Last week, New Jersey Assemblyman Herb Conway Jr. introduced a bill similar to the California Age-Appropriate Design Code (“CA AADC”) enacted in September.  The bill, NJ A4919, tracks the CA AADC in many respects but contains several notable differences, which we summarize below:

  • Covered businesses.  The CA AADC applies to any online service, product, or feature likely to be accessed by children, with exceptions for broadband internet access services, telecommunications services, and the delivery or use of a physical product.  However, NJ A4919 would apply only to online services, products, or features likely to be accessed by children that are offered by a social media platform.
  • Likely to be accessed by children.  Like the CA AADC, NJ A4919 provides criteria for determining when a service, product, or feature is “likely to be accessed by children.”  The factors provided by NJ A4919 are the same as those included in the CA AADC, with two exceptions.  First, both the CA AADC and NJ 4919 include as a criteria that “the online service, product, or feature is directed to children,” but the CA AADC further specifies that this criteria adopts the definition of “directed to children” provided in the Children’s Online Privacy Protection Ace (COPPA) while NJ A4919 does not.  Second, both the CA AADC and NJ A4919 provide that one criteria that may be used to determine if a product, service, or feature is “likely to be accessed by children” is whether “the online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children,” the CA AADC lists an additional criteria for services that are “substantially similar or the same as” such services, products, or features.  NJ 4919 does not provide a similar criteria.
  • Data Protection Impact Assessment (DPIA) requirements.  Both NJ 4919 and the CA AADC require covered entities to complete a DPIA for each product, service, or feature likely to be accessed by children before it is offered to the public, and they provide virtually identical requirements for the specific information that must be included in such assessments.  However, the CA AADC requires covered entities to document “[w]hether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children,” but NJ A4919 applies this requirement to all personal information, not just sensitive personal information.
  • Geolocation information.  The CA AADC and NJ 4919 both prohibit covered entities from sharing geolocation information of children by default unless it is strictly necessary to provide the relevant service, product, or feature and it is only collected, sold, or shared when necessary to provide such service, product or feature.  However, the CA AADC only imposes this requirement for precise geolocation information, whereas NJ 4919 applies this requirement to all geolocation information.
  • Age estimation.  Both the CA AADC and NJ 4919 prohibit covered entities from using personal information collected to estimate age (or, in CA, age or age range) for any other purpose, or from retaining it longer than necessary to estimate age.  However, unlike NJ 4919, the CA AADC further provides that age assurance shall be proportionate to the risks and data practices of the relevant product, service or feature.

*          *          *

We will continue to monitor state law developments following the trend of the CA AADC and keep you updated here on Inside Privacy.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Photo of Madeline Salinas Madeline Salinas

Madeline Salinas is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups.