Continuing its push as the nation's first-mover on privacy, California has passed a bill that will require potentially significant new privacy commitments from online services that are "likely to be accessed" by children under 18. Covered companies have until July 2024, when the law takes effect, to assess their practices and come into compliance. In addition, implementing regulations due in January 2024 will give specifics on compliance.
Why It Matters
Because of the nature of online business -- accessible everywhere -- the new law from California is likely to become the de facto US standard for many online offerings. The law's coverage is much broader than the existing federal online privacy law protecting children (COPPA), which applies only to online offerings "directed to" children, and only children under 13.
The higher age limit for California will apply far more broadly. In addition, the California law will have a much lower threshold (children are "likely to access" the service, not just that it is "directed to" children). Combined with the higher age limit, California's law may have sweeping application: 17-year-olds may be using services that under COPPA are treated as general audience services (shopping, news, job applications, for example) rather than child-directed. This is a much wider net than that cast by COPPA.
Businesses that operate online services "likely to be accessed" in California by teens as well as younger children should monitor the implementing regulations closely. When the compliance date arrives, covered businesses will have to have completed internal data impact assessments, offer tools that help manage children's privacy, and possibly re-vamp their notices and other practices.