California curbs big tech with child data privacy bill

Governor of California Gavin Newsom signed a new bill into law on Thursday, that will work to bind social media firms to a series of data protection agreements pertaining to minors.

The bipartisan bill, titled AB2273, will bring into effect the California Age Appropriate Design Code Act (CAADCA). This legislates against the collection, selling or retaining of children’s personal information without the company attempting to do so having provided a persuasive reason that said activity is in the best interests of the children involved.

Social media firms will also be required to provide children on their platforms with accounts set to the highest available privacy level, in order to provide children with data protection by design. Additionally, terms of service, privacy policies and other such notices will be required to be provided in what the bill defines as “clear language suited to the age of children likely to access that online service, product, or feature.”

Tech companies will have until July 1 2024 to ensure that they are compliant with the bill’s data protection requirements, and will be required in advance to conduct a data protection impact assessment (DPIA) for any service that a child can access. Those that negligently violate the legislation could face a fine of up to $2,500 per affected child, or up to $7,500 per affected child in the case of intentional violation.

Unlike the EU and UK, which have legislation such as General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) respectively, the USA lacks federal data protection laws. As a result, the privacy legislation and precedent that firms must follow varies state-by-state.

However, given the importance of California within the US as a tech hub, as well as the relative strictness of its privacy and consumer protection laws, it is often regarded as a data protection beacon that other states follow. In 2020, the California Consumer Privacy Act (CCPA) was brought into effect, giving Californian consumers the right to know what data is being collected about them, and to opt out of data collection and request deletion at any time.

The CCPA also sets out a broad definition of personal information, including data that can uniquely identify an individual, biometric information, geolocation, or any “inferences” drawn from data within the definition to create a profile on a consumer’s individual needs or behaviour. The final category impacts upon AdTech practice most directly.

The CAADCA will also force social media firms to explain the necessity and safety of systems such as their recommendation algorithms, stating that DPIAs undertaken by firms in line with the legislation need to question “whether algorithms used by the online product, service, or feature could harm children.” Some legislators in the UK have been similarly concerned, and earlier this year a group of watchdogs assessing algorithms were announced.

The UK government’s proposed Online Safety Bill includes several clauses that address the use of algorithms, both in regards to their use in spreading disinformation and the risks that they present to children’s safety. However, this bill is currently ‘on ice’, and has not been re-introduced to parliament since new PM Liz Truss announced plans to amend the bill to prioritise free speech.

“We’re taking aggressive action in California to protect the health and wellbeing of our kids,” said Newsom, in a statement to the press.

“As a father of four, I’m familiar with the real issues our children are experiencing online, and I’m thankful to Assembly members Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first.”