In addition to the numerous comprehensive privacy laws that have been proposed in at least 20 states thus far in 2023, legislative trends demonstrate an emerging focus on regulations that address specific types of information, including the personal information of children. To date, 19 such proposals have emerged across 15 states. Each of these bills imposes new requirements for the processing of children’s information, across online services, products, features, and social media platforms. These proposals both emulate and build upon existing requirements. Companies that process the personal information of children in the ordinary course of business (including children under the age of 18) should be aware of these proposals and how they may impact their business operations.
Other than the Children’s Online Privacy Protection Act (COPPA, which regulates the collection of personal information of children under the age of 13), there is no uniform approach to regulating the processing of children’s data. This is leading to a patchwork of requirements and proposals at the state level. The California Privacy Rights Act (CPRA), for example, creates specific requirements relating to the “selling” or “sharing” of personal information of children under the age of 16. Other states, such as Colorado and Connecticut, are regulating the processing of personal data from a known child as “sensitive” data that is subject to special processing requirements under their comprehensive privacy laws (though both laws also have some form of an exemption for data that is processed pursuant to COPPA).
On September 15, 2022, California became the first state to pass a law that will regulate the online activities of all children under the age of 18. California’s Age Appropriate Design Code (the “Design Act”) imposes additional compliance requirements for companies that offer their products and services to children, including data privacy provisions that go beyond those which companies already had to comply with under COPPA and the comprehensive state privacy laws. Specifically, the Design Act requires online services, features, or product operators to proactively consider children’s best interest at the design stage of production. The enactment of the Design Act represented an important legislative development and foreshadowed that a “California Effect” may drive other legislative bodies to consider enacting their own legislative scheme (similar to how the California Consumer Privacy Act inspired other states to consider their own privacy legislation). Further, it signaled to companies covered under the Design Act to consider expanding new compliance structures beyond California residents.
Although most provisions of the Design Act do not go into effect until 2024, the law has already sparked numerous copycat bills in state legislatures across the country. Much like the Design Act, these are standalone bills that regulate specific issues related to children’s interactions with online services and social media platforms, including in relation to the processing of personal information. Companies, particularly online service providers and social media platform operators, should be attentive to these emerging standalone regulatory schemes as most impose new requirements for regulatory compliance—such as additional disclosures for child users, data protection impact assessment obligations, and age verification requirements. Further, most bills give rise to monetary liability for violations, including civil penalties, administrative fees, and the potential for class action lawsuits.
In this alert, we offer a few key takeaways at the outset and provide a detailed breakdown of the bills that have been introduced in the 2023 legislative session. We are happy to answer any questions you may have on these issues.