California Looks To Britain For The Protection of Children

EU assents to Amazon's purchase of MGM; FTC settles with company over a data breach cover up

The Wavelength is moving! Next week, you’ll get the same great content, but from the Ghost platform. The move will allow for a price decrease because of reduced costs for me.  

And, it bears mention that content on technology policy, politics, and law that preceded the Wavelength can be found on my blog.

Photo by Alex Azabache on Unsplash

A bill has been introduced in California’s legislature that could have an effect on children’s online privacy that the state’s privacy laws have had on data protection in the United States (U.S.) If passed, this bill could fundamentally change the issue of children’s privacy and become an impetus for the Congress to act. Interestingly, unlike the California privacy laws, the draft bill explicitly references a legal framework in force in a European nation.

A bill has been introduced in California’s legislature modeled on the United Kingdom's Information Commissioner's Office's (ICO) Age Appropriate Design Code (aka the Children’s Code) that arose from the “Data Protection Act 2018.” In the code, the ICO explained it has statutory force, and “[a]s was made clear in the Parliamentary debates when the Data Protection Bill passed through Parliament, if your online service fails to conform to a provision of this code you may find it difficult to demonstrate compliance with the law and you may invite regulatory action.” Moreover, the ICO made clear the code “applies to you if you provide online products or services (including apps, programs, websites, games or community environments, and connected toys or devices with or without a screen) that process personal data and are likely to be accessed by children in the UK.” What’s more, the bill in the California legislature is based on many of the standards in the code[1].

In terms of additional background, the UK Department of Digital, Culture, Media & Sport (DCMS) laid the code before Parliament in the summer of 2020 and it took effect in early September 2020. However, there was a subsequent 12 month period during which companies could transition to the new requirements, and as such, it did not have legal force until September 2021. The ICO drafted and submitted the code to DCMS per “the Data Protection Act 2018, which required the ICO “to produce a code of practice on standards of age appropriate design…[that] applies to “relevant information society services which are likely to be accessed by children” in the UK” per the explanatory memorandum submitted to Parliament.

Shortly after the code was laid before Parliament, Democratic Members of Congress wrote a number of companies, including Amazon, Facebook, Google, Snapchat, TikTok, and Twitter and gaming companies, urging them “to extend privacy protections required under the United Kingdom’s Age Appropriate Design Code (AADC) to children and teens in the United States.” To date, none of these companies have, and even though the bills of one of the Members incorporates some of the code’s structure (see here for more detail and analysis), no bills have been introduced in Congress to transplant the code wholly into U.S. law.