The law is the latest evolution in regulators’ efforts to protect minors and their data on the Internet. It places stricter requirements on businesses that provide online services, products, or features likely to be accessed by a child under 18 years of age. These requirements include regularly reviewed Data Protection Impact Assessments (DPIAs), default privacy settings at the highest protection level, and privacy policies that are understandable by children.
The CAADCA reflects an ongoing focus at the state level on establishing data privacy and data protection guardrails for the online safety of children. It is one of many new state laws going into effect in 2023 and 2024 to increase a variety of consumer rights protections. As more states propose their own bills, the privacy landscape in the United States is becoming increasingly fragmented.
Take a Proactive Privacy Approach
As the state-by-state patchwork of privacy rules becomes more complex, it’s essential for companies to build flexible and scalable solutions that adhere to different regulations. Even for well-staffed organizations, keeping up with the pace and variability of regulations is a struggle. It’s common to end up with a complicated set of disconnected privacy programs, siloed by region or individual regulations. These disconnects cause operational inefficiencies and strained teams, resulting in poor governance and unreliable or inconsistent consumer experiences.
A proactively designed privacy program embeds privacy into the organization and is both scalable and necessary to earn and retain consumer trust. You should not wait for regulations to dictate your privacy policies. Instead, proactively establish privacy principles and frameworks at the company level. Then, map specific regulatory requirements to your frameworks, making it easier to scale key privacy activities across regions, regulations, audiences, and internal functions.
Anticipate Evolving Privacy Legislation
Privacy protection for children is a good example of how regulations evolve along themes that well-designed privacy programs anticipate. The Children’s Online Privacy Protection Act (COPPA) was passed by the US Congress in 1998 and took effect in April 2000. It focused on restricting the collection of children’s personal information and limiting how that information could be used by operators. Twenty years later, the Age Appropriate Design Code was issued in the UK, setting standards for online services to both protect children’s privacy and reinforce that such services should be designed with children in mind. There are substantial similarities between the CAADCA and the UK Code. This is an evolution of privacy.
The CAADCA is yet another reminder to organizations of the importance of designing scalable and flexible privacy programs now, so that they can anticipate and respond effectively to future legislation.