California Enacts the California Age-Appropriate Design Code Act

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

The Act is modeled on the UK’s Age-Appropriate Design Code. The Act applies to businesses that provide an online service, product or feature “likely to be accessed by children” under the age of 18 (“covered businesses”). An online service, product or feature is “likely to be accessed by children” based on certain indicators, including whether:

• It is “directed to children,” as defined by the federal Children’s Online Privacy Protection Act (“COPPA”);
• It is determined to be routinely accessed by a significant number of children (based on competent and reliable evidence regarding audience composition);
• It has advertisements marketed to children;
• It is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children;
• It has design elements that are known to be of interest to children (including, but not limited to, games, cartoons, music, and celebrities who appeal to children); or
• A significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.

The “likely to be accessed by children” standard is much broader than COPPA, which applies to operators of websites or online services that (1) are either directed to children or (2) have actual knowledge are collecting personal information from children online. The Act also defines “child” more broadly; COPPA defines “child” as an individual under the age of 13, while the Act defines “child” as a consumer who is under the age of 18. Additionally, the Act imposes a number of requirements on covered businesses that are not included under COPPA.

New York Legislature Considers New York Child Data Privacy and Protection Act

On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the “New York Child Data Privacy and Protection Act.” The bill, which resembles the recently passed California Age-Appropriate Design Code Act, bans certain data collection and targeted advertising and requires data controllers to, among other obligations, assess the impact of their products on children.

The bill would impose obligations and restrictions related to the processing of “personal data,” which broadly includes “information that identifies, relates to, describes or is reasonably linked to a particular child user.” “Child user” is defined as a consumer under 18 years of age that accesses an online product with a device. Notably, the bill would not exclude pseudonymized data from its requirements. Key bill requirements include the following:



• Entities offering an online product targeted to child users in New York (“Covered Entities”) would be required to complete and submit to the New York Bureau of Internet and Technology (“Bureau”) a data protection impact assessment before the product could be made available to the public. After receiving initial approval for the online product, Covered Entities would be required to submit annual data impact assessments to the Bureau.