California Age Appropriate Design Code Act (CAADCA) – Compliance Guide

California Age Appropriate Design Code Act (CAADCA) – Compliance Guide

Summary

The California Age-Appropriate Design Code Act (CAADCA), which took effect on July 1, 2024, sets strict rules to protect minors’ online privacy. It applies to any website or app accessible to users under 18 in California, with fines up to $7,500 per child for violations.

Businesses must assess child access, limit data collection, and conduct Data Protection Impact Assessments. Tools like the WPLP Compliance Platform help with age verification, cookie consent, and simple policies, making compliance easier while ensuring safer digital spaces for children.

Protecting children’s privacy online has never been more essential or more regulated. With the California Age Appropriate Design Code Act (CAADCA) now law, every digital service accessible by minors faces strict new standards and penalties.

Is your business ready?

The CAADCA could be groundbreaking legislation that focuses on children’s safety, privacy, and well-being, and will take effect on July 1, 2024.

If you are a website owner, app developer, or digital service provider, and you have any users in California who are under 18, then the ultimate question of whether to comply with the CAADCA is no longer a question. 

From age verification to data minimization, parental controls to limitations on targeted advertising, the law imposes strict requirements to provide safer digital environments for underage users.

In this article, we will take you through everything you will need to know about the California Age-Appropriate Design Code Act, which businesses are required to comply with, what rights are afforded to consumers, penalties for non-compliance, and much more.

So let’s get started!

What is the California Age Appropriate Design Code Act (CAADCA)

The California Age Appropriate Design Code Act (CAADCA) is new legislation designed to help keep children safe and to protect their privacy while using the internet. The CAADCA will take effect in California in 2025. 

It is modeled on the Age Appropriate Design Code (AADC) in the United Kingdom. CAADCA applies to any website, app, or online service that children or youth may access or use. 

If someone under the age of 18 is likely to use a digital product, the company must follow additional rules. Under the CAADCA, the definition of “child” is any person under the age of 18 who is located in California.

Today, young people use the internet for everything, including school, recreation, communicating with friends, and more. At times, websites engage in predatory practices, collect excessive personal information about children, and display advertisements that are harmful to children. 

Some websites even use deceptive designs known as dark patterns (design tricks that manipulate users into making unintended choices) to confuse users into clicking buttons or providing data without the user truly being aware of their actions or choices.

To prevent this, CAADCA implements strict rules, for example:

  • Collect less data: Only collect the data that is necessary.
  • Default safe settings for children: Websites should have the highest level of privacy settings as the default.
  • Make it simple: Kids should understand what they are collecting and why.
  • Do not track children: No tracking and no targeting children with ads.
  • Require age verification for users: Some websites may need to require that you provide your age to protect you.

CAADCA will help to protect against online scams or tricks, personal information will not be exposed or shared, and it gives kids better control over what they choose to share.

Who Must Comply With the California Age-Appropriate Design Code Act?

California Age Appropriate Design Code Act is applicable to any business that satisfies the criteria of being subject to the CCPA / CPRA, as well as having services that could be accessed by minors under 18. 

In order to comply with the CCPA, you have to be a for-profit organization, doing business in California, using the personal data of California residents, and meeting at least one of the three following criteria:  

  • $25 million in revenue or more annually. 
  • Uses the personal data of more than 50,000 individuals for commercial purposes. 
  • Fifty percent or more of your revenue comes from the sale of personal data. 

For CAADCA, you are going to want to examine your services, as well as the data you collect. You will need to comply with CAADCA if you: 

  • Provide services directed to minors under the age of 18, whether it be a product or website directed specifically to teens.
  • Provide services normally accessed by minors.
  • Use advertising directed toward minors.
  • Include elements for minors’ appeal, i.e, music, cartoonish designs.
  • Assume that your products are similar to others directed toward minors.

What are the Consumer Rights Under the CAADCA Law

Consumer Rights Under the CAADCA Law
  • Right to High-Level Privacy by Default: Services that are likely to be used by children should have robust privacy settings switched on by default. The site should not collect, share, or sell children’s data unless it is unavoidable for the service.
  • Right to be Informed of Data Collection: Companies need to present clear, simple, and age-targeted privacy notices to children. Children (and their parents/guardians) are entitled to know what data is being collected, why, and how it will be used.
  • Right to Harmless Design: Platforms should refrain from incorporating design patterns that are harmful to the well-being of a child (e.g., addictive design patterns, manipulative nudges to give more data). Profiling children by default is not allowed unless it’s absolutely necessary.
  • Right to Protection of Geolocation: Companies should not collect exact geolocation information unless it’s absolutely necessary for the service and only for the period needed.
  • Right to Transparent Data Use: Children are entitled to be told if they are being tracked or surveilled as part of their activity, such as parental or third-party tracking.
  • Right to No Dark Patterns: Platforms cannot employ dark patterns to coerce or trick children into surrendering more privacy than they’re aware of or wish to.
  • Right to a Risk-Assessed Platform: Companies have to carry out a Data Protection Impact Assessment (DPIA) (a process to identify and reduce privacy risks in data handling) prior to making available new features that are likely to be used by children. Children’s risks need to be minimized before the service becomes live.

How Businesses Can Comply With CAADCA Law Regulations

The California Age-Appropriate Design Code Act (CAADCA) is a new law designed to ensure the safety of children and teens under the age of 18 when they engage with websites, apps, and other digital services. 

If your business provides online services that children may engage with, then you will need to take a number of key steps to comply with CAADCA.

How Businesses Can Comply With CAADCA Law Regulations

1. Determine Child Access

Evaluate whether your digital product or service is likely to attract or be used by individuals under 18. This includes checking user demographics, marketing strategies, and product features to determine if children might interact with your platform.

2. Minimize Data Collection

Only collect information that is strictly necessary for the basic functionality of your service. Avoid gathering sensitive or unnecessary personal data from children to minimize privacy risks.

3. Perform a Data Protection Impact Assessment (DPIA)

Before launching, carry out a DPIA to identify potential risks to children’s data privacy. Document these risks along with the measures you plan to take to mitigate them, ensuring compliance and accountability.

4. Simplify User Notices

Draft privacy policies and consent forms in simple, understandable language suitable for children and parents. Avoid legal jargon and ensure the information is accessible and transparent.

5. Empower Children and Parents

Offer children and parents user-friendly tools to opt out of data collection, delete personal data, and adjust privacy settings easily. Make sure these controls are visible and simple to use.

How the WPLP Compliance Platform Can Help

WPLP Compliance Platform

Following CAADCA rules might sound overwhelming, but that’s where the WPLP Compliance Platform comes in. It’s a handy tool that helps you meet these privacy rules quickly and easily, without needing to be a legal expert.

1. Age Verification Popup

California child privacy consent popup

One of WPLP’s helpful features is an age verification pop-up. This shows up when someone visits your website and asks them to confirm their age before they can continue. It helps make sure kids aren’t accessing content meant for older users, and shows you’re taking privacy seriously from the start.

WP cookie consent plugin

WPLP also gives you a cookie consent banner that’s fully customizable. It lets you turn off all optional tracking (like for ads or analytics) until the user gives permission. This is a big part of staying compliant with CAADCA, and WPLP makes it easy to manage.

3. Easy-to-Understand Privacy Policies

terms of use template

With WPLP, you can create privacy policies that are written in simple language that kids and parents can understand. This helps you stay transparent and builds trust with your users.

For Example, you can see the terms of use template, the language used is very simple, and anyone can understand it.

4. One Dashboard to Manage Everything

One Dashboard to Manage Everything

Everything you need, age checks, cookie consent, and policy updates, can be handled in one place. WPLP’s dashboard keeps everything organized so you don’t miss anything important.

By using tools like age verification and clear cookie consent banners, the WPLP Compliance Platform helps your business follow the CAADCA compliance rules and protect young users. It’s a smart and easy way to stay on the right side of the law while building trust with families online.

CAADCA Law Penalties and Fines for Non-Compliance

CAADCA Law Penalties

If you fail to comply with the new CAADCA restrictions, it can come back to bite you in the rear with a substantial fine. The CAADCA does not create a private right of action. However, only the California Attorney General can impose the following civil penalties:

  • Up to $2,500 per affected child for negligent violations, and 
  • Up to $7,500 per affected child for willful violations of the Act 

This is why it is so essential for businesses to develop and follow a comprehensive Data Protection Impact Assessment and mitigation plan. 

If the business is in “substantial compliance” with this assessment and mitigation plan, then the Attorney General should provide written notice to the business prior to filing an action. Further, if a business were found to be in violation, it would have 90 days to comply.

FAQ

1. What is the California Age-Appropriate Design Code Act? 

The California Age-Appropriate Design Code Act (CAADCA) is a child data protection law requiring that online services likely accessed by children under 18 years of age must ensure that their design prioritizes child privacy, safety, and well-being. The CAADCA will become effective July 1, 2024, and it is modeled on the United Kingdom’s Age-Appropriate Design Code. 

2. To Whom Does the CAADCA Law Apply? 

The CAADCA applies to businesses covered by the CCPA and related regulations that provide websites, apps, or online services that a reasonable person would think would likely be accessed by children under the age of 18. This includes general audience platforms if a reasonable person would think that minors have access to the platforms. 

3. What are the Penalties for Non-Compliance with the CAADCA Law? 

For each non-compliance violation, the CAADCA provides for fines up to $2,500 per child if the violation was negligent, and $7,500 per child if the violation was intentional. Enforced by the California Attorney General, the CAADCA law does not provide for private lawsuits for violations. 

4. How Can Businesses Comply With the California Age-Appropriate Design Code Act? 

Businesses must conduct Data Protection Impact Assessments, enable privacy by default, and refrain from collecting unnecessary data about minors. Businesses must also provide age-appropriate notices and ensure any geolocation or tracking features are disabled by default.

Conclusion

The California Age Appropriate Design Code (CAADCA) requires companies to make privacy by design part of children’s privacy when offering a digital product or service that has a high likelihood of users under 18 years old.  

The requirements when following the CAADCA include businesses determining if the service is age-designated for children, conducting Data Protection Impact Assessments, simpler privacy policies, turning off optional tracking by default, limiting geolocation data collection, and providing the child and their parent with tools to execute their own rights to privacy.

In supporting business compliance with CAADCA, we recommend the WPLP Compliance Platform to ensure that the business’s processes align with their privacy policy, data protection, and children’s privacy.

This guide is for informational purposes and does not constitute legal advice. Consult a privacy attorney for specific guidance on CAADCA compliance.

If you like this article, you might also like:

Want a Legal Compliance Platform for WordPress Websites? Grab WPLP Compliance Platform now.