The California Age-Appropriate Design Code Act (CAADCA) was signed into law by Governor Gavin Newsom in September 2022. Starting on July 1, 2024, the bill will mandate businesses providing online services or features that are "likely to be accessed by children" take certain measures, such as conducting a data protection impact assessment. In this webinar, experts explore the intersection between CAADCA and existing children's privacy laws, and provide guidance on how companies, especially those in the gaming and child data handling app industries, can achieve compliance well in advance of the effective date.

1. 1
© 2023 TrustArc Inc. Proprietary and Confidential Information.
The California Age-Appropriate Design Code Act:
Navigating the New Requirements for Child Privacy

2. 2
Speakers
Joanne B. Furtsch
Director
Privacy Intelligence, Development,
TrustArc
Cody Venzke
Senior Policy Counsel
Surveillance, Privacy, Technology,
ACLU
Hailun Ying
Senior Lead Counsel, Privacy
Roblox

3. 3
Agenda
▪ Review of current trends and why this matters
▪ An overview of CA ADCA bill, its key provisions, and implementation
timelines
▪ A comparison between CA ADCA and the UK’s AADC
▪ A tour of what is happening at the US State and Federal level
▪ What steps you need to take to get into compliance with CA ADCA
▪ Q&A throughout

4. 4
Legal Disclaimer
The information provided during this webinar does not,
and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented
during this webinar are for general informational purposes only.
Anything discussed in the webinar is the speaker's
opinion and does not represent that of their employer.

5. 5
Why does this matter?
● Increasing regulatory scrutiny
● More children’s privacy regulations at the state level
● Expanded scope of laws protecting minors online
● New protections cover minors age 13-17.

6. 6
Current Trends
● Children’s information is seen as particularly sensitive
● Increasing concerns to protect children and teens
● Greater regulatory scrutiny of large online platforms
● Limit monetization of information collected from
children
● Extended reach of child protection requirements
● Increased legislative activity at the US state level

7. 7
What Happens Next?
Sept 2, 2020
UK AADC in force
Sept 2, 2021
Companies expected
to comply with UK
AADC
May 17, 2023
Montana governor signs law
banning Tik Tok from being offered
in app stores within the state
Sept 1, 2023
Arkansas Social
Media Safety Act
goes into effect
Jan 1, 2024
Montana Tik Tok ban
goes into effect
March 1, 2024
Utah Social Media
Regulation Act goes into
effect (3 laws now)
July 1, 2024
CA ADCA goes
into effect

8. 8
What is the California Age-Appropriate Design Code Act
(CA ADCA)?
● Modeled after the UK Age Appropriate Design Code
● Goes into effect July 2024
● Applies to businesses that provide online products, services, or features that likely to be accessed by
children (defined as any individual under age 18).
● Key provisions
○ High level privacy by default (with exceptions)
○ Clear and concise privacy statements, terms of service, and community standards
○ Estimate the age of child users with a reasonable level of certainty
○ Provide signals if monitoring usage
○ Provide prominent, accessible, and responsive tools to help children (or parents/guardian) to
exercise privacy rights
○ Conduct impact Assessments (DPIA’s)
Quick Overview

9. 9
How Did We Get To the CA ADCA?
Started with the UK
Quick Overview of UK Age Appropriate Design Code (AADC)
● Applies to relevant information society services which are likely to be accessed by
children.
● Child is defined as an individual under age 18
● In force since September 2, 2020 requiring businesses to be in compliance by September
2, 2021
● Includes 15 standards for safeguarding children’s privacy
● Designed to work with UK GDPR. If not in compliance with the Code, it will be difficult to
demonstrate compliance with UK GDPR

10. 10
Differences between the CA ADCA and UK AADC
CA ADCA UK AADC
Regulatory Framework
CA ADCA is a standalone law that is
independently enforced.
UK AADC works together with GDPR.
Best Interests of the
Child/Best Interests of
Children
Used in exemptions to default privacy
settings and legislative findings. UN
convention not recognized in the US
making the CA ADCA reference unclear
Based on the UN Convention on the
Rights of the Child
Default Privacy Settings
CA ADCA has an exception for when the
highest level of privacy is the default
setting
UK AADC does not include an
exception
Conducting DPIAs
A timeline for providing DPIAs upon
request is codified for CA ADCA.
The UK AADC only requires DPIAs be
available upon request.
Age Assurance
CA ADCA does include what risk to
consider when balancing data
minimization against age assurance
Take a risk-based approach to
recognize the age of individuals to
apply the UK AADC or apply the code
to all individuals

11. 11
What is Happening in Other States
● Privacy Bills
○ Enacted Legislation — CA, IA, TN, TX
○ Bills Introduced — KY
● Age Appropriate Design Codes
○ Enacted — CA, FL
○ Introduced — IL, MA, MN, NM, NJ, NV, NY, OR, TX
● Social Media Age Minimums and Parental
Consent Requirements
○ Enacted — AR, UT
○ Introduced — CT, KS, LA, MN, NC, NJ, SC, TX
● Addictive Design Bills
○ Enacted — UT
○ Introduced — CA, TX

12. 12
COPPA 2.0
● Reintroduced COPPA 2.0 bill in the US Senate early May 2023
● Extends COPPA protections to teens
● Key Provisions
○ Require consent of teens aged 13-16 prior to collecting their
personal information
○ Ban targeted advertising to children and minors
○ Expand the scope of online services covered under the law by
replacing the “actual knowledge” standard with the “reasonably
likely to be used” standard (similar to CA ADCA and UK AADC)
○ Create an Eraser button (similar to GDPR RTBF) for all users to
eliminate personal information submitted by the user about
children and minors when technologically feasible
○ Establish a Digital Marketing Bill of Rights for teens to limit the
collection of personal information
○ Establish the Youth Marketing and Privacy Division at the FTC

13. 13
Kids Online Safety Act
● Introduced in the US Senate in early May 2023
● Creates online tools for minors and parents and imposes
obligations on “covered platforms” that are “likely to be used” by
minors
● “Covered platforms” are social media, video games, educational
games, messaging applications, video streaming services, and
“online platforms”
● Key Provisions
○ Imposes a duty of care of “covered platforms” to mitigate certain harms
like addiction, mental health disorders, and anxiety
○ Provide minors options to protect their information, disable addictive
features, and opt-out of algorithmic recommendations
○ Provides parents with tools to view or change minors’ account settings
○ Strongest settings to be enabled by default
○ Requires social media platforms to conduct annual independent audits to
assess risks to minors, compliance with the Act, and how they are
mitigating those risks
○ Provides academia and public interest organizations with access to social
media platform data sets to research harms to the safety and well-being
of minors

14. 14
Actions to take now to comply with CA ADCA
Actions to take now
● Assess whether children will be visiting your online services
● Estimate the age of child users accessing your online services
○ Understand how well you know the users of your online
services.
○ Use a risk-based approach
● Leverage UK ICO’s guidance on how to comply with the UK
AADC as a starting point
● Determine which DPIAs need to be completed before July 2024
○ Assess features for dark patterns
○ Use of real-time geo-location
○ Automated processing

15. 15
How TrustArc Can Help

16. 16
16
Q&A

17. 17
17
Thank You!
See http://www.trustarc.com/insightseries for the 2023
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with privacy and
data security compliance, please reach out to sales@trustarc.com for a free demo.