California governor signs children’s privacy bill

Julie Rubash, Chief Privacy Counsel
September 19, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.



bill implementing the California Age Appropriate Design Code was officially signed into law. The law, which will go into effect July 1, 2024, will impose privacy restrictions and requirements on online products and services likely to be accessed by children under the age of 18. Companies within scope of the law will be required to either estimate the age of users with a “reasonable level of certainty” or apply child-appropriate protections for all users.

Child-appropriate protections include restrictions on profiling, use of personal information for purposes unnecessary to provide the service, and applying the highest level of privacy settings as a default.


Application of this California law is much broader than the current federal Children’s Online Privacy Protection Act (COPPA), which applies to services “directed to children” under the age of 13. Therefore, many websites and services that have never had to consider children’s privacy protection may soon have to do so with respect to their California users. 


The Federal Trade Commission (FTC) released a report detailing types of dark patterns, including tactics “tricking consumers into sharing their data” and reiterating the FTC’s commitment to take action against such tactics.

The report lists as examples of dark patterns user interfaces that (a) do not allow consumers to definitively reject data collection or use; (b) repeatedly prompt consumers to select settings they wish to avoid; (c) present confusing toggle settings leading consumers to make unintended privacy choices; (d) purposely obscure consumers’ privacy choices and make them difficult to access; (e) highlight a choice that results in more information collection (such as allowing cookies), while greying out the option that enables consumers to limit such practices; and (f) include default settings that maximize data collection and sharing.


The FTC can take action where such practices violate one of the federal laws enforced by the FTC, including the FTC Act that prohibits unfair or deceptive acts or practices. To avoid such actions, the FTC staff report recommends that businesses become “good stewards of consumer personal information” by making consumer choices easy to access and understand so that it is clear to the consumer what they are consenting to. 



EU / US Data Transfer Discussions Make “Very Good Progress”

According to a tweet from European Commissioner for Justice Didier Reynders, discussions on safe data flows between EU and the US have made “very good progress”, and they “should be able to move soon to next steps”. Reynders’ tweet thanked U.S. Secretary of Commerce Gina Raimondo for her leadership and EU and US teams for their great work.


The previous adequacy decision with the United States, the EU-US Privacy Shield, was invalidated by the Court of Justice of the European Union in 2020, so it can no longer be relied upon as the basis of transfers from the European Union to the United States. In March 2022, the European Commission and the United States announced that they had agreed “in principle” on a new Trans-Atlantic Data Privacy Framework, but details of the agreement have not yet been finalized.


Google / Meta fined for violating South Korean Privacy Laws

South Korean data protection authorities announced sanctions issued against Google of 69.2 billion won and Meta of 30.8 billion won based on allegations that the companies collected and used behavioral information for online customized advertising without obtaining proper consent as required by the Personal Information Protection Act (PIPA).


This is the largest penalty to date under PIPA and the first related to the collection and use of behavioral advertising.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Unlimited Data Export for Easier Privacy Audits and CMP Disclosures

July 12, 2024

Keeping track of all your tracking technology partners to...

What is Global Privacy Control? Frequently Asked Questions

July 9, 2024

How does Global Privacy Control work? How is it...

Comprehensive Privacy Laws Take Effect in Texas and Oregon

July 9, 2024

Now in effect: privacy laws in Texas, Oregon, and...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]