March 10, 2023
On September 25th, 2022, California passed a new law—the California Age-Appropriate Design Code Act (CAADCA). It goes into effect on July 1st, 2024, but compliance may feel challenging for many.
Inspired by the UK Age-Appropriate Design Code, the CAADCA regulates the collection, storage, and processing of personal data of children under 18. Here’s everything you need to know about it.
The CAADCA will regulate the collection, storage, processing, and transfer of children’s data. It expands upon the existing Children’s Online Privacy Protection Act (COPPA) and California’s Parent Accountability and Child Protection Act.
Discussions regarding the blind spots of COPPA and other regional laws are not new. CAADCA comes with a stricter set of rules and a wider range of applicability. Notably, CAADCA broadens the scope of COPPA significantly. Where COPPA applied only to data of minors 13 and under, CAADCA applies to those under the age of 18.
CAADCA applies to any business that is subject to the CCPA/CPRA and whose services could be used by minors under 18.
You need to comply with the CCPA if you are a for-profit organization doing business in California, use the personal data of California residents, and meet at least one of the following criteria:
For CAADCA, you need to look further at your services and the data you collect. You’ll need to comply with it if you:
So, you’ve determined that you need to comply with the California Age-Appropriate Design Code Act. But what exactly does it mean to be compliant? Here are the main requirements.
Look at all the online services and products you offer that are likely to be used by children and conduct a data protection impact assessment (DPIA) for each. DPIAs are nothing new for any company that has kept an eye on the CCPA/CPRA or its European cousin, the GDPR. They’re a central element in the CAADCA as well, so businesses should become well-versed in carrying out DPIAs.
What should such an assessment include? You need to look at the purposes of the processing, the categories of data you process, and any risks that may arise. Plus, for any risk you identify, you should have a plan to mitigate it, or eliminate it entirely if possible, before children can access the service.
Of course, you’ll need to update your DPIAs regularly. CAADCA requires businesses to review and update their DPIAs every two years. However, if you offer any new products or services during the interim, you’ll need to immediately conduct a DPIA for that product or service.
Regularly conducting and maintaining your DPIAs is especially important as the California Attorney General can request your DPIAs at any time.
Like DPIAs, adhering to privacy-by-default principles is not a new concept and one that will be very familiar to those who already comply with the GDPR and the CPRA. What “privacy by default” means in practice will vary from business to business. Examples include turning geolocation off and limiting tracking to only what is strictly necessary.
You’ll also need to turn off any features that profile children unless you can provide compelling evidence the processing is in the child’s best interest.
Unless your products are 100% directed at children, this requirement might feel a little daunting. After all, people can lie about their age when online.
Imposing restrictions that make lying impossible, such as requesting proof of their date of birth, is not always the best idea. Unless you need their ID to provide services, it would result in the collection of a lot of personal data. The solution? Use the same privacy measures you’d apply for children to all your users.
Your notices, policies, and terms should be easy to find, access, and read by the children that access your products. Be sure those policies are comprehensive and describe all the data you're collecting, the purposes, and more.
Again, this is a requirement you should strive for even if you aren’t certain whether children are accessing your product or service. After all, it can’t hurt to have simple and easy-to-understand disclosures.
Do your products allow parents or guardians to monitor their child’s activity? Then you need to provide a clear signal to the child when this tracking occurs.
This should go without saying whether you collect data from adults or children, but limit yourself only to what you need to provide the services. Once you get the data, don’t use it for any other purpose than the one outlined in the initial notice.
Violating the CAADCA will cost you a civil penalty of up to $2,500 for every affected child if the violation was negligent. On the other hand, if the violation was intentional, the fine can go up to $7,500 per affected child.
There is some good news though. The California Attorney General may offer you up to 90 days to rectify the violations before enforcing the penalties. Also, the CAADCA doesn’t include a private right of action, so you don’t need to worry about individual citizens attempting to sue your organization.
If your business is located in California and you meet the thresholds for the CPRA, the CAADCA will apply to you. Even though the law won’t go into effect until July 1st, 2024, children’s privacy is not something you want to tackle at the last possible minute—it’s safe to say you need to start preparing now.
Remember, even if none of your services are targeting children directly, they might still access the service. You can do some market research or investigate the issue internally to determine the approximate age of your customers. Or, you might forgo this step and simply assume that children are accessing your products and services and therefore comply with CAADCA by default.
This can be time-consuming and complex, but fortunately, there are solutions that can help you manage the assessment process. Osano Assessments provides ready-to-use templates, automates associated workflows, reduces the risk of human error, and centralizes your assessments along with all the other compliance functions you need to complete.
Make sure your notices, policies, and terms are comprehensive and explain what data you collect and why. Don’t forget to make them easy to understand for children who may access your services.
The entire process may sound complicated at first, but it doesn’t have to be. The Osano Platform simplifies and streamlines your compliance activities, so you can have more time to dedicate to the niche requirements of laws like CAADCA. Schedule a demo today.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”