Amended in Senate June 30, 2022

Amended in Assembly April 26, 2022

CALIFORNIA LEGISLATURE 2021–2022 REGULAR SESSION

Assembly Bill No. 2273

Introduced by Assembly Members Wicks, Cunningham, and Petrie-Norris
(Coauthors: Senators Allen and Newman)

February 16, 2022

An act to add Title 1.81.46 (commencing with Section 1798.99.28) to Part 4 of Division 3 of the Civil Code, relating to consumer privacy.

## LEGISLATIVE COUNSEL'S DIGEST

AB 2273, as amended, Wicks. The California Age-Appropriate Design Code Act.

(1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumer's rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer.

Existing law, the Parent's Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty.

This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would require a business that provides an online service, product, or feature likely to be accessed by a child to comply with specified requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature. The bill would prohibit a business that provides an online service, product, or feature likely to be accessed by a child from taking proscribed action, including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected.

This bill would require the California Privacy Protection Agency to establish and convene the California Children's Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agency's board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and children's rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations, as necessary.

This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation, or not more than $7,500 per affected child for each intentional violation.

(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

## Digest Key

Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO

## Bill Text

The people of the State of California do enact as follows:

SECTION 1. (a) The Legislature hereby finds and declares all of the following:

(1) The United Nations Convention on the Rights of the Child recognizes that children need special safeguards and care in all aspects of their lives.

(2) As children spend more of their time interacting with the online world, the impact of the design of online products and services on children's well-being has become a focus of significant concern.

(3) There is bipartisan agreement at the international level, in both the United States and in the State of California, that more needs to be done to create a safer online space for children to learn, explore, and play.

(4) Lawmakers around the globe have taken steps to enhance privacy protections for children on the understanding that, in relation to data protection, greater privacy necessarily means greater security and well-being.

(5) Children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access.

(6) In 2019, 81 percent of voters said they wanted to prohibit companies from collecting personal information about children without parental consent, and a 2018 poll of Californian parents and teens found that only 36 percent of teenagers and 32 percent of parents say that social networking internet websites do a good job explaining what they do with users' data.

(7) While it is clear that the same data protection regime may not be appropriate for children of all ages, children of all ages should nonetheless be afforded privacy and protection, and online products and services should adopt data protection regimes appropriate for children of the ages likely to access those products and services.

(8) Products and services that are likely to be accessed by children should offer strong privacy protections by design and by default, including by disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children, to offer detrimental material.

(9) Ensuring robust privacy protections for children by design is consistent with the intent of the Legislature in passing the California Consumer Privacy Act of 2018, and with the intent of the people of the State of California in passing the California Privacy Rights Act of 2020, which finds and declares that children are particularly vulnerable from a negotiating perspective with respect to their privacy rights.

(b) Therefore, it is the intent of the Legislature to promote privacy protections for children pursuant to the California Age-Appropriate Design Code Act.

SEC. 2. Title 1.81.46 (commencing with Section 1798.99.28) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.46. The California Age-Appropriate Design Code Act

1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.

1798.99.29.
The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:

(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.

(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.

1798.99.30. (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.

(b) For the purposes of this title, the following terms apply:

(1) "Agency" means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.

(2) "Board" means the agency's board, as established in Section 1798.199.10.

(3) "Child" or "children," unless otherwise specified, mean means a consumer or consumers who is under 18 years of age.

(4) "Data Protection Impact Assessment" means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the service, product, or feature at issue that arises from the provision of that service, product, or feature in accordance with specifications promulgated by the California Children's Data Protection Taskforce established pursuant to Section 1798.99.32.

(5) "Default" means a preselected option adopted by the business for the online service, product, or feature.

(6) "Likely to be accessed by a child" means it is reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research, that the service, product, or feature would be accessed by children. following factors, that the online service, product, or feature would be accessed by children:

(A) The online service, product, or feature is directed to children as defined by the Children's Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).

(B) The online service, product, or feature is determined to be routinely accessed by children through academic, market, or internal company research.

(C) An online service, product, or feature advertises to children.

(D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).

(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.

(7) "Taskforce" means the California Children's Data Protection Taskforce as established by Section 1798.99.32.

1798.99.31.
(a) A business that provides an online service, product, or feature likely to be accessed by a child shall comply with all of the following:

(1) Undertake a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.

(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.

(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.

(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.

(5) If the online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.

(6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.

(7) Provide prominent, accessible, and responsive tools to help children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.

(b) A business that provides an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:

(1) Use the personal information of any child in a way that the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.

(2) Profile a child by default.

(3) Collect, sell, share, or retain any personal information that is not necessary to provide a service, product, or feature with which a child is actively and knowingly engaged. engaged, or as described in paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.

(4) Use personal information for any reason other than the reason or reasons for which that personal information was collected, where the end user is a child.

(4) If a business does not have actual knowledge of the age of a consumer, it shall not collect, share, sell, or retain any personal information that is not necessary to provide a service, product, or feature with which a consumer is actively and knowingly engaged.

(5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.

(6) Notwithstanding Section 1798.120, share or sell the personal information of any child unless the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.

(7)(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.

(8)(6) Collect, sell, or share Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.

(9)(7) Use dark patterns or other techniques to lead or encourage consumers children to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that service or product online service, product, or feature to forego privacy protections, or to otherwise take any action that the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the child's physical health, mental health, or well-being.

(10)(8) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age.
Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.

(c) This section shall become operative on July 1, 2024.

1798.99.32. (a) The agency shall establish and convene a taskforce, the California Children's Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.

(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children's rights.

(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:

(1) Identifying online services, products, or features likely to be accessed by children.

(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how those interests may be furthered by the design, development, and implementation of an online service, product, or feature.

(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.

(4) Assessing and mitigating risks to children that arise from the use of an online service, product, or feature, including specific issues businesses must address to perform a Data Protection Impact Assessment.

(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that service or product.

(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations, as necessary, to effectuate the purposes of this title.

1798.99.35. (a) Any business that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

(b) Nothing in this title shall be interpreted to serve as the basis for a private right of action under this title.

SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
The California Age-Appropriate Design Code Act.(1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumers rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer.Existing law, the Parents Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty. 
This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would require a business that provides an online service, product, or feature likely to be accessed by a child to comply with specified requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature. The bill would prohibit a business that provides an online service, product, or feature likely to be accessed by a child from taking proscribed action, including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected.This bill would require the California Privacy Protection Agency to establish and convene the California Childrens Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agencys board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and childrens rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations, as necessary.This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates it provisions. 
The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation, or not more than $7,500 per affected child for each intentional violation.(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Amended IN Senate June 30, 2022 Amended IN Assembly April 26, 2022 Amended IN Senate June 30, 2022 Amended IN Assembly April 26, 2022 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 2273 Introduced by Assembly Members Wicks, Cunningham, and Petrie-Norris(Coauthors: Senators Allen and Newman)February 16, 2022 Introduced by Assembly Members Wicks, Cunningham, and Petrie-Norris(Coauthors: Senators Allen and Newman) February 16, 2022 An act to add Title 1.81.46 (commencing with Section 1798.99.28) to Part 4 of Division 3 of the Civil Code, relating to consumer privacy. LEGISLATIVE COUNSEL'S DIGEST ## LEGISLATIVE COUNSEL'S DIGEST AB 2273, as amended, Wicks. The California Age-Appropriate Design Code Act. (1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. 
Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumers rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer.Existing law, the Parents Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty. This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would require a business that provides an online service, product, or feature likely to be accessed by a child to comply with specified requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature. 
The bill would prohibit a business that provides an online service, product, or feature likely to be accessed by a child from taking proscribed action, including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected.This bill would require the California Privacy Protection Agency to establish and convene the California Childrens Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agencys board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and childrens rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations, as necessary.This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates it provisions. The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation, or not more than $7,500 per affected child for each intentional violation.(2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. (1) Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes the California Privacy Protection Agency. 
Existing law vests the agency with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018, and requires the agency to be governed by a board. Existing law requires businesses to protect consumer privacy and information, make certain disclosures to consumers regarding a consumers rights under the act in a specified manner, and disclose to consumers that a consumer has the right to request specific pieces of information, including the categories of information those businesses have collected about that consumer. Existing law, the Parents Accountability and Child Protection Act, requires a person or business that conducts business in California and that seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase or delivery, including verifying the age of the purchaser. Existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except as specified, and subjects a business or person that violates these provisions to a civil penalty. This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would require a business that provides an online service, product, or feature likely to be accessed by a child to comply with specified requirements, including configuring all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature. 
The bill would prohibit a business that provides an online service, product, or feature likely to be accessed by a child from taking proscribed action, including using the personal information of a child for any reason other than the reason or reasons for which the personal information was collected. This bill would require the California Privacy Protection Agency to establish and convene the California Childrens Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified. The bill would require the agencys board to appoint the members of the taskforce by April 1, 2023, and would require those members to have certain expertise, including in the areas of privacy and childrens rights. The bill would require the taskforce to make prescribed recommendations on best practices, including identifying online services, products, or features likely to be accessed by children. By April 1, 2024, the bill would require the agency, in consultation with the taskforce, to adopt regulations, as necessary. This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates it provisions. The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation, or not more than $7,500 per affected child for each intentional violation. (2) The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified. This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. ## Digest Key ## Bill Text The people of the State of California do enact as follows:SECTION 1. 
(a) The Legislature hereby finds and declares all of the following:

(1) The United Nations Convention on the Rights of the Child recognizes that children need special safeguards and care in all aspects of their lives.

(2) As children spend more of their time interacting with the online world, the impact of the design of online products and services on children's well-being has become a focus of significant concern.

(3) There is bipartisan agreement at the international level, in both the United States and in the State of California, that more needs to be done to create a safer online space for children to learn, explore, and play.

(4) Lawmakers around the globe have taken steps to enhance privacy protections for children on the understanding that, in relation to data protection, greater privacy necessarily means greater security and well-being.

(5) Children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access.

(6) In 2019, 81 percent of voters said they wanted to prohibit companies from collecting personal information about children without parental consent, and a 2018 poll of Californian parents and teens found that only 36 percent of teenagers and 32 percent of parents say that social networking internet websites do a good job explaining what they do with users' data.

(7) While it is clear that the same data protection regime may not be appropriate for children of all ages, children of all ages should nonetheless be afforded privacy and protection, and online products and services should adopt data protection regimes appropriate for children of the ages likely to access those products and services.

(8) Products and services that are likely to be accessed by children should offer strong privacy protections by design and by default, including by disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children, to offer detrimental material.

(9) Ensuring robust privacy protections for children by design is consistent with the intent of the Legislature in passing the California Consumer Privacy Act of 2018, and with the intent of the people of the State of California in passing the California Privacy Rights Act of 2020, which finds and declares that children are particularly vulnerable from a negotiating perspective with respect to their privacy rights.

(b) Therefore, it is the intent of the Legislature to promote privacy protections for children pursuant to the California Age-Appropriate Design Code Act.

### SEC. 2.

Title 1.81.46 (commencing with Section 1798.99.28) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.46. The California Age-Appropriate Design Code Act

1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.

1798.99.29. The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:

(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.

(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.

1798.99.30.
(a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.

(b) For the purposes of this title, the following terms apply:

(1) "Agency" means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.

(2) "Board" means the agency's board, as established in Section 1798.199.10.

(3) "Child" or "children," unless otherwise specified, mean means a consumer or consumers who is under 18 years of age.

(4) "Data Protection Impact Assessment" means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the service, product, or feature at issue that arises from the provision of that service, product, or feature in accordance with specifications promulgated by the California Children's Data Protection Taskforce established pursuant to Section 1798.99.32.

(5) "Default" means a preselected option adopted by the business for the online service, product, or feature.

(6) "Likely to be accessed by a child" means it is reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research, that the service, product, or feature would be accessed by children. following factors, that the online service, product, or feature would be accessed by children:

(A) The online service, product, or feature is directed to children as defined by the Children's Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).

(B) The online service, product, or feature is determined to be routinely accessed by children through academic, market, or internal company research.

(C) An online service, product, or feature advertises to children.

(D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).

(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.

(7) "Taskforce" means the California Children's Data Protection Taskforce as established by Section 1798.99.32.

1798.99.31. (a) A business that provides an online service, product, or feature likely to be accessed by a child shall comply with all of the following:

(1) Undertake a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by a child.
A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.

(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.

(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.

(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.

(5) If the online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.

(6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.

(7) Provide prominent, accessible, and responsive tools to help children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.

(b) A business that provides an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:

(1) Use the personal information of any child in a way that the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.

(2) Profile a child by default.

(3) Collect, sell, share, or retain any personal information that is not necessary to provide a service, product, or feature with which a child is actively and knowingly engaged. engaged, or as described in paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.

(4) Use personal information for any reason other than the reason or reasons for which that personal information was collected, where the end user is a child.

(4) If a business does not have actual knowledge of the age of a consumer, it shall not collect, share, sell, or retain any personal information that is not necessary to provide a service, product, or feature with which a consumer is actively and knowingly engaged.

(5) Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.

(6) Notwithstanding Section 1798.120, share or sell the personal information of any child unless the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.

(7)(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.

(8)(6) Collect, sell, or share Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.

(9)(7) Use dark patterns or other techniques to lead or encourage consumers children to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that service or product online service, product, or feature to forego privacy protections, or to otherwise take any action that the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the child's physical health, mental health, or well-being.

(10)(8) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.

(c) This section shall become operative on July 1, 2024.

1798.99.32. (a) The agency shall establish and convene a taskforce, the California Children's Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.

(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children's rights.

(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:

(1) Identifying online services, products, or features likely to be accessed by children.

(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how those interests may be furthered by the design, development, and implementation of an online service, product, or feature.

(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.

(4) Assessing and mitigating risks to children that arise from the use of an online service, product, or feature, including specific issues businesses must address to perform a Data Protection Impact Assessment.

(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that service or product.

(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations, as necessary, to effectuate the purposes of this title.

1798.99.35. (a) Any business that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

(b) Nothing in this title shall be interpreted to serve as the basis for a private right of action under this title.

### SEC. 3.

The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
information of any child in a way that the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.(2) Profile a child by default.(3) Collect, sell, share, or retain any personal information that is not necessary to provide a service, product, or feature with which a child is actively and knowingly engaged. engaged, or as described in paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(4) Use personal information for any reason other than the reason or reasons for which that personal information was collected, where the end user is a child.(4)If a business does not have actual knowledge of the age of a consumer, it shall not collect, share, sell, or retain any personal information that is not necessary to provide a service, product, or feature with which a consumer is actively and knowingly engaged.(5)Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. 
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.(6)Notwithstanding Section 1798.120, share or sell the personal information of any child unless the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(7)(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.(8)(6) Collect, sell, or share Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.(9)(7) Use dark patterns or other techniques to lead or encourage consumers children to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide thatservice or product online service, product, or feature to forego privacy protections, or to otherwise take any action that the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the childs physical health, mental health, or well-being.(10)(8) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. 
Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.(c) This section shall become operative on July 1, 2024.1798.99.32. (a) The agency shall establish and convene a taskforce, the California Childrens Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and childrens rights.(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:(1) Identifying online services, products, or features likely to be accessed by children.(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how those interests may be furthered by the design, development, and implementation of an online service, product, or feature. 
(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.(4) Assessing and mitigating risks to children that arise from the use of an online service, product, or feature, including specific issues businesses must address to perform a Data Protection Impact Assessment.(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that service or product.(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations, as necessary, to effectuate the purposes of this title.1798.99.35. (a) Any business that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.(b) Nothing in this title shall be interpreted to serve as the basis for a private right of action under this title. TITLE 1.81.46. The California Age-Appropriate Design Code Act 1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act.1798.99.29. 
The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests.1798.99.30. (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.(b) For the purposes of this title, the following terms apply:(1) Agency means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.(2) Board means the agencys board, as established in Section 1798.199.10. 
(3) Child or children, unless otherwise specified, mean means a consumer or consumers who is under 18 years of age.(4) Data Protection Impact Assessment means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the service, product, or feature at issue that arises from the provision of that service, product, or feature in accordance with specifications promulgated by the California Childrens Data Protection Taskforce established pursuant to Section 1798.99.32.(5) Default means a preselected option adopted by the business for the online service, product, or feature.(6) Likely to be accessed by a child means it is reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research, that the service, product, or feature would be accessed by children. following factors, that the online service, product, or feature would be accessed by children:(A) The online service, product, or feature is directed to children as defined by the Childrens Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).(B) The online service, product, or feature is determined to be routinely accessed by children through academic, market, or internal company research.(C) An online service, product, or feature advertises to children.(D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.(7) Taskforce means the California Childrens Data Protection Taskforce as established by Section 1798.99.32.1798.99.31. 
(a) A business that provides an online service, product, or feature likely to be accessed by a child shall comply with all of the following:(1) Undertake a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.(5) If the online service, product, or feature allows the childs parent, guardian, or any other consumer to monitor the childs online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.(6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.(7) Provide prominent, accessible, and responsive tools to help children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.(b) A business that provides an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:(1) Use the personal 
information of any child in a way that the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.(2) Profile a child by default.(3) Collect, sell, share, or retain any personal information that is not necessary to provide a service, product, or feature with which a child is actively and knowingly engaged. engaged, or as described in paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(4) Use personal information for any reason other than the reason or reasons for which that personal information was collected, where the end user is a child.(4)If a business does not have actual knowledge of the age of a consumer, it shall not collect, share, sell, or retain any personal information that is not necessary to provide a service, product, or feature with which a consumer is actively and knowingly engaged.(5)Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. 
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.(6)Notwithstanding Section 1798.120, share or sell the personal information of any child unless the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(7)(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.(8)(6) Collect, sell, or share Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.(9)(7) Use dark patterns or other techniques to lead or encourage consumers children to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide thatservice or product online service, product, or feature to forego privacy protections, or to otherwise take any action that the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the childs physical health, mental health, or well-being.(10)(8) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. 
Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.(c) This section shall become operative on July 1, 2024.1798.99.32. (a) The agency shall establish and convene a taskforce, the California Childrens Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and childrens rights.(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:(1) Identifying online services, products, or features likely to be accessed by children.(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how those interests may be furthered by the design, development, and implementation of an online service, product, or feature. 
(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.(4) Assessing and mitigating risks to children that arise from the use of an online service, product, or feature, including specific issues businesses must address to perform a Data Protection Impact Assessment.(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that service or product.(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations, as necessary, to effectuate the purposes of this title.1798.99.35. (a) Any business that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.(b) Nothing in this title shall be interpreted to serve as the basis for a private right of action under this title. TITLE 1.81.46. The California Age-Appropriate Design Code Act TITLE 1.81.46. The California Age-Appropriate Design Code Act 1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act. 1798.99.28. This chapter shall be known, and may be cited, as the California Age-Appropriate Design Code Act. 1798.99.29. 
The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings:(a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.(b) If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests. 1798.99.29. The Legislature declares that children should be afforded protections not only by online products and services specifically directed at them, but by all online products and services they are likely to access and makes the following findings: (a) Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature. (b) If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests. 1798.99.30. (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title.(b) For the purposes of this title, the following terms apply:(1) Agency means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.(2) Board means the agencys board, as established in Section 1798.199.10. 
(3) Child or children, unless otherwise specified, mean means a consumer or consumers who is under 18 years of age.(4) Data Protection Impact Assessment means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the service, product, or feature at issue that arises from the provision of that service, product, or feature in accordance with specifications promulgated by the California Childrens Data Protection Taskforce established pursuant to Section 1798.99.32.(5) Default means a preselected option adopted by the business for the online service, product, or feature.(6) Likely to be accessed by a child means it is reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research, that the service, product, or feature would be accessed by children. following factors, that the online service, product, or feature would be accessed by children:(A) The online service, product, or feature is directed to children as defined by the Childrens Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.).(B) The online service, product, or feature is determined to be routinely accessed by children through academic, market, or internal company research.(C) An online service, product, or feature advertises to children.(D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B).(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children.(7) Taskforce means the California Childrens Data Protection Taskforce as established by Section 1798.99.32. 1798.99.30. (a) For purposes of this title, the definitions in Section 1798.140 shall apply unless otherwise specified in this title. 
(b) For the purposes of this title, the following terms apply: (1) Agency means the California Privacy Protection Agency, as established by the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election. (2) Board means the agencys board, as established in Section 1798.199.10. (3) Child or children, unless otherwise specified, mean means a consumer or consumers who is under 18 years of age. (4) Data Protection Impact Assessment means a systematic survey to assess and mitigate risks to children who are reasonably likely to access the service, product, or feature at issue that arises from the provision of that service, product, or feature in accordance with specifications promulgated by the California Childrens Data Protection Taskforce established pursuant to Section 1798.99.32. (5) Default means a preselected option adopted by the business for the online service, product, or feature. (6) Likely to be accessed by a child means it is reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research, that the service, product, or feature would be accessed by children. following factors, that the online service, product, or feature would be accessed by children: (A) The online service, product, or feature is directed to children as defined by the Childrens Online Privacy Protection Act (15 U.S.C. Sec. 6501 et seq.). (B) The online service, product, or feature is determined to be routinely accessed by children through academic, market, or internal company research. (C) An online service, product, or feature advertises to children. (D) An online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to subparagraph (B). 
(E) An online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children. (7) Taskforce means the California Childrens Data Protection Taskforce as established by Section 1798.99.32. 1798.99.31. (a) A business that provides an online service, product, or feature likely to be accessed by a child shall comply with all of the following:(1) Undertake a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by a child and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by a child. A report of the assessment must be provided to the agency within 12 months of the implementation of this act and reviewed every 24 months or before any new features are offered to the public.(2) Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.(3) Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy protection offered by the business.(4) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.(5) If the online service, product, or feature allows the childs parent, guardian, or any other consumer to monitor the childs online activity or track their location, provide an obvious signal to the child when they are being monitored or tracked.(6) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.(7) Provide 
prominent, accessible, and responsive tools to help children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.(b) A business that provides an online service, product, or feature likely to be accessed by a child shall not take any of the following actions:(1) Use the personal information of any child in a way that the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.(2) Profile a child by default.(3) Collect, sell, share, or retain any personal information that is not necessary to provide a service, product, or feature with which a child is actively and knowingly engaged. engaged, or as described in paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(4) Use personal information for any reason other than the reason or reasons for which that personal information was collected, where the end user is a child.(4)If a business does not have actual knowledge of the age of a consumer, it shall not collect, share, sell, or retain any personal information that is not necessary to provide a service, product, or feature with which a consumer is actively and knowingly engaged.(5)Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. 
If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.(6)Notwithstanding Section 1798.120, share or sell the personal information of any child unless the sharing or selling of that personal information is necessary to provide the online service, product, or feature as permitted by paragraphs (1) to (4), inclusive, of subdivision (a) of Section 1798.145.(7)(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.(8)(6) Collect, sell, or share Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.(9)(7) Use dark patterns or other techniques to lead or encourage consumers children to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide thatservice or product online service, product, or feature to forego privacy protections, or to otherwise take any action that the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the childs physical health, mental health, or well-being.(10)(8) Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. 
Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.

(c) This section shall become operative on July 1, 2024.

1798.99.32.
(a) The agency shall establish and convene a taskforce, the California Children's Data Protection Taskforce, to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.

(b) By April 1, 2023, the board shall appoint members of the taskforce. Taskforce members shall consist of Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children's rights.

(c) The taskforce shall make recommendations on best practices regarding, but not limited to, all of the following:

(1) Identifying online services, products, or features likely to be accessed by children.

(2) Evaluating and prioritizing the best interests of children with respect to their privacy, health, and well-being, and issuing guidance to businesses on how those interests may be furthered by the design, development, and implementation of an online service, product, or feature.

(3) Ensuring that age verification methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive.

(4) Assessing and mitigating risks to children that arise from the use of an online service, product, or feature, including specific issues businesses must address to perform a Data Protection Impact Assessment.

(5) Publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access that service or product.

(d) By April 1, 2024, the agency, in consultation with the taskforce, shall adopt regulations, as necessary, to effectuate the purposes of this title.

1798.99.35.
(a) Any business that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

(b) Nothing in this title shall be interpreted to serve as the basis for a private right of action under this title.

SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.