California continues to be the front-runner in proposing new privacy legislation. The California Age Appropriate Design Code was introduced, rapidly passed both chambers, and was signed by California Governor Gavin Newsom on September 15^th, 2022. Though the act doesn’t go into effect until July 1, 2024, it’s causing waves in the privacy community, and for conflicting reasons. Michael Hellbusch, Partner at Rutan & Tucker, says, “The broad applicability of this law will encompass not only sites that target children, but most general sites as well because it applies to 17-year-olds that generally show and surf like adults. Most businesses will have to verify age as a result.”

There are several key compliance elements beyond age verification for the CAADC, based on similar legislation from the UK, including:

• Configuration of default privacy settings
• Age-appropriate privacy information, policies, and terms of service
• Conduction of Data Privacy Impact Assessments for any new online product or feature that is likely to be used by children
• Age estimation of your users with a degree of certainty that is acceptable given the risks associated with the company’s data management methods, or extend to all customers the same level of privacy and data safeguards that are available to minors
• An obvious signal to the child when the child is being monitored or tracked
• Enforcement of posted privacy practices
• Adequate tools for children or parents to exercise privacy rights & report concerns

How Is This Legislation Being Received?

Increasing children’s privacy on the internet is a no-brainer for most, so where’s the pushback? In particular, the California Age Appropriate Design Code is asking companies to “estimate the age of child users with a reasonable level of certainty,” but how do companies do this practically, safely, and while respecting the privacy of the user? It provides inadequate parameters for conducting the age verification that could put users’ privacy at risk, provides an ill-defined level of certainty as compared to the risks the company’s data faces, and offers an unfavorable alternative of extending children’s privacy & data safeguards to all consumers despite their age.

Hellbusch says, “There has been a lot of debate about this bill—some saying it will break the internet and some saying it is needed to protect children’s privacy.  Personally, I think it leaves a lot up to interpretation and business will find compliance cumbersome.”

Why Putting This Into Practice Isn’t Easy

When we look at implementation strictly for age verification beyond a simple mechanism such as a birthdate question prior to entering the website, this is where you get into complicated considerations. Compliance will be necessary when this law goes into effect, but age verification for companies conducting business in California may prove to be more difficult to prepare for between now and then. “There are a lot of indirect ways to verify age, but they all involve getting more PII – Driver’s License, CC #, etc. all can prove age, but now you are gathering that sensitive information. It actually seems to backtrack on privacy…” said Truyo Chief Technology Officer Pete Mueller.

Navigating the Line Between Compliance & Privacy

How do you gather age verification information securely & in a way that matches the intent of this legislation – to protect minors? Companies will be forced to find a balance of compliance and privacy with options such as using Google analytics audience estimated age, combined with a requirement to enter birthdate or confirm you are over 18, and possibly have an advanced option to upload an ID.

How is Truyo Preparing for the CAADC?

Truyo is in the planning phase of adding to our offering to provide adequate compliance options for the CAADC when it goes into effect. Truyo’s privacy tool already includes Data Privacy Impact Assessments, cookie consent, preference management, and most recently a privacy policy generator that enables your compliance with current privacy laws. Once July 1, 2024 comes around, our customers will simply have to check a box to update their privacy policies for the CAADC.

In addition, the Truyo platform will be bolstered with additional capabilities to help you achieve compliance with this legislation and all others across the United States as they are proposed, passed, and implemented.