jcranmer|1 year ago
dgfitz|1 year ago
As is relevant to the Ninth Circuit’s opinion, the AADC creates two sets of requirements. First, the AADC requires businesses to complete a data protection impact assessment (DPIA) before a business offers to the public any new online services, products, or features likely to be accessed by children. The DPIA must “identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business.” The DPIA also must address, to the extent applicable, eight factors, including “whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.” Businesses must document the risks and “create a timed plan to mitigate or eliminate” the risks before the online product, service or feature is accessed by children.
Second, the AADC contains a list of prescriptive requirements in sections 1798.99.31(a)(5)-(10) and (b). Specifically, sections (a)(5)-(10) require businesses to:
Estimate the age of child users or apply the privacy and data protections afforded to children to all users.
Configure all default privacy settings provided to children to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that the different setting is in the best interests of children.
Provide privacy information and other documents such as terms of service in language suited to the age of children likely to access the product, service, or feature.
Provide an “obvious signal” to a child if they are being monitored or tracked by a parent, guardian or any other consumer.
Enforce published terms and other documents.
Provide prominent tools to allow children or, if applicable, their parents or guardians, to exercise their private rights.
Section (b) then provides that businesses cannot:
Use children’s personal information in a way that the “business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.”
Profile a child unless certain criteria are met.
Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature, unless the business can demonstrate a compelling reason that doing so is in the best interests of children likely to access the product, service or feature.
Collect, sell, or share a child’s precise geolocation information by default unless strictly necessary to provide the requested service.
Use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected.
Use personal information collected to estimate age or age range for any other purpose or retain that personal information for longer than necessary to estimate age.
unethical_ban|1 year ago
I stand with the parent commenter - Maybe Techdirt could actually hyperlink to this kind of information, instead of hyperlinking to three other articles pretending to answer the question but not doing so.