California set to enact sweeping new restrictions on online services with users under 18 | Hogan Lovells
Context and main provisions
Supporters of AB 2273 argue that the bill is necessary for the safety and privacy of children. Importantly, the bill would prohibit companies from using children’s data in a way that the company knows or has reason to know “is materially harmful to the physical health, mental health or well-being of a child”.
The bill would also impose specific requirements on businesses, including:
- Data minimization – companies must limit the collection, sharing, sale and retention of children’s data, unless they can demonstrate a compelling reason that the processing is in the “best interests” of the child;
- Risk assessments – companies must assess, document and mitigate the risks of material harm to children;
- High privacy settings – default privacy settings for users under 18 must offer a “high level of privacy” (unless the company can demonstrate a compelling reason that a different setting is in the best interests of children );
- Revised Online Reviews – privacy notices and similar online notices must use age-appropriate language for children who may access the service; and
- Reporting rights and tools – Companies should provide tools for children and parents/guardians to exercise their right to privacy and report concerns.
The Attorney General can also pass regulations to clarify these requirements, and a new Children’s Data Protection Task Force will recommend best practices for companies implementing the bill’s provisions.
AB 2273 could create significant compliance challenges in its search for additional protections for children. For example, the bill’s “viewable by children” standard goes beyond COPPA’s “directed at children” standard. Under the current framework, COPPA requirements only apply to online services where a company actually knows the user is under 13 or if service offerings are “directed” to children by the bias of factors such as marketing, graphics or music that appeal to children.
Under AB 2273, companies must now also determine whether “a significant number of children” regularly access the service (or substantially similar services) “based on competent and reliable evidence regarding the composition of the hearing”. The law would also require companies to estimate the age of users under 18 “with a reasonable level of certainty”. Compliance with these provisions could require the collection of even more data on children and make understanding the applicability of the law a moving target for companies.
Violations of AB 2273 may result in injunctive or civil penalties against businesses up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation. Businesses that substantially comply with the data protection impact assessment requirements may, however, benefit from a 90-day processing period. AB 2273 also expressly prohibits a private right of action.
If passed, California’s AADC could further complicate compliance efforts for companies operating across the country. As with the California Consumer Privacy Act (CCPA), other state legislatures may look to California as a model for similar protections, creating another patchwork of potentially inconsistent state laws.
The effort comes as the US Senate considers the Kids Online Safety Act (S. 3663), similar legislation that also involves potential state preemption. But as with California’s opposition to the pre-emption provisions of the US Privacy and Data Protection Act (HR 8152), efforts to pre-empt state rules can result in significant backsliding, particularly because that the California Privacy Protection Agency would be responsible for enforcing AB 2273.
The bill is now eligible for a full Senate vote. Because the Senate and Assembly versions of AB 2273 differ, the Assembly (the original house of AB 2273) must accept the Senate amendments. If the Assembly agrees, the bill will go to Governor Newsom for signature. If the Assembly disagrees, the bill will go to a conference committee to negotiate and reconcile the differences between the two versions. If they agree on a single version, it will come back to both floors for approval, then to the Governor for signature.
If passed, the bill will come into force on July 1, 2024.