Amended IN Assembly April 26, 2022

CALIFORNIA LEGISLATURE 2021–2022 REGULAR SESSION

Assembly Bill No. 2273

Introduced by Assembly Members Wicks and Cunningham Wicks, Cunningham, and Petrie-Norris
(Coauthors: Senators Allen and Newman)

February 16, 2022

An act to add Title 1.81.46 (commencing with Section 1798.99.28) to Part 4 of Division 3 of the Civil Code, relating to consumer privacy.

## LEGISLATIVE COUNSEL'S DIGEST

AB 2273, as amended, Wicks. The California Age-Appropriate Design Code Act.

(1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumer's rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer.

Existing law, the Parent's Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty.

Commencing This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, this bill would require a business that creates goods, services, or product features provides an online service, product, or feature likely to be accessed by children a child to comply with specified standards, including considering the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product that online service, product, or feature. The bill would prohibit a business that provides a good, service, or product an online service, product, or feature likely to be accessed by children a child from taking proscribed action, such as collecting or using data it collects on consumers who are children. including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected.

This bill would require the agency California Privacy Protection Agency to establish and convene the California Children's Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agency's board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and children's rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying goods, services, and product online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations and publish guidelines, regulations, as necessary.

This bill would state the intent of the Legislature to subsequently create legislation to enforce this title.

(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

## Digest Key

Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO

## Bill Text

The people of the State of California do enact as follows:

SECTION 1.
(a) The Legislature hereby finds and declares all of the following:

(1) The United Nations Convention on the Rights of the Child recognizes that children need special safeguards and care in all aspects of their lives.

(2) As children spend more of their time interacting with the digital online world, the impact of the design of digital online products and services on children's well-being has become a focus of significant concern.

(3) There is bipartisan agreement at the international level, in both the United States and in the State of California, that more needs to be done to create a safer online space for children to learn, explore, and play.

(4) Lawmakers around the globe have taken steps to enhance privacy protections for children on the understanding that, in relation to data protection, greater privacy necessarily means greater security and well-being.

(5) Children should be afforded protections not only by digital online products and services specifically directed at them, but by all digital online products and services they are likely to access.

(6) In 2019, 81 percent of voters said they wanted to prohibit companies from collecting personal information about children without parental consent, and a 2018 poll of Californian parents and teens found that only 36 percent of teenagers and 32 percent of parents say that social networking internet websites do a good job explaining what they do with users' data.

(7) While it is clear that the same data protection regime may not be appropriate for children of all ages, children of all ages should nonetheless be afforded privacy and protection, and digital online products and services should adopt data protection regimes appropriate for children of the ages likely to access those products and services.

(8) Products and services that are likely to be accessed by children should offer high strong privacy protections by design and by default. default, including by disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children, to offer detrimental material.

(9) Ensuring robust privacy protections for children by design is consistent with the intent of the Legislature in passing the California Consumer Privacy Act of 2018, and with the intent of the people of the State of California in passing the California Privacy Rights Act of 2020, which finds and declares that children are particularly vulnerable from a negotiating perspective with respect to their privacy rights.

(b) Therefore, it is the intent of the Legislature to promote privacy protections for children pursuant to the California Age-Appropriate Design Code Act.

SEC. 2. Title 1.81.46 (commencing with Section 1798.99.30) is added to Part 4 of Division 3 of the Civil Code, immediately following Title 1.81.45, to read:

SEC. 2. Title 1.81.46 (commencing with Section 1798.99.28) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.46. The California Age-Appropriate Design Code Act

1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.

1798.99.29. The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:

(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.

(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.

1798.99.30.
For (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.

(b) For the purposes of this title, the following terms apply:

(a)(1) "Agency" means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.

(b)(2) "Board" means the agency's board, as established in Section 1798.199.10.

(c)(3) "Child" or "children," unless otherwise specified, mean a consumer or consumers who is under 18 years of age.

(d) "Dark pattern" has the same meaning as defined in subdivision (l) of Section 1798.140.

(e)(4) "Data Protection Impact Assessment" means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the good, service, or product service, product, or feature at issue that arises from the provision of that good, service, or product service, product, or feature in accordance with specifications promulgated by the California Children's Data Protection Taskforce established pursuant to Section 1798.99.32.

(5) "Default" means a preselected option adopted by the business for the online service, product, or feature.

(f)(6) "Likely to be accessed by a child" means it is reasonable to expect, based on the known audience, the nature of the content, the associated marketing, or the online context, or academic or internal research, that the good, service, or product feature is more likely than not to service, product, or feature would be accessed by children.

(g) "Personal information" has the same meaning as defined in subdivision (v) of Section 1798.140.

(h) "Sensitive personal information" has the same meaning as defined in subdivision (ae) of Section 1798.140.

(i)(7) "Taskforce" means the California Children's Data Protection Taskforce as established by Section 1798.99.32.

1798.99.31.
(a) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall comply with all of the following:

(1) Consider the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, and, when in conflict with commercial interests, design, develop, and provide that good, service, or product feature in the manner that prioritizes the privacy, safety, and well-being of children.

(2)(1) Undertake a Data Protection Impact Assessment for any good, service, or product online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the good, service, or product online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.

(3)(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.

(4) Maintain the highest level of privacy possible for children by default, including, but not limited to, disabling profiling, unless the business can demonstrate a compelling reason that a different default setting is in the best interests of children likely to access that good, service, or product feature.

(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.

(5)(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product online service, product, or feature.

(6)(5) If the good, service, or product online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.

(7) Universally uphold (6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.

(8)(7) Provide prominent, accessible, and responsive tools to help children children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.

(b) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:

(1) Use the personal information of any child in a way that is demonstrably harmful the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.

(2) Profile a child by default.

(2) Collect and (3) Collect, sell, share, or retain any personal information that is not necessary to provide a good, service, or product a service, product, or feature with which a child is actively and knowingly engaged.

(3)(4) If a business does not have actual knowledge of the age of a consumer, it shall neither collect nor not collect, share, sell, or retain any personal information that is not necessary to provide a good, service, or product service, product, or feature with which a consumer is actively and knowingly engaged.

(4)(5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected.
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.

(5)(6) Notwithstanding Section 1798.120, disclose share or sell the personal information of any child unless the business can demonstrate a compelling reason that disclosure of that personal information is in the best interests of the child. the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.

(6) Collect any precise geolocation information by default, unless the business can demonstrate a compelling reason that doing so would be in the best interests of the child.

(7) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.

(7) Collect (8) Collect, sell, or share any precise geolocation information without providing an obvious sign to the consumer child for the duration of that collection that precise geolocation information is being collected.

(8) Collect any sensitive personal information by default, unless the business can demonstrate a compelling reason that the collection of sensitive personal information by default is in the best interests of a child.

(9) Use dark patterns or other techniques to lead or encourage consumers to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that good, service, or product feature, service or product to forego privacy protections, or to otherwise take any action that is demonstrably harmful to the consumer's the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the child's physical health, mental health, or well-being.

(10) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.

(c) This section shall become operative on July 1, 2024.

1798.99.32. (a) The agency shall establish and convene a taskforce, the California Children's Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.

(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children's rights.

(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:

(1) Identifying goods, services, and product online services, products, or features likely to be accessed by children.

(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how to incorporate those interests into those interests may be furthered by the design, development, and implementation of a good, service, or product an online service, product, or feature.

(3) Determining the level of certainty with which it is necessary to establish the age of a consumer appropriate to the risks that arise from the data management practices of a business.

(4) Determining whether a reason is sufficiently compelling to warrant practices that are not consistent with the default setting, data collection, and data disclosure practices prescribed by this title.

(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.

(5)(4) Assessing and mitigating risks to children that arise from the use of a good, service, or product an online service, product, or feature, including specific items for the systematic survey necessary issues businesses must address to perform a Data Protection Impact Assessment.

(6)(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that good, service, or product feature. service or product.

(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations and publish guidelines, regulations, as necessary, to effectuate the purposes of this title in a manner consistent, and to the extent possible, with international frameworks for the protection of the privacy and well-being of children. title.

1798.99.33. It is the intent of the Legislature to create subsequent legislation to enforce this title.

SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
The California Age-Appropriate Design Code Act.(1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumers rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer.Existing law, the Parents Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. 
Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty.Commencing This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, this bill would require a business that creates goods, services, or product features provides an online service, product, or feature likely to be accessed by children a child to comply with specified standards, including considering the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product that online service, product, or feature. The bill would prohibit a business that provides a good, service, or product an online service, product, or feature likely to be accessed by children a child from taking proscribed action, such as collecting or using data it collects on consumers who are children. 
including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected.This bill would require the agency California Privacy Protection Agency to establish and convene the California Childrens Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agencys board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and childrens rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying goods, services, and product online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations and publish guidelines, regulations, as necessary.This bill would state the intent of the Legislature to subsequently create legislation to enforce this title.(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Amended IN Assembly April 26, 2022 Amended IN Assembly April 26, 2022 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 
2273 Introduced by Assembly Members Wicks and Cunningham Wicks, Cunningham, and Petrie-Norris(Coauthors: Senators Allen and Newman)February 16, 2022 Introduced by Assembly Members Wicks and Cunningham Wicks, Cunningham, and Petrie-Norris(Coauthors: Senators Allen and Newman) February 16, 2022 An act to add Title 1.81.46 (commencing with Section 1798.99.28) to Part 4 of Division 3 of the Civil Code, relating to consumer privacy. LEGISLATIVE COUNSEL'S DIGEST ## LEGISLATIVE COUNSEL'S DIGEST AB 2273, as amended, Wicks. The California Age-Appropriate Design Code Act. (1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumers rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer.Existing law, the Parents Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. 
Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty.Commencing This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, this bill would require a business that creates goods, services, or product features provides an online service, product, or feature likely to be accessed by children a child to comply with specified standards, including considering the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product that online service, product, or feature. The bill would prohibit a business that provides a good, service, or product an online service, product, or feature likely to be accessed by children a child from taking proscribed action, such as collecting or using data it collects on consumers who are children. 
including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected.This bill would require the agency California Privacy Protection Agency to establish and convene the California Childrens Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agencys board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and childrens rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying goods, services, and product online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations and publish guidelines, regulations, as necessary.This bill would state the intent of the Legislature to subsequently create legislation to enforce this title.(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. (1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. 
Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumers rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer. Existing law, the Parents Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty. 
Commencing This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, this bill would require a business that creates goods, services, or product features provides an online service, product, or feature likely to be accessed by children a child to comply with specified standards, including considering the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product that online service, product, or feature. The bill would prohibit a business that provides a good, service, or product an online service, product, or feature likely to be accessed by children a child from taking proscribed action, such as collecting or using data it collects on consumers who are children. including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected. This bill would require the agency California Privacy Protection Agency to establish and convene the California Childrens Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agencys board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and childrens rights. 
The bill would require the taskforce to make prescribed recommendations on best practices, including identifying goods, services, and product online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations and publish guidelines, regulations, as necessary. This bill would state the intent of the Legislature to subsequently create legislation to enforce this title.

(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

## Digest Key

## Bill Text

The people of the State of California do enact as follows:

SECTION 1. (a) The Legislature hereby finds and declares all of the following:

(1) The United Nations Convention on the Rights of the Child recognizes that children need special safeguards and care in all aspects of their lives.

(2) As children spend more of their time interacting with the digital online world, the impact of the design of digital online products and services on children's well-being has become a focus of significant concern.

(3) There is bipartisan agreement at the international level, in both the United States and in the State of California, that more needs to be done to create a safer online space for children to learn, explore, and play.

(4) Lawmakers around the globe have taken steps to enhance privacy protections for children on the understanding that, in relation to data protection, greater privacy necessarily means greater security and well-being.

(5) Children should be afforded protections not only by digital online products and services specifically directed at them, but by all digital online products and services they are likely to access.

(6) In 2019, 81 percent
of voters said they wanted to prohibit companies from collecting personal information about children without parental consent, and a 2018 poll of Californian parents and teens found that only 36 percent of teenagers and 32 percent of parents say that social networking internet websites do a good job explaining what they do with users' data.

(7) While it is clear that the same data protection regime may not be appropriate for children of all ages, children of all ages should nonetheless be afforded privacy and protection, and digital online products and services should adopt data protection regimes appropriate for children of the ages likely to access those products and services.

(8) Products and services that are likely to be accessed by children should offer high strong privacy protections by design and by default. default, including by disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children, to offer detrimental material.

(9) Ensuring robust privacy protections for children by design is consistent with the intent of the Legislature in passing the California Consumer Privacy Act of 2018, and with the intent of the people of the State of California in passing the California Privacy Rights Act of 2020, which finds and declares that children are particularly vulnerable from a negotiating perspective with respect to their privacy rights.

(b) Therefore, it is the intent of the Legislature to promote privacy protections for children pursuant to the California Age-Appropriate Design Code Act.

SEC. 2. Title 1.81.46 (commencing with Section 1798.99.30) is added to Part 4 of Division 3 of the Civil Code, immediately following Title 1.81.45, to read: SEC. 2. Title 1.81.46 (commencing with Section 1798.99.28) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.46. The California Age-Appropriate Design Code Act

1798.99.28.
This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.

1798.99.29. The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:

(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.

(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.

1798.99.30. For (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.

(b) For the purposes of this title, the following terms apply:

(a)(1) "Agency" means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.

(b)(2) "Board" means the agency's board, as established in Section 1798.199.10.
(c)(3) "Child" or "children," unless otherwise specified, mean a consumer or consumers who is under 18 years of age.

(d) "Dark pattern" has the same meaning as defined in subdivision (l) of Section 1798.140.

(e)(4) "Data Protection Impact Assessment" means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the good, service, or product service, product, or feature at issue that arises from the provision of that good, service, or product service, product, or feature in accordance with specifications promulgated by the California Children's Data Protection Taskforce established pursuant to Section 1798.99.32.

(5) "Default" means a preselected option adopted by the business for the online service, product, or feature.

(f)(6) "Likely to be accessed by a child" means it is reasonable to expect, based on the known audience, the nature of the content, the associated marketing, or the online context, or academic or internal research, that the good, service, or product feature is more likely than not to service, product, or feature would be accessed by children.

(g) "Personal information" has the same meaning as defined in subdivision (v) of Section 1798.140.

(h) "Sensitive personal information" has the same meaning as defined in subdivision (ae) of Section 1798.140.

(i)(7) "Taskforce" means the California Children's Data Protection Taskforce as established by Section 1798.99.32.

1798.99.31.
(a) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall comply with all of the following:

(1) Consider the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, and, when in conflict with commercial interests, design, develop, and provide that good, service, or product feature in the manner that prioritizes the privacy, safety, and well-being of children.

(2)(1) Undertake a Data Protection Impact Assessment for any good, service, or product online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the good, service, or product online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.

(3)(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.

(4) Maintain the highest level of privacy possible for children by default, including, but not limited to, disabling profiling, unless the business can demonstrate a compelling reason that a different default setting is in the best interests of children likely to access that good, service, or product feature.

(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.

(5)(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or
product online service, product, or feature.

(6)(5) If the good, service, or product online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.

(7) Universally uphold (6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.

(8)(7) Provide prominent, accessible, and responsive tools to help children children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.

(b) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:

(1) Use the personal information of any child in a way that is demonstrably harmful the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.

(2) Profile a child by default.

(2) Collect and (3) Collect, sell, share, or retain any personal information that is not necessary to provide a good, service, or product a service, product, or feature with which a child is actively and knowingly engaged.

(3)(4) If a business does not have actual knowledge of the age of a consumer, it shall neither collect nor not collect, share, sell, or retain any personal information that is not necessary to provide a good, service, or product service, product, or feature with which a consumer is actively and knowingly engaged.

(4)(5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected.
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.

(5)(6) Notwithstanding Section 1798.120, disclose share or sell the personal information of any child unless the business can demonstrate a compelling reason that disclosure of that personal information is in the best interests of the child. the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.

(6) Collect any precise geolocation information by default, unless the business can demonstrate a compelling reason that doing so would be in the best interests of the child.

(7) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.

(7) Collect (8) Collect, sell, or share any precise geolocation information without providing an obvious sign to the consumer child for the duration of that collection that precise geolocation information is being collected.

(8) Collect any sensitive personal information by default, unless the business can demonstrate a compelling reason that the collection of sensitive personal information by default is in the best interests of a child.

(9) Use dark patterns or other techniques to lead or encourage consumers to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that good, service, or product feature, service or product to forego privacy protections, or to otherwise take any action that is demonstrably harmful
to the consumers the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the child's physical health, mental health, or well-being.

(10) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.

(c) This section shall become operative on July 1, 2024.

1798.99.32. (a) The agency shall establish and convene a taskforce, the California Children's Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.

(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children's rights.

(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:

(1) Identifying goods, services, and product online services, products, or features likely to be accessed by children.

(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how to incorporate those interests into those interests may be furthered by the design, development, and implementation of a good, service, or product an online service, product, or feature.

(3) Determining the level of certainty with which it is necessary to establish the age of a consumer appropriate to the risks that arise from the data management practices of a business.

(4) Determining whether a reason is sufficiently compelling to warrant practices that are not consistent with the default
setting, data collection, and data disclosure practices prescribed by this title.

(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.

(5)(4) Assessing and mitigating risks to children that arise from the use of a good, service, or product an online service, product, or feature, including specific items for the systematic survey necessary issues businesses must address to perform a Data Protection Impact Assessment.

(6)(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that good, service, or product feature. service or product.

(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations and publish guidelines, regulations, as necessary, to effectuate the purposes of this title in a manner consistent, and to the extent possible, with international frameworks for the protection of the privacy and well-being of children. title.

1798.99.33. It is the intent of the Legislature to create subsequent legislation to enforce this title.

SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
### SEC. 2.

Title 1.81.46 (commencing with Section 1798.99.28) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.46. The California Age-Appropriate Design Code Act

1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.

1798.99.29.
The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:

(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.

(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.

1798.99.30. For (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.

(b) For the purposes of this title, the following terms apply:

(a)(1) "Agency" means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.

(b)(2) "Board" means the agency's board, as established in Section 1798.199.10.

(c)(3) "Child" or "children," unless otherwise specified, mean a consumer or consumers who is under 18 years of age.

(d)"Dark pattern" has the same meaning as defined in subdivision (l) of Section 1798.140.

(e)(4) "Data Protection Impact Assessment" means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the good, service, or product service, product, or feature at issue that arises from the provision of that good, service, or product service, product, or feature in accordance with specifications promulgated by the California Children's Data Protection Taskforce established pursuant to Section 1798.99.32.

(5) "Default" means a preselected option adopted by the business for the online service, product, or feature.

(f)(6) "Likely to be accessed by a child" means it is reasonable to expect, based on the known audience, the nature of the content, the associated marketing, or the online context, or academic or internal research, that the good, service, or product feature is more likely than not to service, product, or feature would be accessed by children.

(g)"Personal information" has the same meaning as defined in subdivision (v) of Section 1798.140.

(h)"Sensitive personal information" has the same meaning as defined in subdivision (ae) of Section 1798.140.

(i)(7) "Taskforce" means the California Children's Data Protection Taskforce as established by Section 1798.99.32.

1798.99.31.
(a) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall comply with all of the following:

(1)Consider the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, and, when in conflict with commercial interests, design, develop, and provide that good, service, or product feature in the manner that prioritizes the privacy, safety, and well-being of children.

(2)(1) Undertake a Data Protection Impact Assessment for any good, service, or product online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the good, service, or product online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.

(3)(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.

(4)Maintain the highest level of privacy possible for children by default, including, but not limited to, disabling profiling, unless the business can demonstrate a compelling reason that a different default setting is in the best interests of children likely to access that good, service, or product feature.

(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.

(5)(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product online service, product, or feature.

(6)(5) If the good, service, or product online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.

(7)Universally uphold(6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.

(8)(7) Provide prominent, accessible, and responsive tools to help children children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.

(b) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:

(1) Use the personal information of any child in a way that is demonstrably harmful the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.

(2) Profile a child by default.

(2)Collect and(3) Collect, sell, share, or retain any personal information that is not necessary to provide a good, service, or product a service, product, or feature with which a child is actively and knowingly engaged.

(3)(4) If a business does not have actual knowledge of the age of a consumer, it shall neither collect nor not collect, share, sell, or retain any personal information that is not necessary to provide a good, service, or product service, product, or feature with which a consumer is actively and knowingly engaged.

(4)(5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected.
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.(5)(6) Notwithstanding Section 1798.120, disclose share or sell the personal information of any child unless the business can demonstrate a compelling reason that disclosure of that personal information is in the best interests of the child. the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(6)Collect any precise geolocation information by default, unless the business can demonstrate a compelling reason that doing so would be in the best interests of the child.(7) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.(7)Collect(8) Collect, sell, or share any precise geolocation information without providing an obvious sign to the consumer child for the duration of that collection that precise geolocation information is being collected.(8)Collect any sensitive personal information by default, unless the business can demonstrate a compelling reason that the collection of sensitive personal information by default is in the best interests of a child.(9) Use dark patterns or other techniques to lead or encourage consumers to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that good, service, or product feature, service or product to forego privacy protections, or to otherwise take any action that is demonstrably harmful 
to the consumers the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the childs physical health, mental health, or well-being.(10) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.(c) This section shall become operative on July 1, 2024.1798.99.32. (a) The agency shall establish and convene a taskforce, the California Childrens Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and childrens rights.(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:(1) Identifying goods, services, and product online services, products, or features likely to be accessed by children.(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how to incorporate those interests into those interests may be furthered by the design, development, and implementation of a good, service, or product an online service, product, or feature.(3)Determining the level of certainty with which it is necessary to establish the age of a consumer appropriate to the risks that arise from the data management practices of a business.(4)Determining whether a reason is sufficiently compelling to warrant practices that are not consistent with the default 
setting, data collection, and data disclosure practices prescribed by this title. (3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.(5)(4) Assessing and mitigating risks to children that arise from the use of a good, service, or product an online service, product, or feature, including specific items for the systematic survey necessary issues businesses must address to perform a Data Protection Impact Assessment.(6)(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that good, service, or product feature. service or product.(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations and publish guidelines, regulations, as necessary, to effectuate the purposes of this title in a manner consistent, and to the extent possible, with international frameworks for the protection of the privacy and well-being of children. title.1798.99.33.It is the intent of the Legislature to create subsequent legislation to enforce this title. TITLE 1.81.46. The California Age-Appropriate Design Code Act 1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.1798.99.29. 
The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests.1798.99.30. For (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.(b) For the purposes of this title, the following terms apply:(a)(1) Agency means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.(b)(2) Board means the agencys board, as established in Section 1798.199.10. 
(c)(3) Child or children, unless otherwise specified, mean a consumer or consumers who is under 18 years of age.(d)Dark pattern has the same meaning as defined in subdivision (l) of Section 1798.140.(e)(4) Data Protection Impact Assessment means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the good, service, or product service, product, or feature at issue that arises from the provision of that good, service, or product service, product, or feature in accordance with specifications promulgated by the California Childrens Data Protection Taskforce established pursuant to Section 1798.99.32.(5) Default means a preselected option adopted by the business for the online service, product, or feature.(f)(6) Likely to be accessed by a child means it is reasonable to expect, based on the known audience, the nature of the content, the associated marketing, or the online context, or academic or internal research, that the good, service, or product feature is more likely than not to service, product, or feature would be accessed by children.(g)Personal information has the same meaning as defined in subdivision (v) of Section 1798.140.(h)Sensitive personal information has the same meaning as defined in subdivision (ae) of Section 1798.140.(i)(7) Taskforce means the California Childrens Data Protection Taskforce as established by Section 1798.99.32.1798.99.31. 
(a) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall comply with all of the following:(1)Consider the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, and, when in conflict with commercial interests, design, develop, and provide that good, service, or product feature in the manner that prioritizes the privacy, safety, and well-being of children.(2)(1) Undertake a Data Protection Impact Assessment for any good, service, or product online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the good, service, or product online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.(3)(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.(4)Maintain the highest level of privacy possible for children by default, including, but not limited to, disabling profiling, unless the business can demonstrate a compelling reason that a different default setting is in the best interests of children likely to access that good, service, or product feature.(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.(5)(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or 
product online service, product, or feature.(6)(5) If the good, service, or product online service, product, or feature allows the childs parent, guardian, or any other consumer to monitor the childs online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.(7)Universally uphold(6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.(8)(7) Provide prominent, accessible, and responsive tools to help children children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.(b) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:(1) Use the personal information of any child in a way that is demonstrably harmful the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.(2) Profile a child by default.(2)Collect and(3) Collect, sell, share, or retain any personal information that is not necessary to provide a good, service, or product a service, product, or feature with which a child is actively and knowingly engaged.(3)(4) If a business does not have actual knowledge of the age of a consumer, it shall neither collect nor not collect, share, sell, or retain any personal information that is not necessary to provide a good, service, or product service, product, or feature with which a consumer is actively and knowingly engaged.(4)(5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. 
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.(5)(6) Notwithstanding Section 1798.120, disclose share or sell the personal information of any child unless the business can demonstrate a compelling reason that disclosure of that personal information is in the best interests of the child. the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(6)Collect any precise geolocation information by default, unless the business can demonstrate a compelling reason that doing so would be in the best interests of the child.(7) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.(7)Collect(8) Collect, sell, or share any precise geolocation information without providing an obvious sign to the consumer child for the duration of that collection that precise geolocation information is being collected.(8)Collect any sensitive personal information by default, unless the business can demonstrate a compelling reason that the collection of sensitive personal information by default is in the best interests of a child.(9) Use dark patterns or other techniques to lead or encourage consumers to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that good, service, or product feature, service or product to forego privacy protections, or to otherwise take any action that is demonstrably harmful 
to the consumers the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the childs physical health, mental health, or well-being.(10) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.(c) This section shall become operative on July 1, 2024.1798.99.32. (a) The agency shall establish and convene a taskforce, the California Childrens Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and childrens rights.(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:(1) Identifying goods, services, and product online services, products, or features likely to be accessed by children.(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how to incorporate those interests into those interests may be furthered by the design, development, and implementation of a good, service, or product an online service, product, or feature.(3)Determining the level of certainty with which it is necessary to establish the age of a consumer appropriate to the risks that arise from the data management practices of a business.(4)Determining whether a reason is sufficiently compelling to warrant practices that are not consistent with the default 
setting, data collection, and data disclosure practices prescribed by this title. (3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.(5)(4) Assessing and mitigating risks to children that arise from the use of a good, service, or product an online service, product, or feature, including specific items for the systematic survey necessary issues businesses must address to perform a Data Protection Impact Assessment.(6)(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that good, service, or product feature. service or product.(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations and publish guidelines, regulations, as necessary, to effectuate the purposes of this title in a manner consistent, and to the extent possible, with international frameworks for the protection of the privacy and well-being of children. title.1798.99.33.It is the intent of the Legislature to create subsequent legislation to enforce this title. TITLE 1.81.46. The California Age-Appropriate Design Code Act TITLE 1.81.46. The California Age-Appropriate Design Code Act 1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act. 1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act. 1798.99.29. 
The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests. 1798.99.29. The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings: (a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature. (b) If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests. 1798.99.30. For (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.(b) For the purposes of this title, the following terms apply:(a)(1) Agency means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.(b)(2) Board means the agencys board, as established in Section 1798.199.10. 
(c)(3) Child or children, unless otherwise specified, mean a consumer or consumers who is under 18 years of age.(d)Dark pattern has the same meaning as defined in subdivision (l) of Section 1798.140.(e)(4) Data Protection Impact Assessment means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the good, service, or product service, product, or feature at issue that arises from the provision of that good, service, or product service, product, or feature in accordance with specifications promulgated by the California Childrens Data Protection Taskforce established pursuant to Section 1798.99.32.(5) Default means a preselected option adopted by the business for the online service, product, or feature.(f)(6) Likely to be accessed by a child means it is reasonable to expect, based on the known audience, the nature of the content, the associated marketing, or the online context, or academic or internal research, that the good, service, or product feature is more likely than not to service, product, or feature would be accessed by children.(g)Personal information has the same meaning as defined in subdivision (v) of Section 1798.140.(h)Sensitive personal information has the same meaning as defined in subdivision (ae) of Section 1798.140.(i)(7) Taskforce means the California Childrens Data Protection Taskforce as established by Section 1798.99.32. 1798.99.30. For (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title. (b) For the purposes of this title, the following terms apply: (a) (1) Agency means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election. (b) (2) Board means the agencys board, as established in Section 1798.199.10. 
(c) (3) Child or children, unless otherwise specified, mean a consumer or consumers who is under 18 years of age. (d)Dark pattern has the same meaning as defined in subdivision (l) of Section 1798.140. (e) (4) Data Protection Impact Assessment means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the good, service, or product service, product, or feature at issue that arises from the provision of that good, service, or product service, product, or feature in accordance with specifications promulgated by the California Childrens Data Protection Taskforce established pursuant to Section 1798.99.32. (5) Default means a preselected option adopted by the business for the online service, product, or feature. (f) (6) Likely to be accessed by a child means it is reasonable to expect, based on the known audience, the nature of the content, the associated marketing, or the online context, or academic or internal research, that the good, service, or product feature is more likely than not to service, product, or feature would be accessed by children. (g)Personal information has the same meaning as defined in subdivision (v) of Section 1798.140. (h)Sensitive personal information has the same meaning as defined in subdivision (ae) of Section 1798.140. (i) (7) Taskforce means the California Childrens Data Protection Taskforce as established by Section 1798.99.32. 1798.99.31. 
(a) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall comply with all of the following: (1)Consider the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, and, when in conflict with commercial interests, design, develop, and provide that good, service, or product feature in the manner that prioritizes the privacy, safety, and well-being of children. (2) (1) Undertake a Data Protection Impact Assessment for any good, service, or product online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the good, service, or product online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public. (3) (2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers. 
(4)Maintain the highest level of privacy possible for children by default, including, but not limited to, disabling profiling, unless the business can demonstrate a compelling reason that a different default setting is in the best interests of children likely to access that good, service, or product feature. (3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business. (5) (4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product online service, product, or feature. (6) (5) If the good, service, or product online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked. (7)Universally uphold (6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children. (8) (7) Provide prominent, accessible, and responsive tools to help children children, or where applicable their parent or guardian, exercise their privacy rights and report concerns. (b) A business that provides a good, service, or product an online service, product, or feature likely to be accessed by a child shall not take any of the following actions: (1) Use the personal information of any child in a way that is demonstrably harmful the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child. (2) Profile a child by default. 
(2)Collect and (3) Collect, sell, share, or retain any personal information that is not necessary to provide a good, service, or product a service, product, or feature with which a child is actively and knowingly engaged. (3) (4) If a business does not have actual knowledge of the age of a consumer, it shall neither collect nor not collect, share, sell, or retain any personal information that is not necessary to provide a good, service, or product service, product, or feature with which a consumer is actively and knowingly engaged. (4) (5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected. (5) (6) Notwithstanding Section 1798.120, disclose share or sell the personal information of any child unless the business can demonstrate a compelling reason that disclosure of that personal information is in the best interests of the child. the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145. (6)Collect any precise geolocation information by default, unless the business can demonstrate a compelling reason that doing so would be in the best interests of the child. (7) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature. 
(7)Collect (8) Collect, sell, or share any precise geolocation information without providing an obvious sign to the consumer child for the duration of that collection that precise geolocation information is being collected. (8)Collect any sensitive personal information by default, unless the business can demonstrate a compelling reason that the collection of sensitive personal information by default is in the best interests of a child. (9) Use dark patterns or other techniques to lead or encourage consumers to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that good, service, or product feature, service or product to forego privacy protections, or to otherwise take any action that is demonstrably harmful to the consumers the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the child's physical health, mental health, or well-being. (10) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature. (c) This section shall become operative on July 1, 2024. 1798.99.32. (a) The agency shall establish and convene a taskforce, the California Children's Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title. (b) By April 1, 2023, the board shall appoint members of the taskforce. 
Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children's rights. (c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following: (1) Identifying goods, services, and product online services, products, or features likely to be accessed by children. (2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how to incorporate those interests into those interests may be furthered by the design, development, and implementation of a good, service, or product an online service, product, or feature. (3)Determining the level of certainty with which it is necessary to establish the age of a consumer appropriate to the risks that arise from the data management practices of a business. (4)Determining whether a reason is sufficiently compelling to warrant practices that are not consistent with the default setting, data collection, and data disclosure practices prescribed by this title. 
(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive. (5) (4) Assessing and mitigating risks to children that arise from the use of a good, service, or product an online service, product, or feature, including specific items for the systematic survey necessary issues businesses must address to perform a Data Protection Impact Assessment. (6) (5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that good, service, or product feature. service or product. (d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations and publish guidelines, regulations, as necessary, to effectuate the purposes of this title in a manner consistent, and to the extent possible, with international frameworks for the protection of the privacy and well-being of children. title. It is the intent of the Legislature to create subsequent legislation to enforce this title. SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.