Three Broad-Reaching Age-Appropriate Design Code Acts Are in Play Now: Are You Ready?

Today, we are discussing Maryland’s “Kids Code” (effective Oct. 1, 2024), Connecticut’s amendment to the CDPA that addresses minor data (effective Oct. 1, 2024), and parts of the California’s Age-Appropriate Design Code Act (“CAADCA”) (effective July 1, 2024).

In case you missed it: In August, the Ninth Circuit partially vacated the preliminary injunction on the CAADCA, which was put in place after a constitutional challenge brought by NetChoice LLC, a technology trade group. The panel affirmed the injunction in part, finding that NetChoice would likely succeed in proving that the law’s Data Protection Impact Assessment (DPIA) requirement to assess and mitigate the potential harms to children online violates the First Amendment by requiring businesses to censor online material available to children. As for the rest of the CAADCA, the court refused to uphold the injunction and remanded the case to the district court to reassess the constitutionality of the remaining provisions, which means those remaining provisions are in effect unless and until the court finds otherwise (although we note that enforcement is less likely until the court rules). In light of this procedural posture, we have included key CAADCA provisions in our analysis below.

Each of these statutes apply to users who are younger than 18 – a significant change from the regulation of data collection from users younger than 13 under the Childrens Online Privacy Protection Act (“COPPA”).

These laws are broad and will impact a wide variety of companies, including many that consider themselves general audience.  Compliance will take careful planning, product development, and implementation, so the compliance process should begin now. 

Below are five things you should be thinking about right now.

#1: Do you know the makeup of your audience and what portion of your users are younger than 18?

If your website, app, or a feature of them is clearly directed toward users younger than 18 (“Minors”), then you already know that these laws may be relevant to you.

If your business is not directed to Minors, you may be tempted to consider this legislation out of scope, but do not click away just yet! How likely are Minors to access your services anyway? These laws may apply in some unexpected circumstances.

To briefly illustrate: who recalls the charmingly named “attractive nuisance” doctrine? You know: the property-law principle that creates a duty of care for owners whose property has a feature that is interesting and alluring to children, such that those children are enticed to enter the property?

Well, there are some parallels between the “attractive nuisance” doctrine and these design laws. Case in point, Maryland states: “[c]hildren should be afforded protections not only by online products and services specifically directed at them, but by all online products they are likely to access.” (California’s law includes a similar declaration.) Even if you are not specifically inviting Minors to use your online services, they may be interested in using them, and as a result you may have additional duties to keep them safe under these laws.

So, some more specific questions are:

  • Do you have actual knowledge that some of your users are younger than 18? (CT)

  • Are your online services (reasonably) likely to be accessed by users younger than 18? (MD & CA) Namely:

    • Do Minors make up a “significant amount” of your audience – based on either your own research or reliable third-party evidence?  

    • Does any part of your service include ads that are directed to or content that is appealing to Minors?

    • Do you consider any part of your target audience to be younger than 18? Have you ever determined that your online service might be considered “directed to children” under the Children’s Online Privacy Protection Act (COPPA) – even if ultimately they were not your primary intended audience?

    • Among your competitors operating substantially similar services, do you know of any evidence indicating that a significant percentage of a competitor’s audience is comprised of Minors?  

    • Do you know (or should you know) that any of your users are Minors? (MD only)

 If you answered “yes” or “maybe,” then keep reading.

#2: Are your posted policies kid-friendly? And are you enforcing them?

Both California and Maryland require that online policies (e.g., privacy policy, terms of use, community standards) use “clear language suited to the age of children likely to access” the online services. That means your policies need to be clearly understandable, and impenetrable legalese needs to be explained in lay terms that make sense to children.

Additionally, California specifically requires that companies actively enforce their kid-friendly privacy policies. (For example, community standards or an “Acceptable Use Policy” regarding user-generated content would need to be enforced in CA – though the law is unclear on how much monitoring would be required and how much discretion could be applied for a policy to count as having been “enforced.”)

#3: Have you recently assessed your online services for Dark Patterns? What about Auto-Play?

Much like many US state consumer privacy laws, both California and Maryland expressly prohibit the use of dark patterns with respect to privacy protections – but also more broadly prohibit leading or encouraging Minors to take any action that you know, or have reason to know, “is materially detrimental to the child's physical health, mental health, or well-being” (CA) or using dark patterns to take any action you know or have reason to know “is not in the best interests of children who access or are reasonably likely to access the online product” (MD).

Specifically, Connecticut prohibits companies subject to its design code from using any “system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature,” which could apply to common features such as auto-play. Maryland also gets at this issue in its DPIA requirements, instructing businesses to determine whether their online services use, “system design features to increase, sustain, or extend the use of the online product, including the automatic playing of media, rewards for time spent, and notifications” which could lead to enumerated types of harm.

#4: Are you ready to conduct an internal Data Protection (Impact) Assessment?

While a similar requirement was enjoined in California, both Maryland and Connecticut require companies subject to their design codes to conduct an assessment to, among other things, identify the purpose of their online service(s), report on how Minors’ data is used, and detail the possible harm(s) that could come to Minors based on various factors and practices. Both states require steps to mitigate potential harm(s), continued documentation, and record-keeping.

#5: Are you prioritizing data minimization and purpose limitation?

All three of these laws include data minimization and purpose limitations requirements. For example, California prohibits precise geolocation data collection by default except where strictly necessary, and then, only for the limited time that collection is strictly necessary and with “an obvious sign” to the Minor for the duration of collection. Connecticut and Maryland have similar geolocation data requirements. In addition, Connecticut prohibits processing a Minor’s personal data for targeted advertising, sale, or profiling unless consent is first obtained, and Maryland requires that businesses configure their default settings to the highest privacy settings (which arguably must include data minimization techniques), and prohibits profiling unless the business has “appropriate safeguards in place to ensure that profiling is consistent with the best interests of children who access or are reasonably likely to access” the online service or it is “necessary to provide the requested online product, and is done only with respect to the aspects of the online product that the child is actively and knowingly engaged with…”.

Wrap Up

While this article hits the highlights, there are many nuances to work through in these laws.

In the fast-evolving world of privacy laws applicable to users younger than 18, you do not want to ignore these design laws. It is essential for all companies to determine if they may apply to any or all of its online products or services and, if so, to start getting into compliance as soon as possible. 

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.

Justine Young Gottshall & Sophia Allenonline services, COPPA