would kick in."

The AADC will require companies to have general knowledge regarding the age of users accessing their online service.

"It doesn't require there to be age verification, but it asks companies to have a reasonable understanding of the age of their users that's proportionate to the level of risk of the service they're providing," IAPP's Zweifel-Keegan said.

But the requirement might nonetheless push more companies toward age verification tools -- something most companies don't currently offer on their websites, he said. It's also raised some concern among critics who worry that requiring more data to verify users' ages only increases a company's data collection on minors.

A social media company, for example, will likely need to have a higher level of certainty about the ages of its users versus a retail establishment, since the risk posed to children is higher, Zweifel-Keegan said. However, the AADC would still require retail establishments to have some level of certainty of user age if users under the age of 18 are accessing their services online.

Privacy by design

Once user age is identified, it triggers other aspects of the new privacy law, such as privacy-protective default setting requirements like turning off geolocation data collection for children, Zweifel-Keegan said.

He said the new privacy law is a "privacy by design mentality," a concept that focuses on integrating privacy standards with technology as it's built.

Indeed, Stanford HAI's King said the privacy law does a good job outlining what privacy by design means for companies by giving specific requirements for privacy design codes, such as limiting data collection on minors.

"This says your business design basically can't be to collect as much data from your visitors as possible, in particular kids," King said.

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.

Dig Deeper on Risk management and governance