California’s New Age-Appropriate Design Code Act Imposes New Obligations on Businesses to Protect Children
On September 15, 2022, California’s governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (“CAADCA”). The CAADCA furthers the goals of the California Privacy Rights Act (“CPRA”) and applies to businesses subject to the CPRA.[1]
Modeled after the UK’s Age-Appropriate Design Code, the CAADCA imposes new obligations on businesses that provide an online service, product, or feature (collectively, “Online Platforms”) that is likely to be accessed by children under the age of 18.[2] The CAADCA goes into effect on July 1, 2024.[3]
First, the CAADCA has an affirmative requirement for businesses to assess how their Online Platforms may harm children and to create a plan to mitigate those harms and to ensure their Online Platforms’ default settings are appropriate for children.[4] The CAADCA requires businesses to do the following, among other things.
- Create Data Protection Impact Assessments. The CAADCA requires businesses to prepare a Data Protection Impact Assessment for any new Online Platforms likely to accessed by children.[5] A Data Protection Impact Assessment is a document that assesses the risk of harm a business’s online services, products, or features pose to children.[6] Specifically, businesses must assess:
-
- how the design of the Online Platform may expose children to harmful content, contacts, or conduct;[7]
- how the design of the Online Platform may allow children to participate in harmful contacts or conduct;[8]
- how algorithms used by the Online Platform may harm children;[9]
- how targeted advertising systems used by the Online Platform may harm children;[10]
- how the Online Platform may increase, sustain, or extend its own use;[11] and
- how the Online Platform collects or processes children’s sensitive personal information.[12]
-
Businesses are required to make assessments available to the California attorney general upon written request.[13]
- Create Mitigation Plans. Businesses must also keep track of how risks that arise from their data management practices and create a timed plan to mitigate those risks prior to launch of an Online Platform.[14]
- Apply Protective Default Privacy Settings for Children. Businesses must estimate the age of child users of their online platforms.[15] Business must also configure default privacy settings for children at their most protective setting, unless the business can show that an alternative setting is the best interest of children.[16]
- Provide Tools to Exercise Privacy Rights and Report Concerns. Businesses must provide children tools to help them exercise their privacy rights and report concerns.[17]
Second, the CAADCA prohibits businesses from taking actions concerning their Online Platforms identified by the CAADCA as potentially harmful to children.[18] Business must not do the following, among other things.
- Improperly Use Children’s Personal Information. Businesses may not use a child’s personal information in a way that is harmful to a child.[19]
- Collect, Share, Sell, or Retain Unnecessary Personal Information. Businesses may not collect, sell, share, or retain any personal information that is not necessary to provide an Online Service with which a child is actively and knowingly engaged, unless the business can show doing so is in the best interests of children.[20]
- Secretly Collect Precise Geolocation Data by Default. Businesses may not collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.[21]
- Profile Children. A business may not profile a child except in limited circumstances.[22]
- Use Dark Patterns. A business may not use deceptive user interface design to trick children into providing more personal information than is reasonable, into foregoing privacy protections, or into doing anything that may harm children.[23]
Businesses that violate the CAADCA may be liable for damages of $2,500 per affected child for each negligent violation $7,500 per affected child for each intentional violation.[24]
この記事はThe Japan Practice Reportに掲載されました。The Japan Practice Reportを読む
First, the CAADCA has an affirmative requirement for businesses to assess how their Online Platforms may harm children and to create a plan to mitigate those harms and to ensure their Online Platforms’ default settings are appropriate for children.[4] The CAADCA requires businesses to do the following, among other things.
- Create Data Protection Impact Assessments. The CAADCA requires businesses to prepare a Data Protection Impact Assessment for any new Online Platforms likely to accessed by children.[5] A Data Protection Impact Assessment is a document that assesses the risk of harm a business’s online services, products, or features pose to children.[6] Specifically, businesses must assess:
-
- how the design of the Online Platform may expose children to harmful content, contacts, or conduct;[7]
- how the design of the Online Platform may allow children to participate in harmful contacts or conduct;[8]
- how algorithms used by the Online Platform may harm children;[9]
- how targeted advertising systems used by the Online Platform may harm children;[10]
- how the Online Platform may increase, sustain, or extend its own use;[11] and
- how the Online Platform collects or processes children’s sensitive personal information.[12]
-
Businesses are required to make assessments available to the California attorney general upon written request.[13]
- Create Mitigation Plans. Businesses must also keep track of how risks that arise from their data management practices and create a timed plan to mitigate those risks prior to launch of an Online Platform.[14]
- Apply Protective Default Privacy Settings for Children. Businesses must estimate the age of child users of their online platforms.[15] Business must also configure default privacy settings for children at their most protective setting, unless the business can show that an alternative setting is the best interest of children.[16]
- Provide Tools to Exercise Privacy Rights and Report Concerns. Businesses must provide children tools to help them exercise their privacy rights and report concerns.[17]
Second, the CAADCA prohibits businesses from taking actions concerning their Online Platforms identified by the CAADCA as potentially harmful to children.[18] Business must not do the following, among other things.
- Improperly Use Children’s Personal Information. Businesses may not use a child’s personal information in a way that is harmful to a child.[19]
- Collect, Share, Sell, or Retain Unnecessary Personal Information. Businesses may not collect, sell, share, or retain any personal information that is not necessary to provide an Online Service with which a child is actively and knowingly engaged, unless the business can show doing so is in the best interests of children.[20]
- Secretly Collect Precise Geolocation Data by Default. Businesses may not collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.[21]
- Profile Children. A business may not profile a child except in limited circumstances.[22]
- Use Dark Patterns. A business may not use deceptive user interface design to trick children into providing more personal information than is reasonable, into foregoing privacy protections, or into doing anything that may harm children.[23]
Businesses that violate the CAADCA may be liable for damages of $2,500 per affected child for each negligent violation $7,500 per affected child for each intentional violation.[24]
この記事はThe Japan Practice Reportに掲載されました。The Japan Practice Reportを読む
Related Articles
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
California’s New Age-Appropriate Design Code Act Imposes New Obligations on Businesses to Protect Children
On September 15, 2022, California’s governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (“CAADCA”). The CAADCA furthers the goals of the California Privacy Rights Act (“CPRA”) and applies to businesses subject to the CPRA.[1]
Modeled after the UK’s Age-Appropriate Design Code, the CAADCA imposes new obligations on businesses that provide an online service, product, or feature (collectively, “Online Platforms”) that is likely to be accessed by children under the age of 18.[2] The CAADCA goes into effect on July 1, 2024.[3]
First, the CAADCA has an affirmative requirement for businesses to assess how their Online Platforms may harm children and to create a plan to mitigate those harms and to ensure their Online Platforms’ default settings are appropriate for children.[4] The CAADCA requires businesses to do the following, among other things.
- Create Data Protection Impact Assessments. The CAADCA requires businesses to prepare a Data Protection Impact Assessment for any new Online Platforms likely to accessed by children.[5] A Data Protection Impact Assessment is a document that assesses the risk of harm a business’s online services, products, or features pose to children.[6] Specifically, businesses must assess:
-
- how the design of the Online Platform may expose children to harmful content, contacts, or conduct;[7]
- how the design of the Online Platform may allow children to participate in harmful contacts or conduct;[8]
- how algorithms used by the Online Platform may harm children;[9]
- how targeted advertising systems used by the Online Platform may harm children;[10]
- how the Online Platform may increase, sustain, or extend its own use;[11] and
- how the Online Platform collects or processes children’s sensitive personal information.[12]
-
Businesses are required to make assessments available to the California attorney general upon written request.[13]
- Create Mitigation Plans. Businesses must also keep track of how risks that arise from their data management practices and create a timed plan to mitigate those risks prior to launch of an Online Platform.[14]
- Apply Protective Default Privacy Settings for Children. Businesses must estimate the age of child users of their online platforms.[15] Business must also configure default privacy settings for children at their most protective setting, unless the business can show that an alternative setting is the best interest of children.[16]
- Provide Tools to Exercise Privacy Rights and Report Concerns. Businesses must provide children tools to help them exercise their privacy rights and report concerns.[17]
Second, the CAADCA prohibits businesses from taking actions concerning their Online Platforms identified by the CAADCA as potentially harmful to children.[18] Business must not do the following, among other things.
- Improperly Use Children’s Personal Information. Businesses may not use a child’s personal information in a way that is harmful to a child.[19]
- Collect, Share, Sell, or Retain Unnecessary Personal Information. Businesses may not collect, sell, share, or retain any personal information that is not necessary to provide an Online Service with which a child is actively and knowingly engaged, unless the business can show doing so is in the best interests of children.[20]
- Secretly Collect Precise Geolocation Data by Default. Businesses may not collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.[21]
- Profile Children. A business may not profile a child except in limited circumstances.[22]
- Use Dark Patterns. A business may not use deceptive user interface design to trick children into providing more personal information than is reasonable, into foregoing privacy protections, or into doing anything that may harm children.[23]
Businesses that violate the CAADCA may be liable for damages of $2,500 per affected child for each negligent violation $7,500 per affected child for each intentional violation.[24]
この記事はThe Japan Practice Reportに掲載されました。The Japan Practice Reportを読む
First, the CAADCA has an affirmative requirement for businesses to assess how their Online Platforms may harm children and to create a plan to mitigate those harms and to ensure their Online Platforms’ default settings are appropriate for children.[4] The CAADCA requires businesses to do the following, among other things.
- Create Data Protection Impact Assessments. The CAADCA requires businesses to prepare a Data Protection Impact Assessment for any new Online Platforms likely to accessed by children.[5] A Data Protection Impact Assessment is a document that assesses the risk of harm a business’s online services, products, or features pose to children.[6] Specifically, businesses must assess:
-
- how the design of the Online Platform may expose children to harmful content, contacts, or conduct;[7]
- how the design of the Online Platform may allow children to participate in harmful contacts or conduct;[8]
- how algorithms used by the Online Platform may harm children;[9]
- how targeted advertising systems used by the Online Platform may harm children;[10]
- how the Online Platform may increase, sustain, or extend its own use;[11] and
- how the Online Platform collects or processes children’s sensitive personal information.[12]
-
Businesses are required to make assessments available to the California attorney general upon written request.[13]
- Create Mitigation Plans. Businesses must also keep track of how risks that arise from their data management practices and create a timed plan to mitigate those risks prior to launch of an Online Platform.[14]
- Apply Protective Default Privacy Settings for Children. Businesses must estimate the age of child users of their online platforms.[15] Business must also configure default privacy settings for children at their most protective setting, unless the business can show that an alternative setting is the best interest of children.[16]
- Provide Tools to Exercise Privacy Rights and Report Concerns. Businesses must provide children tools to help them exercise their privacy rights and report concerns.[17]
Second, the CAADCA prohibits businesses from taking actions concerning their Online Platforms identified by the CAADCA as potentially harmful to children.[18] Business must not do the following, among other things.
- Improperly Use Children’s Personal Information. Businesses may not use a child’s personal information in a way that is harmful to a child.[19]
- Collect, Share, Sell, or Retain Unnecessary Personal Information. Businesses may not collect, sell, share, or retain any personal information that is not necessary to provide an Online Service with which a child is actively and knowingly engaged, unless the business can show doing so is in the best interests of children.[20]
- Secretly Collect Precise Geolocation Data by Default. Businesses may not collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.[21]
- Profile Children. A business may not profile a child except in limited circumstances.[22]
- Use Dark Patterns. A business may not use deceptive user interface design to trick children into providing more personal information than is reasonable, into foregoing privacy protections, or into doing anything that may harm children.[23]
Businesses that violate the CAADCA may be liable for damages of $2,500 per affected child for each negligent violation $7,500 per affected child for each intentional violation.[24]
この記事はThe Japan Practice Reportに掲載されました。The Japan Practice Reportを読む
Related Articles
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026