Children’s online safety at the forefront of California law

California passed a new law, AB 2273, known as the California Age-Appropriate Design Code Act (CAADCA)

Ojas Rege
OneTrust General Manager, Privacy & Data Governance Cloud
September 20, 2022

Green gradient background

The law is the latest evolution in regulators’ efforts to protect minors and their data on the Internet. It places stricter requirements on businesses that provide online services, products, or features likely to be accessed by a child under 18 years of age. These requirements include regularly reviewed Data Protection Impact Assessments (DPIAs), default privacy settings at the highest protection level, and privacy policies that are understandable by children.

The CAADCA reflects an ongoing focus at the state level on establishing data privacy and data protection guardrails for the online safety of children. It is one of many new state laws going into effect in 2023 and 2024 to increase a variety of consumer rights protections. As more states propose their own bills, the privacy landscape in the United States is becoming increasingly fragmented.

Take a Proactive Privacy Approach

As the state-by-state patchwork of privacy rules becomes more complex, it’s essential for companies to build flexible and  scalable solutions that adhere to different regulations. Even for well-staffed organizations, keeping up with the pace and variability of regulations is a struggle. It’s common to end up with a complicated set of disconnected privacy programs, siloed by region or individual regulations. These disconnects cause operational inefficiencies and strained teams, resulting in poor governance, and unreliable or inconsistent consumer experiences.

A proactively designed privacy program embeds privacy into the organization and is both scalable and necessary to earn and retain consumer trust. You should not wait for regulations to dictate your privacy policies. Instead, proactively establish privacy principles and frameworks at the company level. Then, map specific regulatory requirements to your frameworks, making it easier to scale key privacy activities across regions, regulations, audiences, and internal functions.

Anticipate Evolving Privacy Legislation

Privacy protection for children is a good example of how regulations evolve along themes that well-designed privacy programs anticipate. The Children’s Online Privacy Protection Act (COPPA) was passed by the US Congress in 1998 and took effect in April 2000. It focused on restricting the collection of children’s personal information and limiting how that information could be used by operators. Twenty years later, the Age Appropriate Design Code was issued in the UK, setting standards for online services to both protect children’s privacy and reinforce that such services should be designed with children in mind. There are substantial similarities between the CAADCA and the UK Code. This is an evolution of privacy.

The CAADCA is yet another reminder to organizations of the importance of designing scalable and flexible privacy programs now, so that they can anticipate and respond effectively to future legislation.

You may also like


Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more


Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more