Update: California Governor Gavin Newsom has since vetoed this legislation and it will not become law.
The California Assembly has significantly increased privacy protections for minors under the California Consumer Privacy Act (CCPA). Other states such as Virginia and Colorado have also amended their privacy legislation to enhance protections for children, but with the passage of AB 1949, California has upped the ante.
See what the new changes mean for businesses.
The CCPA already has some additional privacy requirements when it comes to younger consumers. Currently, businesses may not sell or share the personal information of consumers under the age of 16 without their affirmative consent; if the consumer is under the age of 13, their parent or guardian must consent.
The first big change in AB 1949 is raising the age threshold from under-16 to under-18. That is, businesses may not sell or share the personal information of anyone under the age of 18 without their consent. (The under-13 threshold remains in place.)
The second big change is that businesses will also be prohibited from collecting, using, or disclosing any personal information from consumers under the age of 18 without their consent. This is a major expansion of existing protections for minors; in fact, it seems to make the restrictions on selling or sharing minors’ data entirely redundant.
Businesses must follow the rules described above when they have actual knowledge that the consumer is under the age of 18 or 13. Knowing that, many companies may think they’re off the hook because they don’t knowingly process the personal information of minors unless their services are geared towards children.
That may continue being the case for now, but AB 1949 highlights an aspect of the CCPA that is seldom talked about: the contemplation of an opt-out signal that identifies the consumer as being a minor.
In theory, devices or browsers could send a signal to websites and apps (similar to Global Privacy Control) that identifies the consumer as under-13 or under-18. The CCPA authorizes the California Privacy Protection Agency (CPPA) to create regulations about how such a signal would function. So far, the CPPA has not addressed this issue in any regulations.
AB 1949 puts the signal in the spotlight by clarifying that receipt of such a signal would constitute actual knowledge that a consumer is a minor. In other words, if a website detected the signal, it would have to follow the under-18 or under-13 data processing rules with respect to that consumer. By bringing attention to this issue, AB 1949 may increase the pressure on the CPPA to make the children’s opt-out signal a regulatory priority.
If and when that happens, a lot more businesses may have to figure out how to navigate the tough new rules on children’s data.
The provisions of AB 1949 will take effect on January 1, 2025.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.