In my last blog post I drilled down on Assembly Bill 2273 (AB 2273) that is Assemblymembers Buffy Wicks’ and Jordan Cunningham’s proposed California Age-Appropriate Design Code Act (ADCA). As a reminder, if the ADCA were to pass into law, it would require businesses to “consider the privacy and protection of children in the design of any digital product or service that children in California are likely to access.” This bill is modeled after the United Kingdom’s Age-Appropriate Design Code (aka the Children’s Code) that was sponsored by the 5Rights Foundation, and in fact 5Rights is the driving force behind the California version.
Having spent some time going through the bill in detail and meeting with 5Rights, I am very much a supporter of the bill. In this blog post I will highlight two areas of improvements that I think will better harmonize this bill with the California Privacy Rights Act (CPRA) and make it even stronger. The good news is that 5Rights is very receptive to my suggestions, so I think the bill will only get better.
Executive Summary of My Proposed Enhancements to AB 2273
I fully agree with the intent of the California Age-Appropriate Design Code Act (ADCA) which is to provide special safeguards to children in the digital world. As mentioned above, the ADCA is based on a UK law that has already promoted many Big Tech companies to innovate in the best interests of UK children. Some examples are shown below:
I do believe the goal of AB 2273 is consistent with the intent of Proposition 24 (CPRA), and in fact one of the major points of emphasis in the campaign for Proposition 24 was that it further enhanced the California Consumer Privacy Act (CCPA) by adding additional capabilities to safeguard our children’s safety. CPRA did this by tripling fines for the collection and sale of children’s private information. Proposition 24 also required opt-in consent for the sale of personal information from consumers under 16.
But in “porting” the UK law over to California, I do think there is some optimization vis a vis the California Privacy Rights Act that is required. Namely I believe the ADCA should be enhanced in two ways: (a) provide funding to the California Privacy Protection Agency (PPA) to support the operations and regulatory activities associated with the California Children’s Data Protection Taskforce (CDPT) — otherwise this will be an unfunded mandate that the PPA must bear that may distract from its current regulatory and enforcement activities that are needed to protect consumer privacy; and (b) harmonize definitions of key terms with the definitions found in the California Privacy Rights Act (CPRA) — otherwise businesses will not be clear if this law covers them, what constitutes precise geolocation and profiling, etc. thereby making the proposed law harder to interpret and enforce.
Let me drill down on both points in the next sections.
The Need to Fund the PPA to Support the ADCA
AB 2273 requires the California Privacy Protection Agency (PPA) to first create the California Children’s Data Protection Taskforce (CDPT) by appointing members. The taskforce members shall consist of Californians with expertise in the areas of privacy, physical and mental health as well technology and children’s rights. It appears the PPA has the flexibility to choose any number of members.
The CDPT is tasked with evaluating best practices for the implementation of the bill, and to provide support to businesses to comply with the bill. The CDPT shall make recommendations on best practices in six areas including identifying online goods/services/product features that are likely to be access by children and issuing guidance on how to incorporate children’s best interest into the design, development, and implantation of online products. Then from there, requiring the PPA to collaborate with the taskforce to adopt regulations and publish guidelines.
To me, this is a non-trivial undertaking and will take staff and resources, but currently the bill proposes no additional funding for the PPA, so in effect it is an unfunded mandate. The reality is that the PPA already has its hands full with its $10 million budget to regulate the biggest companies the world has ever seen, and is already legally tasked with performing 12 duties well as the creating regulations in an additional 22 areas (including in the areas of automated decision making and profiling, dark patterns, etc.).
So, I strongly recommend that AB 2273 be amended to provide additional budget to the PPA to support this important initiative. Otherwise, AB 2273 may, for example, rob the PPA from its ability to stop discrimination of minorities via automated decision making and profiling while it shifts focus to protecting children online. We should do and fund both.
The great news is that 5Rights has acknowledged this and will work with Assemblymember Wicks and Cunningham to amend the bill make sure there is appropriate funding for the PPA to support the Children’s Data Protection Taskforce and to adopt regulations.
Harmonizing Key Terms with the CPRA to Remove Ambiguity
My second major enhancement to AB 2273 would be better aligning the key terms in the ADCA with the CPRA. If this does not occur, there could be potential problems in interpretation and enforcement. Thus, the bill needs to be a bit more “California-ized” to harmonize itself with the CPRA. Here are some specific examples:
- “Business” is not defined in AB 2273; thus, it could be interpreted that AB 2273 could apply to an individual that has a side business of making children’s dolls. Nor is it clear if a business applies to a non-profit or not. Given that “business” is defined in State law in differing ways, it is not clear which entities this applies to. I would suggest that AB 2273 add “business” as defined term and utilize the definition of “business” found in Section 1798.140 of the CPRA. This would have the added benefit of not having AB 2273 apply to smaller “mom and pop” organizations or those businesses whose goods and services are not online. It would further clarify that non-profits would not be covered by AB 2273.
- “Consumer” is also not defined in AB 2273, so it is not clear who this law applies to in terms of protection (e.g., is a consumer a resident of California or not?). CPRA clearly defines who a consumer is, so I would suggest updating AB 2273 to define “consumer” as what is in 1798.140 of CPRA.
- The term “collect” is not defined in AB 2273, so businesses may again technically say they don’t collect data and in turn the law does not apply to them, as they may use other means to procure the data (e.g., they buy the data, or it is shared with them, so in theory they don’t collect data). Again, I would harmonize the definition of “collect” with the clear and expansive definition found in CPRA.
- The term “profile” and “profiling” is not defined in AB 2273. This gives wiggle room for businesses to claim the law does not apply to them and/or they don’t profile. This term is defined under CPRA as “profiling.”
- The term “precise geolocation” is not defined as well in AB 2273, thereby making it possible that businesses may track location of children to a certain degree but argue it is not “precise,” and therefore will claim they have the green light to track location. I strongly urge that AB 2273 clearly reference the definition of “precise geolocation” as defined in 1798.140 of the CPRA.
You may be saying to yourself that these are trivial changes, but by standardizing these key terms with the definitions found in the CPRA, it will make it significantly easier for businesses to interpret the law (and determine who in fact is covered by the law) and for the PPA to enforce the law. And of course, for any courts to interpret the law.
In spending time with 5Rights, they also see the advantage of harmonizing the definitions of key terms between the ADCA with the CPRA, and they seemed very receptive to these easy fixes that will have powerful results in terms of improved clarity, removing wiggle room, etc..
I really appreciate that AB 2273 takes CPRA’s online safeguards for children even further, by requiring additional obligations from businesses to protect kids online. I also think having a focused task force dedicated to children’s data protection that is established under the umbrella of the PPA is an excellent idea. Furthermore, the ability to adopt regulations in this area will allow the PPA to stay current with rapid changes in technology. Hence, I fully support AB 2273.
I do see two clears of improvement, namely it needs to be amended to address both the funding issue and the harmonization of the definitions of key terms with the CPRA. But the great news is I think the backers of AB 2273 realize that these suggestions are good things to add, which to me will make for an even better bill that is fully California-ized in terms of being integrated with and optimized for the CPRA.