• California AG Proposes New Amendments To CCPA with the Children’s Data Privacy Act

    By Scott Hall and Bina Patel

    Key Takeaways

    • The Children’s Data Privacy Act (AB 1949) would require businesses to obtain affirmative authorization to collect, use or disclose personal data of children under 18 in California.
    • Businesses should focus on understanding what data from children they may be collecting through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of children’s data.

    Despite a court ruling late last year that blocked the California Age Appropriate Design Code Act (CAADCA) from going into effect in 2024, as scheduled, California’s Attorney General Rob Bonta is pressing forward with an amendment to the California Consumer Privacy Act (CCPA) aimed at protecting children’s data.

    The Children’s Data Privacy Act (AB 1949), a bill introduced on January 29, 2024, would further amend the CCPA to prohibit businesses from collecting personal data of individuals under the age of 18, unless they receive affirmative authorization (i.e., opt-in consent) to do so. For individuals under the age of 13, the affirmative authorization must come from the parent. Specifically, the proposed amendment states that “a business shall not collect the personal information of a consumer less than 18 years of age, unless the consumer, in the case of a consumer at least 13 years of age and less than 18 years of age, or the consumer’s parent or guardian, in the case of a consumer less than 13 years of age, has affirmatively authorized the collection of the consumer’s personal information.” (Proposed amendment to Cal. Civil Code § 1798.100(g).) The bill authorizes the Office of the Attorney General to enforce the law and seek injunctive relief, damages, or civil penalties of up to $5,000 per violation.

    AB 1949 represents a significant change to the CCPA. The law currently only prohibits the selling or sharing (for cross-context behavioral advertising purposes) of minors’ data without affirmative opt-in consent and does not prohibit the collection of such data without informed consent. Notably, the changes proposed by AB 1949 will allow California to align its privacy law and increased focus on the protection of children’s data with the vast majority of other states. When the CCPA initially went into effect in January 2020, it was the first comprehensive state privacy law in the nation and blazed the trail for many other state laws that have followed in recent years. However, unlike the CCPA, the majority of other states that have passed privacy laws subsequent to the CCPA have defined “sensitive information” to include the data of minors and have required affirmative opt-in consent prior to collecting or processing sensitive information of minors. The proposed amendment would make California’s data collection requirements consistent with the majority of other states.

    Beyond restricting collection of minor data, AB 1949 also proposes amendments to the CCPA to prohibit the “use or disclos[ure]” of the personal information of minors without affirmative consent by the consumer or guardian. (Proposed amendment to Cal. Civil Code § 1798.121(e)). The law would also require – on or before July 1, 2025 – the California Privacy Protection Agency to issue regulations to establish technical specifications for an opt-out preference signal that allows a consumer (or a parent or guardian) to specify that the consumer is less than 13 years of age or less than 18 years of age, and to establish regulations regarding age verification and when a business must treat a consumer as being less than 13 or 18 years of age for purposes of the CCPA. (Proposed amendment to Cal. Civil Code § 1798.185(e).)

    Admittedly, AB 1949 is not as comprehensive as CAADCA, which would require businesses to perform data protection impact assessments upon request from the Attorney General for products or services “likely to be accessed by children,” as well as implement stricter default privacy settings and terms. Even so, AB 1949 is an important step towards greater privacy protection for children and will make the patchwork of standards regarding children’s data collection and use more consistent across the country.

    Having said that, CAADCA is still alive and, while the legal challenge continues, businesses may eventually have to deal with that stricter law or some modified version of it. To learn more about the requirements of CAADCA, see our prior article. Until then, given that AB 1949 will likely be enacted to put California on equal footing with other state privacy laws, businesses should focus on understanding whether and what data from minors may be collected through online or offline channels and prepare to implement opt-in mechanisms for the collection, use and disclosure of minor data.

    Please contact the Coblentz Data Privacy Team with any questions about AB 1949 or other privacy issues.

    Categories: Publications
  • You’ve Worked To Make Your Website Cookies, Pixels, and Chat Function Compliant With Privacy Laws; Now What Is A “Pen Register”?

    By Scott Hall and Amber Leong

    Key Takeaways

    • Despite your recent efforts to comply with privacy law requirements for website cookies, pixels, and analytics, your business may be at risk of getting sued for violations of “pen register” or “trap and trace” laws based on information collected from website or mobile app users.
    • A recent court decision has breathed new life into pen register and trap and trace claims. More than 75 complaints have been filed in California courts over the past few months, and courts addressing these claims will need to reconcile the clear inconsistency between older pen register laws and more recent data privacy laws such as the EU’s GDPR and California’s CCPA/CPRA.
    • Businesses should be aware of what cookies, analytics, and other website technologies they are running on their websites.

    In the world of data privacy litigation, plaintiffs’ attorneys are always looking for the next big thing. Over the past couple of years, plaintiffs in California and elsewhere have tried to use decades-old wiretapping and eavesdropping statutes against companies, claiming that the use of website chat functions, session recording tools, cookies, pixels, and other tracking software amounted to “wiretapping” or “eavesdropping” on website visitors.

    Having found limited success with these legal claims, the newest tactic in privacy litigation appears to rely on the theory that website cookies or other website analytics tools constitute “pen registers” or “trap and trace” devices under the California Invasion of Privacy Act (“CIPA”), California Penal Code § 638.51. The basis for these new claims appears to stem from a single recent decision, Greenley v. Kochava, 22-cv-01327-BAS-HSG, — F.Supp.3d —-, 2023 WL 4833466 (S.D. Cal. July 27, 2023) (“Kochava”), where the court – acknowledging that it was an issue of first impression[1] – allowed pen register claims to move beyond the motion to dismiss stage, at least in the context of that case. Kochava has opened the floodgates to pen register litigation, as over 75 complaints have been filed in California courts over just the past couple of months, asserting vague and formulaic violations of pen register laws, with many more cases likely to follow.

    So, what is a “pen register”? Explaining the term requires remembering a time before the Internet and cellular telephones when special equipment was necessary to record numbers dialed to or from a landline telephone. Historically, pen registers were devices that could record numbers dialed to or from a particular telephone and were often used in criminal investigations. Laws prohibiting the use of pen registers without consent or a warrant were targeted at eliminating conduct akin to surveillance done under the color of law without proper authorization.[2] The federal pen register statute, passed in 1986, did not contemplate a world where cellular phones are ubiquitous portable handheld computer devices that now identify and record all phone numbers dialed to and from them, let alone application of the law to the Internet, where identification of computers and routers through IP addresses and other electronic source information is necessary to all website interactions. And, while the 2001 USA Patriot Act and certain state laws expanded the definition of a pen register to try to address computer and Internet communications, these laws were still largely based on older statutory language and definitions that are not a precise or comprehensive fit for all of the various electronic communications and interactions that occur online or through mobile devices today.

    Returning to the present day, up to and until the Kochava case, there has been little to no civil litigation over the use of pen registers.[3] As noted above, there are good reasons for this. Cellular telephone technology, the Internet, and other advances have changed how we communicate. The pen register statutes apply, if at all, awkwardly to advancing technologies, and there are newer privacy laws specifically aimed at Internet privacy. However, because California’s pen register law defines “pen register” as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, plaintiffs in Kochava sought to dust off the pen register law to apply it to Internet communications. In Kochava, plaintiffs asserted violations of the pen register law against a data broker company that provided a software development kit (“SDK”) to application developers. As the Kochava court noted, application-based companies could then embed Kochava’s SDK in their mobile applications to

    ‘deliver targeted advertising . . . by in essence ‘fingerprinting’
    each unique device and user, as well as connecting users across
    devices and devices across users.’ The data links longitude and
    latitude coordinates with these fingerprints, which can be ‘easily
    de-anonymized.’  In addition to geolocation, [the SDK allows
    apps] to ‘search terms, click choices, purchase decisions and/or
    payment methods.’  This data collection allows [Kochava to]
    deliver ‘targeted advertising . . . while tracking [users’] locations,
    spending habits, and personal characteristics’ and share this ‘rich
    personal data simultaneously with untold numbers of third-party
    companies.’

    Kochava, 2023 WL 4833466, at *2-3 (internal citations to complaint omitted). Given this unique software and its purported ability to collect a treasure trove of information that could create a personal unique identifier, the Kochava court held that the SDK at issue amounted to a “process” that could collect “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” Id. at *27. Thus, Kochava “reject[ed] the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a ‘pen register’” and allowed the claim to proceed past the motion to dismiss stage.

    For now, it is unclear how broadly or narrowly courts will apply Kochava. Kochava involved a data broker with particular software used on mobile applications. The Kochava court carefully parsed through the “pen register” statute to conclude that “software installed in a telephone” could constitute a “pen register.” Accordingly, the Kochava holding merely stands for the proposition that a pen register claim may proceed (but not necessarily succeed) against a data broker (an entity selling data for targeted advertising rather than simply collecting it for its purposes) that installed software on users’ telephones (as opposed to on websites), purportedly without consent. It would seem to require a broad leap for other courts to apply this holding generally to find that the mere collection of data through website cookies or analytics that facilitate online interactions and transactions with consumers – and which is necessary for website operations and done by every company that operates a website – violates the law. Such a holding would essentially cripple online commerce and all other Internet communications and activities.     

    While the Kochava decision may have breathed new life into pen register and trap and trace theories for the moment, courts addressing these claims must confront and reconcile the clear inconsistency between older pen register laws and more recent data privacy statutes that specifically govern the processes and disclosures companies must use when collecting consumer information on their websites, including via cookies and other analytics.

    For example, the European Union’s General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and many other state privacy laws all carefully and explicitly regulate how personal information may be collected from individuals, including on Internet websites. These statutes emphasize transparency and disclosure of data collection practices through privacy notices, cookie banners, and other just-in-time methods, which allow consumers to exercise their privacy rights and control the flow of information transmitted on the Internet. But even if companies are compliant with these more recent privacy laws, they may be found to violate the old pen register and trap and trace laws if applied broadly and extended to Internet technologies. This is because, taken broadly, every company in the world that operates a website necessarily collects certain device source information in connection with website interactions. Yet, avoiding the collection of such information in the context of the Internet – an ecosystem of connected computers – is impossible. Thus, it remains to be seen whether courts will find that every company is violating the law by participating in online commerce, even when (or especially when) they are complying with more recent privacy laws that specifically regulate how companies collect and process the precise information at issue in these new pen register cases.

    For now, plaintiffs’ attorneys will use Kochava as a foothold in an attempt to expand the pen register statute and expand Kochava’s fact-specific holding. Until courts consistently determine how to apply the pen register laws, if at all, to Internet communications, and reconcile such laws and claims against the backdrop of recently enacted privacy laws, we will all be riding this new wave of privacy litigation together.

    Please contact the Coblentz Data Privacy Team with questions or to assist with any privacy claims or needs.


    [1] And in fact, Kochava was the first case to ever cite to the California pen register statute, and at the date of this publication, still the only case to have cited to and analyzed the provision.

    [2] Notably, the United States Supreme Court has held that individuals do not have a reasonable expectation of privacy under the Fourth Amendment of the U.S. Constitution to suppress any evidence obtained from pen registers. Smith v. Maryland, 442 U.S. 735, 742 (1979) (noting that a pen register has “limited capabilities” and the petitioner had no “legitimate expectation of privacy” regarding the numbers he dialed).

    [3] To the extent the litigation was not derivative of any criminal charges.

  • Citizenship and Immigration Status Is Now Categorized as Sensitive Personal Information under California Law

    By Scott Hall, Fred Alvarez, and Amber Leong

    On October 8, 2023, California Governor Gavin Newsom signed into law AB-947, which expanded the category of “sensitive personal information” to include citizenship or immigration status. The category of sensitive personal information under the California Privacy Rights Act (“CPRA”) already includes government identifiers, precise geolocation, information concerning sexual orientation, racial or ethnic origin, religious or philosophical beliefs, and union membership.

    The CPRA contains special restrictions on the collection, use and disclosure of sensitive personal information. If your business collects citizenship or immigration information, you will need to update your privacy policy and revise and review your collection and processing of any sensitive personal information.

    Importantly, employee information falls within the scope of the CPRA. That means if your business is subject to the CPRA and you have California-based employees, you are inevitably collecting citizenship or immigration status information that will now constitute sensitive personal information under the new law. If so, you will separately need to update your employee privacy notice and potentially adjust collection and processing procedures with respect to employee information.

    The CPRA requires yearly updates of both your consumer privacy policy and employee privacy policy. If you do not have up-to-date consumer or employee privacy policies, there is no better time than now to get started. With the new year right around the corner, now is the time to get your data privacy ducks in a row for 2024.

    Please reach out to Coblentz’s Data Privacy or Labor & Employment groups with further questions.

  • Plaintiffs Continue Website Privacy Lawsuits Using 35-Year-Old Statute

    By Scott Hall, Mari Clifford, and Amber Leong

    In 1988, Congress enacted the Video Privacy Protection Act (“VPPA”) in response to the disclosure of Judge Robert Bork’s video rental history during his Supreme Court confirmation hearing. Creative plaintiffs’ lawyers in recent years have asserted new claims under this statute, arguing that the use of website tracking pixels that transmit a user’s visit to a website page containing an embedded video violates the VPPA. Some courts have allowed some of these claims to pass the pleading stage, resulting in a proliferation of pre-litigation demands and complaints against companies who embed videos on their websites and use pixel analytics.[1]

    There are several defenses that have defeated these claims at the pleading stage, however.

    First, courts are in agreement that the VPPA only applies to “subscribers” and not just any user who happens to watch a video on a website. What constitutes a “subscriber” can get tricky though. Some courts have held that subscribing to a mailing list or newsletter may be sufficient,[2] while other courts have reached a different conclusion and required a subscription to video services or video content.[3]

    Second, what constitutes “personally identifiable information” under the VPPA is also litigated. The Third Circuit has held that under the VPPA, personally identifiable information (“PII”) is limited only to “information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.”[4] Thus, in In re Nickelodeon, the Third Circuit held that “static identifiers” such as an IP address would not allow an ordinary person to determine which videos were viewed online and thus are not actionable under the VPPA.[5] However, courts have regularly held that a Facebook ID is sufficient to constitute PII because it can be easily and directly tied to an individual through that individual’s Facebook account.

    Third, the VPPA specifically pertains to pre-recorded videos, and does not apply to live-stream content.[6]

    Lastly, the statutory language provides an explicit exemption from the VPPA if a company obtains affirmative, written consent from the user prior to the collection and transmission of a user’s purported video-watching history.[7] There are specific codified requirements to obtain consent under the VPPA including, among other things, providing “a form distinct and separate from any form setting forth other legal or financial obligations of the consumer.”[8] Thus, obtaining consent under the VPPA may look different than obtaining consent sufficient under wiretapping statutes as detailed in our article linked here.

    If you have questions about how to navigate this legal landscape, or if your company has been served a pre-litigation demand letter, please reach out to the Coblentz Data Privacy & Cybersecurity Team to discuss the various legal defenses available to your company. There is no one-size-fits-all approach. Navigating this (constantly changing) area of law requires a determination of your business needs, business model, and a well-thought-out and bespoke approach.

     

    [1] See e.g., Belozerov v. Gannett Co., Inc., —F. Supp. 3d—-, 2022 WL 17832185 (D. Mass. 2022).

    [2] Harris v. Public Broadcasting Serv., —F.Supp.3d—-, 2023 WL 2583118, at *3 (N.D. Ga. 2023).

    [3] See Salazar v. Paramount Global d/b/a 247Sports, 22-cv-00756, Dkt No. 33 (M.D. Tenn. July 18, 2023); see also Austin-Spearman v. AMC Network Entertainment LLC, 98 F. Supp. 3d 662 (S.D.N.Y. 2015).

    [4] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 284 (3d Cir. 2016).

    [5] See also White v. Samsung Elec. Am., Inc., Civ. No. 17-1775, 2019 WL 8886485, at *5 (D. N.J. Aug. 21, 2019) (granting Samsung’s motion to dismiss the VPPA claim because allegations of only obtaining IP addresses, MAC addresses, and zip codes do not constitute PII under VPPA).

    [6] Stark v. Patreon, 635 F. Supp. 3d 841, 852 (N.D. Cal. 2022).

    [7] 18 U.S.C. § 2710.

    [8] Id. § 2710(b)(2)(B).

  • Companies Should Keep in Mind Chatbots, Session Recordings, Mouseclicks: New Consumer Privacy Suits Continue Under Decades-Old Wiretapping Statutes

    By Scott Hall, Mari Clifford, and Amber Leong

    Numerous new website technologies and tools allow companies to more effectively interact with their customers. These include chatbots, session recording software, tracking pixels (snippets of code that can be used to identify certain designated behavior on a website like seeing which products users are clicking on), and cookies (which remember products previously added to a shopping cart). All of these tools are immensely helpful in engaging with and identifying user experiences, and they help improve and promote a company’s business operations.

    Plaintiffs’ attorneys have recently argued that the use of these website technologies – especially when provided or facilitated by a third-party vendor – constitutes violations of wiretapping and eavesdropping statutes. Under these statutes – both federal and state analogs – it is a violation if an individual uses a recording device to eavesdrop or intercept a confidential communication without the consent of the parties.

    Historically, these statutes were used against individuals secretly listening in on private telephonic conversations. However, plaintiffs’ attorneys have revived these statutes to claim that companies are violating these laws through the use of website technologies. And some courts have allowed some of these claims to pass the motion to dismiss stage.[1]

    This has created a flurry of pre-litigation demands against companies with consumer-facing websites. Many companies seek to settle these claims to avoid litigation costs, but several matters have gone to court. As more of these cases are making their way through the courts, we are able to see patterns in how courts are addressing these claims. There now appears to be a distinction emerging between claims that are allowed to proceed past the motion to dismiss stage and those that are not. Chatbots and session recording technologies used only to aid in servicing the website as a service provider have been found insufficient to state a claim under the wiretapping statutes.[2] By contrast, the use of these tools to collect user data that a third-party vendor is permitted to use for other purposes (including its own business purposes or with services to other companies) has been found to be sufficient to pass the motion to dismiss hurdle.[3]

    The logic behind the reasoning is that there is no unlawful third-party “interception” by an entity that is acting as a service provider to provide a service for the company with whom the individual consumer is interacting. Put differently, a company cannot eavesdrop on itself or “intercept” its own communications.[4]

    Given this guidance, companies should take the following steps if they use any chatbots, mouse click trackers, or session-recording technology to better understand their users:

    • Service Provider Agreements: Companies should enter into service provider agreements with the chatbot, session recording, or mouse click providers. Contained within the agreements should be clear contractual language that companies providing such services cannot sell, share or use the personal information of users for their own purposes. This language thus captures that the service provider is there to provide a service and reaps no benefit in the form of personal information data.
    • Update Privacy Policies: Companies should update their privacy policies and ensure that the policies adequately disclose the use of any chatbots, mouse clicks, or session recording. While updating the privacy policies alone will not be sufficient to be compliant with the various data privacy laws because courts have held that privacy policies at the bottom or footer of webpages may not give sufficient notice of recordings, the policies are nevertheless necessary for compliance as the bare minimum requirements.
    • Disclose Immediately Prior to Recording: Companies should explicitly disclose that chat communications or other website interactions are being recorded by a vendor, and that if a user chooses to continue, they are consenting to such recording. Consent is an adequate defense to the wiretapping and eavesdropping claims. While the issues of adequate notice and consent continue to be litigated throughout the courts, generally, providing disclosure of such recordings immediately prior to the session with the opportunity to not proceed should work to provide sufficient notice and consent under the wiretapping laws.

    Overall, the legal landscape of these claims is still in flux. However, a clear line that has developed is that a company’s use of “service providers” providing the recording services for companies is not in violation if that service provider cannot use the information collected for purposes other than to support the company, particularly if adequate notice has been provided to the users. This rule, however, does not include the use of analytics or pixels—which the courts have frequently found involve data exchanges with third parties for purposes beyond providing a service and which have been found sufficient to proceed past the motion to dismiss stage.[5]

    If you have questions about whether your website collection procedures are compliant, or if you have received a threat or complaint about violation of the wiretapping statutes based on website technologies, please reach out to the Coblentz Data Privacy & Cybersecurity Team.

     

    [1] See e.g., Hazel v. Prudential Financial, Inc., 22-cv-07465-CRB, 2023 WL 3933073 (N.D. Cal. June 9, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).

    [2] See Licea v. Vitacost.com, Inc., —F.Supp.3d—, 2023 WL 5086893 (S.D. Cal. 2023).

    [3] See e.g., Hazel, 2023 WL 3933073.

    [4] See also Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832-33 (N.D. Cal. 2021) (“[A]s a service provider, [third-party vendor] is an extension of [Defendant]. It provides a tool – like a tape recorder … that allows [Defendant] to record and analyze its own data in aid of [Defendant’s] business. It is not a third-party eavesdropper. As a result, [Defendant] is not liable for aiding and abetting [vendor’s] wrongdoing because there is no wrongdoing.”); Cody v. Boscov’s, Inc., ––– F.Supp.3d at ––––, 2023 WL 2338302, at *2 (C.D. Cal. 2023) (“Plaintiff must provide facts suggesting that [the vendors] are recording Defendant’s customers’ information for some use or potential future use beyond simply supplying this information back to Defendant.”).

    [5] Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118 (N.D. Cal. Apr. 6, 2023) (Data broker was not a party to internet users’ communications, for purposes of exemption from liability for wiretapping claims under the federal Wiretap Act and the California Invasion of Privacy Act, where broker allegedly tracked users’ browsing activities on websites other than its own to intercept their personal information and sell it to third parties.)

     

  • 2023 Reduction In Property Taxes (Prop 8)

    Office vacancies have caused the values of Bay Area commercial real property to significantly decline in 2022. The value of real property that is used to determine the property tax assessment for the 2023-2024 fiscal year (which runs from July 1, 2023 to June 30, 2024) is determined as of the January 1, 2023 valuation date.

    Depending on the extent to which the value of your property has declined, it is likely that the assessed value of your property, as of January 1, 2023, is considerably lower than the value currently listed on the assessment roll. If a property owner requests a reduction, the Assessor has the authority to proactively change the assessed value of a property to recognize a decrease in value (a one-time Proposition 8 reduction). In addition, if a property owner disputes the assessed value, the owner can file an Appeal with the Assessment Appeals Board and receive an Administrative Hearing. The deadline for filing an Appeal in most counties is September 15, although a few are November 30.

    Our tax partner, Jeff Bernstein, has extensive experience in property tax assessment matters, and has attained significant reductions in property tax valuations for many owners of commercial and multi-family residential properties. If a reduced valuation can be achieved, the property tax savings could be substantial.

    Please contact Jeff directly (jbernstein@coblentzlaw.com) if you are interested in discussing your potential for a reduced property tax valuation.

  • 2023 Mid-Year Labor and Employment Update

    A Comprehensive Look at New Developments in Labor and Employment Law

    By Fred Alvarez, Hannah Jones, Stephen Lanctot, Allison Moser, Kenneth Nabity

    We are halfway through 2023 so it is a good time to look back on this year’s employment law developments so far and look forward to what lies ahead.

    Our 2023 Mid-Year Labor and Employment Update provides a short overview of the legal changes that we are monitoring the closest and that we think our clients should be aware of. These changes include new laws, regulations, and decisions in the areas of workplace diversity programs, pay transparency, non-compete agreements, religious accommodations, non-disclosure and confidentiality restrictions, independent contractor relationships, whistleblowing, drug-free workplaces, and remote employee onboarding. We’ve also included our thoughts on “what now?” regarding each key legal development and potential ways to help mitigate employment law risk.

    You can download the full report here. If you have any questions about any of the issues discussed in this mid-year update, please reach out to a member of the Coblentz Employment Team.

  • California Privacy Protection Agency Signals Intent To Keep The Gas On Privacy Enforcement Despite Recent Court Decision

    By Scott Hall and Amber Leong

    Despite (or possibly in reaction to) the recent court decision halting the enforcement of the regulations for the Consumer Privacy Rights Act (“CPRA”) by nine months, California regulatory authorities have made clear that they are still full speed ahead on privacy.

    Immediately after the recent court decision on June 30, 2023, the California Attorney General’s Office issued a press release announcing that it had sent notices to certain California employers regarding their compliance efforts in connection with employee privacy rights. Subsequently, the California Privacy Protection Agency (“CPPA”) released a statement on July 31, 2023 announcing its intent to review automakers’ data privacy practices for any “connected vehicle[s]” given these vehicles’ ability to collect information “via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” A few days later, on August 4, 2023, California Attorney General Rob Bonta and the CPPA filed a petition seeking to overturn the June 30, 2023 trial court decision delaying enforcement of the CPRA regulations.

    Thus, in what has been a very busy past few weeks, California has clearly signaled its intent and willingness to move forward with the enforcement of privacy rights of California residents under the CPRA (which remains in effect despite the halt of regulations by court order). If companies have not already done so, they should, as soon as possible, assess whether they are subject to the CPRA and, if so, work with their legal teams to ensure their data collection practices, privacy policies, service provider agreements, and mechanisms to process consumer requests are all in place. Companies should also closely review areas of privacy that have been identified as enforcement priorities by regulators, including employee privacy rights, selling and sharing of consumer data, and connected vehicle data collection. California has shown it is not afraid to dole out fines in the millions. And with a new, dedicated California Privacy Protection Agency, in addition to the AG’s office, Federal Trade Commission, and other privacy enforcers, we can be sure to see a continued focus on privacy enforcement. If you have any questions or concerns, please do not hesitate to contact the Coblentz Data Privacy & Cybersecurity team.

  • How To Prepare For California’s New Privacy Law For Children

    By Scott Hall and Bina Patel

    Although you are likely breathing a sigh of relief after just finishing compliance efforts for the California Privacy Rights Act (“CPRA”), don’t relax just yet. California has another new privacy law going into effect on July 1, 2024: The California Age-Appropriate Design Code Act (“CAADCA”). The new law is aimed at enhancing privacy, data, and safety protections for children and teens who use online platforms. Businesses subject to the CPRA should review the requirements of CAADCA closely to determine how their data protection measures should be updated, as the new law expands upon existing laws geared towards minors, such as California’s Parent’s Accountability and Child Protection Act and the federal Children’s Online Privacy Protection Act (“COPPA”).

    Businesses Subject to CAADCA

    CAADCA defines “business” the same way as CPRA.[1]  But, CAADCA only applies to businesses that provide online services, products, or features that are “likely to be accessed by children” who are under age 18. Still, this is a very broad scope, and much broader, for example, than COPPA, which is limited to operators of websites “directed to children” under 13, or with “actual knowledge” that a website is collecting personal information of children under 13.  CAADCA therefore expands both the age range (by 5 years) and the types of businesses and websites subject to regulation, since many online services, products, or features may be “likely to be accessed by children” under 18 even if they are not specifically directed at children or with actual knowledge of access by children. Whether a website is “likely to be accessed by children” will be determined based on various factors, including whether it is directed to children, routinely accessed by a significant number of children, has advertisements marketed to children, has design elements that are known to be of interest to children (i.e., games, cartoons, music, and celebrities who appeal to children), and has a significant audience that is determined to be children.

    Affirmative Requirements of Covered Businesses

    CAADCA requires covered businesses to implement the following affirmative actions:

    • Perform a Data Protection Impact Assessment. Covered businesses must complete a Data Protection Impact Assessment (“DPIA”) before publicly launching a new online service, product, or feature that is “likely to be accessed by children.” The DPIA must include detailed information about a business’s online service, product, or feature, including its purpose, how it uses children’s personal information, and how it could harm children through its algorithms, design features, and targeted ads. The DPIA is confidential and exempt from public disclosure. Each business must retain documentation of the DPIA for as long as it provides the online service, product, or feature to children and provide a copy to the Attorney General upon request.
    • Provide privacy by default. Covered businesses must configure all default privacy settings offered by the online service, product, or feature to offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interest of children.
    • Provide a privacy policy and terms. Covered businesses must provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of the children that are likely to access their online service, product, or feature.
    • Allow children to exercise privacy rights. Covered businesses must provide prominent, accessible, and responsive tools to help children or their parents/guardians exercise their privacy rights and report concerns.
    • Identify tracking signals. Covered businesses must provide an obvious signal to a child when the child is being monitored or tracked by the online service, product, or feature.

    Restrictions on Covered Businesses

    CAADCA also prohibits covered businesses from engaging in the following actions:

    • Using a child’s personal information in a way that is “materially detrimental to the physical health, mental health, or well-being of a child.”
    • Collecting, selling, sharing, or retaining the personal information of children for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that aligns with the best interests of children.
    • Collecting, selling, or sharing any precise geolocation information of children, unless it is strictly necessary for the business to provide the service, product, or feature and only for a limited time.
    • Using dark patterns, which are online experiences designed to encourage children to provide too much personal information.
    • Profiling children, though this prohibition is subject to certain exceptions.
    • Using personal information to estimate the age of a child for any other purpose or retaining that personal information longer than necessary to estimate age.

    Enforcement of CAADCA

    There is no private right of action under CAADCA, but the law authorizes the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The Attorney General can hold violators liable for a civil penalty of up to $7,500 per affected child. The new law gives companies an opportunity to cure any alleged violation within 90 days so that they can avoid these penalties.

    Next Steps for California Businesses

    While CAADCA does not go into effect until July 1, 2024, it is vital that California businesses take steps to ensure their compliance with the new law in advance of the effective date. These steps may include the following:

    • Assess whether your business is subject to CAADCA. Determine if your business’s online products, services, or features are “likely to be accessed by children” under age 18 as defined under the new law.
    • Start to prepare a Data Protection Impact Assessment. Familiarize yourself with the requirements of the DPIA and strategize how your business would perform such an assessment. For an online product, service, or feature that was launched before July 1, 2024, a DPIA must be completed by July 1, 2024. After that, a DPIA must be completed before launching any new online service, product, or feature that is “likely to be accessed by children.”
    • Provide data privacy information in appropriate language for children. Revise your privacy information, terms of service, policies, and community standards so that they are accessible to the age group of children who are likely to access your online service, product, or feature.
    • Start planning changes your business will need to make to ensure compliance. Businesses should consider how they can redesign their products, including those that have launched and those in development, to mitigate the risk of harm to children. For example, businesses will need to adjust their default privacy settings to accommodate a high level of privacy by default. A service, product, or feature should also provide an obvious signal to a child when their online activity is monitored or their location is tracked.
    • Ensure that your business is not engaging in any prohibited activities. As described above, CAADCA imposes certain limitations on how and for what purpose a covered business may collect, sell, share, or retain a child’s personal information.

    Please contact the Coblentz Privacy Team with any questions about CAADCA or other privacy issues.

    [1] The CPRA defines a “business” as any for-profit entity operating in California that collects personal information of California residents and satisfies one of three requirements: (i) the company has annual gross revenues of more than $25 million; (ii) the company buys, sells, or shares personal information of at least 100,000 California residents; or (iii) the company derives at least 50% of its annual revenues from selling or sharing California residents’ personal information.

  • Vine Notes: Relating wine to beer and spirits, restaurant services, even coffee and fruit

    Wine trademarks have been the subject of recent decisions from the United States Patent and Trademark Office. In analyzing whether there is a likelihood of confusion between trademarks, these decisions illustrate the growing trend toward finding wine to be related to other types of alcohol, restaurant services, and even coffee and fruit. Sabrina Larson and Bina Patel discuss the legal landscape of the vineyard and registering wine trademarks in the North Bay Business Journal article “Vine Notes: Relating wine to beer and spirits, restaurant services, even coffee and fruit.” To read the full article, please click here.