What is the California Age-Appropriate Design Code Act (CAADCA)?

On September 25th, 2022, California passed a new law—the California Age-Appropriate Design Code Act (CAADCA). It goes into effect on July 1st, 2024, but compliance may feel challenging for many.   

Inspired by the UK Age-Appropriate Design Code, the CAADCA regulates the collection, storage, and processing of personal data of children under 18. Here’s everything you need to know about it.  

Understanding the CAADCA 

The CAADCA will regulate the collection, storage, processing, and transfer of children’s data. It expands upon the existing Children’s Online Privacy Protection Act (COPPA) and California’s Parent Accountability and Child Protection Act. 

Discussions regarding the blind spots of COPPA and other regional laws are not new. CAADCA comes with a stricter set of rules and a wider range of applicability. Notably, CAADCA broadens the scope of COPPA significantly. Where COPPA applied only to data of minors 13 and under, CAADCA applies to those under the age of 18.  

Who needs to comply? 

CAADCA applies to any business that is subject to the CCPA/CPRA and whose services could be used by minors under 18.  

You need to comply with the CCPA if you are a for-profit organization doing business in California, use the personal data of California residents, and meet at least one of the following criteria:  

• Your annual gross revenue is $25 million or more. 
• You use the personal data of over 50,000 users for commercial purposes. 
• You generate 50% or more of your revenue from the sale of personal data. 

For CAADCA, you need to look further at your services and the data you collect. You’ll need to comply with it if you:  

• Offer services directed to minors under 18. This includes products or websites geared solely toward teenagers. 
• Offer services that are routinely accessed by children. 
• Use advertisements that target children. 
• Have elements that appeal to children, such as music or design containing cartoons. 

• Have products that are similar to others geared toward children. 
• Discover through research that a significant number of your audience consists of children. 
  

Navigating the requirements of the CAADCA 

So, you’ve determined that you need to comply with the California Age-Appropriate Design Code Act. But what exactly does it mean to be compliant? Here are the main requirements. 

1. Conduct a data protection impact assessment (DPIA)

Look at all the online services and products you offer that are likely to be used by children and conduct a DPIA for each. DPIAs are nothing new for any company that has kept an eye on the CCPA/CPRA or its European cousin, the GDPR. They’re a central element in the CAADCA as well, so businesses should become well-versed in carrying out DPIAs. 

What should such an assessment include? You need to look at the purposes of the processing, the categories of data you process, and any risks that may arise. Plus, for any risk you identify, you should have a plan to mitigate it, or eliminate it entirely if possible, before children can access the service. 

Of course, you’ll need to update your DPIAs regularly. CAADCA requires businesses to review and update their DPIAs every two years. However, if you offer any new products or services during the interim, you’ll need to immediately conduct a DPIA for that product or service. 

Regularly conducting and maintaining your DPIAs is especially important as the California Attorney General can request your DPIAs at any time. 

2. Privacy by default

Like DPIAs, adhering to privacy-by-default principles is not a new concept and one that will be very familiar to those who already comply with the GDPR and the CPRA. What “privacy by default” means in practice will vary from business to business. Examples include turning geolocation off and limiting tracking to only what is strictly necessary.  

You’ll also need to turn off any features that profile children unless you can provide compelling evidence the processing is in the child’s best interest. 

3. Estimate the age of the users

Unless your products are 100% directed at children, this requirement might feel a little daunting. After all, people can lie about their age when online.  

Imposing restrictions that make lying impossible, such as requesting proof of their date of birth, is not always the best idea. Unless you need their ID to provide services, it would result in the collection of a lot of personal data. The solution? Use the same privacy measures you’d apply for children to all your users. 

4. Create notices so that children can understand them

Your notices, policies, and terms should be easy to find, access, and read by the children that access your products. Be sure those policies are comprehensive and describe all the data you're collecting, the purposes, and more.  

Again, this is a requirement you should strive for even if you aren’t certain whether children are accessing your product or service. After all, it can’t hurt to have simple and easy-to-understand disclosures. 

5. Notify children that they may be tracked

Do your products allow parents or guardians to monitor their child’s activity? Then you need to provide a clear signal to the child when this tracking occurs. 

6. Collect only data that is strictly necessary

This should go without saying whether you collect data from adults or children, but limit yourself only to what you need to provide the services. Once you get the data, don’t use it for any other purpose than the one outlined in the initial notice. 

Penalties for non-compliance 

Violating the CAADCA will cost you a civil penalty of up o $2,500 for every affected child if the violation was negligent. On the other hand, if the violation was intentional, the fine can go up to $7,500 per affected child. 

There is some good news though. The California Attorney General may offer you up to 90 days to rectify the violations before enforcing the penalties. Also, the CAADCA doesn’t include a private right of action, so you don’t need to worry about individual citizens attempting to sue your organization. 

How privacy professionals can work toward CAADCA compliance 

If your business is located in California and you meet the thresholds for the CPRA, the CAADCA will apply to you. Even though the law won’t go into effect until July 1st, 2024, children’s privacy is not something you want to tackle at the last possible minute—it’s safe to say you need to start preparing now. 

To start, determine which of your products are likely to be accessed by minors under 18.

Remember, even if none of your services are targeting children directly, they might still access the service. You can do some market research or investigate the issue internally to determine the approximate age of your customers. Or, you might forgo this step and simply assume that children are accessing your products and services and therefore comply with CAADCA by default. 

Once you have this list of relevant products or services, start working on your DPIA.

This can be time-consuming and complex, but fortunately, there are solutions that can help you manage the assessment process. Osano Assessments provides ready-to-use templates, automates associated workflows, reduces the risk of human error, and centralizes your assessments along with all the other compliance functions you need to complete. 

Next, review and update your policies.

Make sure they’re comprehensive and explain what data you collect and why. Don’t forget to make them easy to understand for children who may access your services. 

The entire process may sound complicated at first, but it doesn’t have to be. The Osano Platform simplifies and streamlines your compliance activities, so you can have more time to dedicate to the niche requirements of laws like CAADCA. Schedule a demo today.