California’s New Rules on Online Privacy for Kids 

Article by Tsaaro

7 min read

California’s New Rules on Online Privacy for Kids 

Introduction 

The pandemic and the post-pandemic world have seen a manifold increase in the number of young users on the internet. As more and more children have access to the internet, concerns are bound to arise. The harmful effects of social media, online games, etc., are now well documented. Increased screen time is also now allegedly causing problems like eating disorders.   

Some businesses have come under fire for abusing children’s data. The year 2019 saw the settlement of allegations that Google and the owners of the well-known video-sharing app TikTok had improperly and without parental consent acquired children’s personal information and agreed to pay multimillion-dollar government fines. US Federal authorities said that Google had made money by utilising children’s data to target them with YouTube advertisements. Separately, regulators expressed concern over TikTok’s practice of by default making children’s profile images, and other private information public could have allowed adult strangers to approach younger members.  

On 29th August 2022, California Senate passed The California Age-Appropriate Design Code Act (AB- 2273) unanimously. The landmark legislation was introduced by members of the major parties- Democrats and Republicans. The dangers children face online are highlighted as a reason for introducing this legislation. The bill will be enacted in 2024 if it receives the assent of Governor Gavin Newsom. Unlike the famous US legislation, The Children’s Online Privacy Protection Act of 1998, which protects children under the age of 13, the Californian bill aims to safeguard all children below the age of 18.   

California has already set high standards in terms of data privacy, especially in protecting children’s data. The Assembly Bill 2408 of California aims to hold social media companies responsible for causing children to become addicted to their services and imposes a duty not to cause such an addiction. It also prohibits the use and sale of a child’s data. 

 

Salient Features 

This bill provides that companies operating online must provide children’s safety a top priority when developing their products or services for customers under the age of 18. It mandates that data collection is limited, privacy settings are enhanced by default, and efforts to persuade children to change such settings back are prohibited, among other things.  

Principle of data minimization (which means limiting the collection of personal information to what is relevant and absolutely necessary to accomplish a specific purpose) is also applied here since it prohibits any personal data or geolocation information that is not required to deliver an online service, product, or feature that a child is actively and knowingly using should not be collected, sold, shared, or kept.  

It also stipulates that companies with online services or products that are likely to be used by kids, conduct a Data Protection Impact Assessment that looks at issues like whether the service or product could expose children to inappropriate contacts, content, or behaviour; whether any algorithms or targeted ads could endanger children; and whether the service or product employs any retention techniques that prolong usage 

A company that offers an online service, product, or feature that children are likely to use is also forbidden by the bill from engaging in certain activities, such as using a child as the end user’s personal data for purposes other than those for which it was originally collected, unless the company can prove that doing so is in the children’ best interests.  

Businesses must also uphold the terms, rules, and community standards they have published, including, but not limited to, those pertaining to minors and privacy. Additionally, it requires businesses to give children—or, if relevant, their parents or guardians—accessible, visible, and responsive means to enable them exercise their right to privacy and report issues.  

Additionally, it prohibits the use of “dark patterns” to persuade children to divulge more personal information than is necessary to provide an online service, product, or feature, to forego privacy protections, or to take any other action that the company knows or has reason to believe will seriously harm the child’s physical health, mental health, or general wellbeing. 

According to the bill, companies could face fines as high as $7,500 per user if found to be violating the protective measures for children. 

Concerns   
 
However, In order to achieve its objectives, the Californian bill mandates that websites either determine the age of users or grant adults the same amount of increased privacy as minors. Its critics thus feel that this precludes surveillance capitalism. As age verification is required, it would mean additional data would have to be collected, and this would mean more risks with regard to data privacy. To assuage previous fears, the bill provides that any personal information gathered to estimate age or a range of age cannot be used for any other purpose or kept longer than required. An online business, product, or feature’s age assurance must be in line with its risks and data practices. However, Age verification mechanisms are challenging to implement, and the U.K. has dropped plans to mandate age verification while accessing certain websites. Such measures also become concerning since they take away the right to read and write anonymously. Adopting technologies for age verification also increases costs for businesses 

Conclusion  
The bill, however, is not the first of its kind in the world. The United Kingdom, with its Age Appropriate Design Code – which was written into law as part of the 2018 Data Protection Act, which also implemented GDPR in the UK – mandates websites and apps to take the “best interests” of their child users into account, or face fines of up to 4% of annual global turnover. It also stipulates Data Protection Impact Assessments, data minimisation, making the highest privacy ensuring setting as default etc. Experts claim that such legislations are necessary for protecting children from the manipulative and dangerous practices employed by internet giants.   

According to Californian law, internet services that cater to general audiences must proactively develop their features and products to safeguard young users. In reality, this means that websites and applications must assess and reduce any dangers that using their services could present to children, such as exposing them to explicit material or using coercive tactics to get them to spend hours online.  

The legislation adopts a practical, product-safety stance rather than becoming involved in contentious political debates over the internet. It intends to subject online businesses to the exact fundamental safety requirements of the auto industry, effectively mandating that sites and apps install the digital equivalent of seatbelts and airbags for younger users.   

This legislation is a testament that now, online safety of children covers not only cases of bullying and exposure to sexually explicit content but also issues of mental health and data privacy. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.

Tsaaro Consulting

In today’s fast-paced business environment, organisations are constantly seeking innovative methods to adapt and scale efficiently. Staff Augmentation Consulting services, …

Tsaaro Consulting

INTRODUCTION: In today’s interconnected world, businesses operate across borders, serving customers globally. This inevitably leads to the transfer of personal …

Shubham Bansal

INTRODUCTION: The Personal Data Protection Law No. 6698, known as Kişisel Verileri Koruma Kanunu (KVKK), is Türkiye’s landmark data protection …

Tsaaro Consulting

At the Singapore International Cyber Week 2024, The Cyber Security Agency (CSA) of Singapore released Guidelines on Securing Artificial Intelligence …

Tsaaro Consulting

The European Data Protection Board (EDPB) on 8th October 2024, issued draft Guidelines 1/2024 on processing of personal data based …

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them