California governor signs children’s privacy bill

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

CALIFORNIA GOVERNOR SIGNS CHILDREN’S PRIVACY BILL

A bill implementing the California Age Appropriate Design Code was officially signed into law. The law, which will go into effect July 1, 2024, will impose privacy restrictions and requirements on online products and services likely to be accessed by children under the age of 18. Companies within scope of the law will be required to either estimate the age of users with a “reasonable level of certainty” or apply child-appropriate protections for all users.

Child-appropriate protections include restrictions on profiling, use of personal information for purposes unnecessary to provide the service, and applying the highest level of privacy settings as a default.

TAKEAWAY

Application of this California law is much broader than the current federal Children’s Online Privacy Protection Act (COPPA), which applies to services “directed to children” under the age of 13. Therefore, many websites and services that have never had to consider children’s privacy protection may soon have to do so with respect to their California users. 

FTC ISSUES STAFF REPORT ON DARK PATTERNS

The Federal Trade Commission (FTC) released a report detailing types of dark patterns, including tactics “tricking consumers into sharing their data” and reiterating the FTC’s commitment to take action against such tactics.

The report lists as examples of dark patterns user interfaces that (a) do not allow consumers to definitively reject data collection or use; (b) repeatedly prompt consumers to select settings they wish to avoid; (c) present confusing toggle settings leading consumers to make unintended privacy choices; (d) purposely obscure consumers’ privacy choices and make them difficult to access; (e) highlight a choice that results in more information collection (such as allowing cookies), while greying out the option that enables consumers to limit such practices; and (f) include default settings that maximize data collection and sharing.

TAKEAWAY

The FTC can take action where such practices violate one of the federal laws enforced by the FTC, including the FTC Act that prohibits unfair or deceptive acts or practices. To avoid such actions, the FTC staff report recommends that businesses become “good stewards of consumer personal information” by making consumer choices easy to access and understand so that it is clear to the consumer what they are consenting to. 

EUROPE

EU / US Data Transfer Discussions Make “Very Good Progress”

According to a tweet from European Commissioner for Justice Didier Reynders, discussions on safe data flows between EU and the US have made “very good progress”, and they “should be able to move soon to next steps”. Reynders’ tweet thanked U.S. Secretary of Commerce Gina Raimondo for her leadership and EU and US teams for their great work.

BACKGROUND

The previous adequacy decision with the United States, the EU-US Privacy Shield, was invalidated by the Court of Justice of the European Union in 2020, so it can no longer be relied upon as the basis of transfers from the European Union to the United States. In March 2022, the European Commission and the United States announced that they had agreed “in principle” on a new Trans-Atlantic Data Privacy Framework, but details of the agreement have not yet been finalized.

GLOBAL

Google / Meta fined for violating South Korean Privacy Laws

South Korean data protection authorities announced sanctions issued against Google of 69.2 billion won and Meta of 30.8 billion won based on allegations that the companies collected and used behavioral information for online customized advertising without obtaining proper consent as required by the Personal Information Protection Act (PIPA).

TAKEAWAY

This is the largest penalty to date under PIPA and the first related to the collection and use of behavioral advertising.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.