1
© 2023 TrustArc Inc. Proprietary and Confidential Information.
The California Age-Appropriate Design Code Act:
Navigating the New Requirements for Child Privacy
2
Speakers
Joanne B. Furtsch
Director
Privacy Intelligence, Development,
TrustArc
Cody Venzke
Senior Policy Counsel
Surveillance, Privacy, Technology,
ACLU
Hailun Ying
Senior Lead Counsel, Privacy
Roblox
3
Agenda
▪ Review of current trends and why this matters
▪ An overview of CA ADCA bill, its key provisions, and implementation
timelines
▪ A comparison between CA ADCA and the UK’s AADC
▪ A tour of what is happening at the US State and Federal level
▪ What steps you need to take to get into compliance with CA ADCA
▪ Q&A throughout
4
Legal Disclaimer
The information provided during this webinar does not,
and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented
during this webinar are for general informational purposes only.
Anything discussed in the webinar is the speaker's
opinion and does not represent that of their employer.
5
Why does this matter?
● Increasing regulatory scrutiny
● More children’s privacy regulations at the state level
● Expanded scope of laws protecting minors online
● New protections cover minors age 13-17.
6
Current Trends
● Children’s information is seen as particularly sensitive
● Increasing concerns to protect children and teens
● Greater regulatory scrutiny of large online platforms
● Limit monetization of information collected from
children
● Extended reach of child protection requirements
● Increased legislative activity at the US state level
7
What Happens Next?
● Sept 2, 2020: UK AADC in force
● Sept 2, 2021: Companies expected to comply with UK AADC
● May 17, 2023: Montana governor signs law banning TikTok from being offered in app stores within the state
● Sept 1, 2023: Arkansas Social Media Safety Act goes into effect
● Jan 1, 2024: Montana TikTok ban goes into effect
● March 1, 2024: Utah Social Media Regulation Act goes into effect (3 laws now)
● July 1, 2024: CA ADCA goes into effect
8
What is the California Age-Appropriate Design Code Act
(CA ADCA)?
● Modeled after the UK Age Appropriate Design Code
● Goes into effect July 2024
● Applies to businesses that provide online products, services, or features that are likely to be accessed by
children (defined as any individual under age 18).
● Key provisions
○ High level of privacy by default (with exceptions)
○ Clear and concise privacy statements, terms of service, and community standards
○ Estimate the age of child users with a reasonable level of certainty
○ Provide signals if monitoring usage
○ Provide prominent, accessible, and responsive tools to help children (or parents/guardians)
exercise privacy rights
○ Conduct impact assessments (DPIAs)
Quick Overview
9
How Did We Get To the CA ADCA?
Started with the UK
Quick Overview of UK Age Appropriate Design Code (AADC)
● Applies to relevant information society services which are likely to be accessed by
children.
● Child is defined as an individual under age 18
● In force since September 2, 2020, requiring businesses to be in compliance by September
2, 2021
● Includes 15 standards for safeguarding children’s privacy
● Designed to work with UK GDPR. If not in compliance with the Code, it will be difficult to
demonstrate compliance with UK GDPR
10
Differences between the CA ADCA and UK AADC
| | CA ADCA | UK AADC |
| --- | --- | --- |
| Regulatory Framework | CA ADCA is a standalone law that is independently enforced. | UK AADC works together with GDPR. |
| Best Interests of the Child/Best Interests of Children | Used in exemptions to default privacy settings and legislative findings. UN convention not recognized in the US making the CA ADCA reference unclear | Based on the UN Convention on the Rights of the Child |
| Default Privacy Settings | CA ADCA has an exception for when the highest level of privacy is the default setting | UK AADC does not include an exception |
| Conducting DPIAs | A timeline for providing DPIAs upon request is codified for CA ADCA. | The UK AADC only requires DPIAs be available upon request. |
| Age Assurance | CA ADCA does include what risk to consider when balancing data minimization against age assurance | Take a risk-based approach to recognize the age of individuals to apply the UK AADC or apply the code to all individuals |
11
What is Happening in Other States
● Privacy Bills
○ Enacted Legislation — CA, IA, TN, TX
○ Bills Introduced — KY
● Age Appropriate Design Codes
○ Enacted — CA, FL
○ Introduced — IL, MA, MN, NM, NJ, NV, NY, OR, TX
● Social Media Age Minimums and Parental
Consent Requirements
○ Enacted — AR, UT
○ Introduced — CT, KS, LA, MN, NC, NJ, SC, TX
● Addictive Design Bills
○ Enacted — UT
○ Introduced — CA, TX
12
COPPA 2.0
● Reintroduced COPPA 2.0 bill in the US Senate early May 2023
● Extends COPPA protections to teens
● Key Provisions
○ Require consent of teens aged 13-16 prior to collecting their
personal information
○ Ban targeted advertising to children and minors
○ Expand the scope of online services covered under the law by
replacing the “actual knowledge” standard with the “reasonably
likely to be used” standard (similar to CA ADCA and UK AADC)
○ Create an Eraser button (similar to GDPR RTBF) for all users to
eliminate personal information submitted by the user about
children and minors when technologically feasible
○ Establish a Digital Marketing Bill of Rights for teens to limit the
collection of personal information
○ Establish the Youth Marketing and Privacy Division at the FTC
13
Kids Online Safety Act
● Introduced in the US Senate in early May 2023
● Creates online tools for minors and parents and imposes
obligations on “covered platforms” that are “likely to be used” by
minors
● “Covered platforms” are social media, video games, educational
games, messaging applications, video streaming services, and
“online platforms”
● Key Provisions
○ Imposes a duty of care on “covered platforms” to mitigate certain harms
like addiction, mental health disorders, and anxiety
○ Provide minors options to protect their information, disable addictive
features, and opt-out of algorithmic recommendations
○ Provides parents with tools to view or change minors’ account settings
○ Strongest settings to be enabled by default
○ Requires social media platforms to conduct annual independent audits to
assess risks to minors, compliance with the Act, and how they are
mitigating those risks
○ Provides academia and public interest organizations with access to social
media platform data sets to research harms to the safety and well-being
of minors
14
Actions to take now to comply with CA ADCA
Actions to take now
● Assess whether children will be visiting your online services
● Estimate the age of child users accessing your online services
○ Understand how well you know the users of your online
services.
○ Use a risk-based approach
● Leverage UK ICO’s guidance on how to comply with the UK
AADC as a starting point
● Determine which DPIAs need to be completed before July 2024
○ Assess features for dark patterns
○ Use of real-time geo-location
○ Automated processing
15
How TrustArc Can Help
16
Q&A
17
Thank You!
See http://www.trustarc.com/insightseries for the 2023
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with privacy and
data security compliance, please reach out to sales@trustarc.com for a free demo.
