Authors: Scott Hall and Bina Patel
Key Takeaways
- The Children’s Data Privacy Act (AB 1949) would require businesses to obtain affirmative authorization to collect, use or disclose personal data of children under 18 in California.
- Businesses should focus on understanding what data from children they may be collecting through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of children’s data.
Despite a court ruling late last year that blocked the California Age Appropriate Design Code Act (CAADCA) from going into effect in 2024, as scheduled, California’s Attorney General Rob Bonta is pressing forward with an amendment to the California Consumer Privacy Act (CCPA) aimed at protecting children’s data.
The Children’s Data Privacy Act (AB 1949), a bill introduced on January 29, 2024, would further amend the CCPA to prohibit businesses from collecting personal data of individuals under the age of 18, unless they receive affirmative authorization (i.e., opt-in consent) to do so. For individuals under the age of 13, the affirmative authorization must come from the parent. Specifically, the proposed amendment states that “a business shall not collect the personal information of a consumer less than 18 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 18 years of age, or the consumer’s parent or guardian, in the case of a consumer less than 13 years of age, has affirmatively authorized the collection of the consumer’s personal information.” (Proposed amendment to Cal. Civil Code § 1798.100(g).) The bill authorizes the Office of the Attorney General to enforce the law and seek injunctive relief, damages, or civil penalties of up to $5,000 per violation.
AB 1949 represents a significant change to the CCPA. The law currently only prohibits the selling or sharing (for cross-context behavioral advertising purposes) of minor’s data without affirmative opt-in consent and does not prohibit the collection of such data without informed consent. Notably, the changes proposed by AB 1949 will allow California to align its privacy law and increased focus on the protection of children’s data with the vast majority of other states. When the CCPA initially went into effect in January 2020, it was the first comprehensive state privacy law in the nation and blazed the trail for many other state laws that have followed in recent years. However, unlike the CCPA, the majority of other states that have passed privacy laws subsequent to the CCPA have defined “sensitive information” to include the data of minors and have required affirmative opt-in consent prior to collecting or processing sensitive information of minors. The proposed amendment would make California’s data collection requirements consistent with the majority of other states.
Beyond restricting collection of minor data, AB 1949 also proposes amendments to the CCPA to prohibit the “use or disclos[ure]” of the personal information of minors without affirmative consent by the consumer or guardian. (Proposed amendment to Cal. Civil Code § 1798.121(e)). The law would also require – on or before July 1, 2025 – the California Privacy Protection Agency to issue regulations to establish technical specifications for an opt-out preference signal that allows a consumer (or a parent or guardian) to specify that the consumer is less than 13 years of age or less than 18 years of age, and to establish regulations regarding age verification and when a business must treat a consumer as being less than 13 or 18 years of age for purposes of the CCPA. (Proposed amendment to Cal. Civil Code § 1798.185(e).)
Admittedly, AB 1949 is not as comprehensive as CAADCA, which would require businesses to perform data protection impact assessments upon request from the Attorney General for products or services “likely to be accessed by children,” as well as implement stricter default privacy settings and terms. Even so, AB 1949 is an important step towards greater privacy protection for children and will make the patchwork of standards regarding children’s data collection and use more consistent across the country.
Having said that, CAADCA is still alive and, while the legal challenge continues, businesses may eventually have to deal with that stricter law or some modified version of it. To learn more about the requirements of CAADCA, see our prior article. Until then, given that AB 1949 will likely be enacted to put California on equal footing with other state privacy laws, businesses should focus on understanding whether and what data from minors may be collected through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of minor data.
Please contact the Coblentz Data Privacy Team with any questions about AB 1949 or other privacy issues.