California’s Age-Appropriate Design Code may reshape the US online privacy landscape

When California – the home of Silicon Valley – passes major internet-related laws, the rest of the country pays attention. As federal data privacy legislation continues to stall, California is once again setting the blueprint. On September 15, Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (AADC), which will impose sweeping requirements on businesses that provide online products and services to children under age 18, potentially reshaping the online privacy regulatory landscape in the US. Inspired by the UK’s Age Appropriate Design Code, it is the first state law in the nation of this nature.

The passage of the AADC is part of a growing push nationwide to hold companies accountable for how their services may affect children’s mental health and safety. In the past year, social media companies in particular, have come under fire from Republicans and Democrats for the impact their platforms have on children. Yet, despite criticism, no comprehensive regulations concerning children’s internet activity has been passed in the last 20 years. The federal Children’s Online Privacy Protection Act (COPPA), enacted in 1998, addressed the rapid growth of online marketing techniques targeting children, but its narrow scope does not address many of the policy challenges created by the growth of social media and online gaming. California’s AADC goes further than COPPA in several respects, including its requirement that online sites consider children’s physical and mental health when designing their products and turn on the highest privacy settings by default for children.

Although the AADC is specific to California, other state legislatures will likely use it as a model to create similar protections for children in their state. Indeed, this is not the first time California has led the way in implementing data privacy laws that encouraged other states to follow. The California Consumer Protection Act prompted four other states to follow suit in passing comprehensive privacy legislation. However, this has resulted in a fragmented data privacy landscape that is often challenging and costly for companies – especially smaller businesses – to navigate. Tech groups opposed the AADC, arguing that differing state regulations would make compliance difficult, and instead advocated for a new or revised federal privacy law that would provide national standards to protect kids online.

The AADC is likely to increase pressure for Congress to pass new guardrails concerning children’s data and online activity. Despite this topic having bipartisan support, efforts on Capitol Hill are dragging amid disagreement between House and Senate lawmakers over whether to prioritize expanding protections for children specifically or advancing privacy safeguards for all consumers. The Senate Commerce Committee recently advanced two major bipartisan bills - the Kids Online Safety Act and the Teens’ Online Privacy Act - aimed at increasing online protections for children. However, this approach contrasts with the one taken by House lawmakers who advanced the American Data Privacy and Protection Act which would provide comprehensive privacy protection for all Americans while also creating additional protections for children under age 17. Given the differences between the privacy bills and privacy focus, reconciling the bills – in the event they pass each respective chamber – will prove challenging.

Without federal legislation, the industry will have to continue navigating an increasingly fragmented regulatory landscape. To mitigate this impact, tech companies will likely introduce changes nationwide rather than treat children in California differently. Last June, Senator Ed Markey (D-MA) and Representatives Kathy Castor (D-FL), and Lori Trahan (D-MA) wrote to the CEOs of Big Tech companies, urging them to bring their UK Age Appropriate Design Code Act protections for teens to the US. While the companies did not promise to import the protections wholesale to the US, the platforms noted that they were considering what aspects of the UK Design Code to implement into their online products and services worldwide. Since then, Instagram has made private accounts the global default for users under age 16, and other companies have taken similar action. However, lawmakers noted that this still fell short of the protections they argue are necessary for children in the US. 

California’s passage of the AADC forces the hand of tech companies to offer those same protections to children in their state, which will likely have a domino effect where children nationwide also receive these protections. With Sacramento leading the charge in the US, perhaps we are on the precipice of a new regulatory era where children’s privacy is front and center, even in the absence of new laws from DC.