California has passed a landmark bill aimed at protecting children online.

The California Age-Appropriate Design Code Act instructs online service providers to “prioritize the privacy, safety and well-being of children” over commercial interests, requiring them to proactively design their products and services to protect users under the age of 18.

The bill requires such companies to consider and mitigate the risks of exposing children to explicit content and inducing them to spend excessive amounts of time online by sending them notifications at all hours and auto-playing content. The bill also requires that the highest privacy setting be applied by default for child users.

The language of the bill is reminiscent of the UK Children’s Code, which uses a “best interests of the child” framework to evaluate what business behavior is appropriate when dealing with kids on the internet, and what is not. Under the California regulation, online service providers are prohibited from taking the following actions:

  • Using the personal info of any child in a way that the business knows would be materially detrimental to the physical health, mental health, or well-being of the child.
  • Profiling a child without appropriate safeguards and only if the profiling is necessary to provide the service or product to the child, or if the business can demonstrate a compelling reason why profiling is in the best interest of the child.
  • Collecting, selling, sharing or retaining any personal information that is not necessary to provide the product or service unless in the best interest of the child.
  • Using personal information for any reason other than that for which the information was collected.
  • Collecting, selling or sharing any precise geolocation information of children by default unless strictly necessary to provide the service or product.
  • Collecting any precise geolocation information without providing an obvious sign to the child that such information is being collected.
  • Using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide the service or product, or taking any action that the business knows is materially detrimental to the child’s health or well-being.
  • Using any personal information collected to estimate age or age range for any other personal information longer than necessary to estimate age.

The bill is the first of its kind in the nation. Its scope exceeds the Children’s Online Privacy Protection Act, the primary federal safeguard for kids online, which provides relatively narrow privacy protections for users under the age of 13.

The bill would authorize the California Attorney General to seek injunctions or civil penalties against businesses that violate its provisions, up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation.

The State Senate passed the bill on Monday evening. It now needs to be approved by Governor Gavin Newsom. If signed, the bill would go into effect on July 1, 2024.