How California’s new CCPA law affects anyone operating in the kids market

The California Consumer Privacy Act (CCPA) gives state residents stronger data privacy protections, including the right to opt out of data collection, to know what data is being collected about them, and to request deletion of that data.  

Most importantly for anyone operating in the kids or youth market, it extends COPPA-style protections to residents between 13 and 15. Any publishers or advertisers engaging with that audience may no longer ‘sell’ their personal data (including technical identifiers such as IP address, device ID or geolocation) unless they have the user’s explicit, opt-in consent. Note that the definition of ‘sell’ is very broad and very likely includes sharing that type of data with partners who are helping you monetise your content, or deliver your ad campaign.

Some aspects of the CCPA are challenging to implement and will impose additional costs on companies.  But this law is also likely only the tip of the data privacy iceberg, as many states are looking to emulate California and pass new rules to protect the privacy of their residents.  The CCPA is also being seen as a potential blueprint for new efforts at crafting federal data privacy legislation. The reaction of tech platforms has been varied.  Google announced new features that allow its client websites to block personalised ads in the state, while Microsoft has decided to embrace the pro-privacy positioning by implementing CCPA’s standard throughout the US.   

If your site or app, or your ad campaigns, are likely to reach more than 50,000 Californians, you must comply with the CCPA. Below, you will find a full breakdown of the Act, and how it is likely to affect you.

What is the CCPA and does it apply to me? 

The California Consumer Privacy Act 2018 (“CCPA”) came into effect on 1 January 2020, creating new privacy and consumer protections for Californian residents. It broadly gives Californians enhanced rights to opt out of data collection and to know what is being collected from them.  Companies in breach of the CCPA can be issued large fines, and the California Attorney General has announced that it will immediately begin tracking breaches for enforcement during 2020.

Assuming you are a for-profit organisation, you will need to comply with the CCPA if you have users based in California from whom you collect personal information, and you either: (a) earn $25 million or more in annual revenue; (b) buy, receive, or sell personal information (PII) of at least 50,000 Californian consumers, households or devices per year; or (c) obtain at least half of your revenue from selling California residents’ personal data. For example, if you receive visits from at least 50,000 California-related IP addresses per year on your website and collect their personal information, then you will need to comply with the CCPA.  

Does it affect how I handle personal information from my users? 

Yes. Prior to collecting PII from Californian users, you will need to notify those users what will be collected, and why. Californian users have a right to access the PII that is held about them, and to find out how and why it was collected, and with whom it is shared. They also have rights of deletion and the right not to be subject to discriminatory treatment for exercising their rights. Your existing privacy notice may already set out such information and rights, but there are a number of CCPA-specific disclosures which may require you to update your notice, e.g. if no PII is sold then your notice must state so expressly and you need to provide a company contact for more information.

Note that the definition of “sell” is very broad and includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” the data, and money does not have to exchange hands for there to be a “sale”; other “valuable consideration” will be enough.

In practice, if you allow third parties (such as analytics providers or ad networks) to collect geolocation or persistent identifiers such as device ID, IP address or Ad ID, for instance to display targeted advertising for revenue, then this would constitute “selling” under the CCPA.

What about personal information from kids?

CCPA requires you to get consent if you sell the personal information of Californian kids under the age of 16: opt-in consent from those who are 13, 14 or 15, and parental consent (as required under COPPA) for those under 13.

The law also requires you to take steps to determine the age of your users if your service “might attract those under the age of 16”, so you can’t simply claim ignorance, as that may be considered “willful disregard.”

Opt-in consent requires positive action, such as ticking a box, and must include notice of what PII you are proposing to collect and sell, why and to whom, with a link to your privacy policy. You must also provide a mechanism and link to enable the party to revoke that consent at any time.

What are the consequences of breaching CCPA?

You can be fined $2,500 per violation, or $7,500 per intentional violation, after receiving notice of a breach and having been given a 30-day opportunity to cure the violation.

I have many tween and teenage users.  What should I do? 

Given how broadly “PII”, “selling” and “actual knowledge” are defined, if you are collecting information on Californian kids under the age of 16 and sharing it with third parties, you should seek affirmative consent of the user, or parental consent for those under 13 as the law requires.   

If your content appeals to both children and adults, an age-gate will help you funnel visitors under the age of 16 to a version of your service from which you don’t collect or sell PII, or which applies the appropriate consent flows (opt-in for teens, parental consent for under-13s) to collect the PII lawfully.

The information contained in this note is not intended as legal advice. Please seek your own legal advice before acting on the information it contains.