Background and Key Provisions
AB 2273’s proponents argue that the bill is necessary for the safety and privacy of children. Importantly, the bill would prohibit businesses from using children’s data in any way that the business knows or has reason to know “is materially detrimental to the physical health, mental health, or well-being of a child.”
The bill would also impose specific requirements on businesses, including:
- Data Minimization – businesses must limit the collection, sharing, sale, and retention of children’s data unless they can demonstrate a compelling reason that the processing is in the child’s “best interests”;
- Risk Assessments – businesses must assess, document, and mitigate risks of material detriment to children;
- High Privacy Defaults – default privacy settings for under-18 users must offer a “high level of privacy” (unless the business can demonstrate a compelling reason that a different setting is in the best interests of children);
- Revised Online Notices – privacy information and similar online notices must use language suitable to the age of children likely to access the service; and
- Rights and Reporting Tools – businesses must offer children and parents/guardians tools to exercise their privacy rights and report concerns.
The Attorney General can also adopt regulations to clarify these requirements, and a new Children’s Data Protection Working Group will recommend best practices for businesses implementing the bill’s provisions.
Significant Challenges
AB 2273 could create significant compliance challenges in its pursuit of additional protections for children. For example, the bill’s “likely to be accessed by children” standard goes beyond COPPA’s “directed to children” standard. Under the current framework, COPPA’s requirements apply only to online services where a business has actual knowledge that the user is under the age of 13 or if the service’s offerings are “directed” at children through factors like marketing, graphics, or music that appeals to children.
Under AB 2273, businesses must now also determine whether “a significant number of children” routinely access the service (or substantially similar services) “based on competent and reliable evidence regarding audience composition.” The law would also require businesses to estimate under‑18 users’ ages “with a reasonable level of certainty.” Compliance with these provisions could require collecting even more children’s data and make understanding the law’s applicability a moving target for businesses.
Enforcement
Violations of AB 2273 can result in injunctions or civil penalties against businesses of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation. Businesses that substantially comply with the Data Protection Impact Assessment requirements, however, can benefit from a 90-day cure period. AB 2273 also expressly prohibits a private right of action.
Broader Impact
If passed, the California AADC could further complicate compliance efforts for companies operating across the country. Like with the California Consumer Privacy Act (CCPA), other state legislatures may look to California as a model for similar protections, creating another patchwork of potentially inconsistent state laws.
This effort comes as the U.S. Senate considers the Kids Online Safety Act (S. 3663), similar legislation that also involves potential state preemption. But as with California’s opposition to the preemption provisions of the American Data Privacy and Protection Act (H.R. 8152), efforts to preempt state rules may lead to significant pushback.
Next Steps
The bill is now eligible for a full Senate vote. Because the Senate’s and Assembly’s versions of AB 2273 differ, the Assembly (AB 2273’s house of origin) must concur with the Senate’s amendments. If the Assembly concurs, the bill will go to Governor Newsom for signing. If the Assembly does not concur, the bill will go to a conference committee to negotiate and reconcile the two versions’ differences. If they agree on a single version, it will go back to both Floors for approval and then to the Governor for signing.
If passed, the bill would go into effect on July 1, 2024.
Authored by Mark Brennan, Ryan Thompson, Sophie Baum, Harsimar Dhanoa, and A.J. Santiago.
