Skip to main content

California Age-Appropriate Design Code Act

The California Age-Appropriate Design Code requires online services likely accessed by children to apply privacy-by-design, high-privacy defaults, data minimization, and impact assessments. It faces ongoing litigation that affects enforceable scope.

Jurisdiction
California

What the California Age-Appropriate Design Code Is

The California Age-Appropriate Design Code Act (AB 2273) requires businesses providing online products and services likely to be accessed by children to design those services with children's best interests, privacy, and safety in mind. Modeled on the UK's Children's Code, it shifts responsibility toward providers to build child-safe defaults rather than relying on parents and children to opt into protections. It reflects growing concern about the effects of online services on minors.

The law has faced legal challenges, and parts have been subject to litigation and injunction; businesses should track its current enforceable scope while recognizing the durable design principles it embodies.

Who It Applies To

The Act applies to businesses that meet CCPA-style thresholds and that provide online services, products, or features likely to be accessed by children under 18. "Likely to be accessed by children" is interpreted broadly, so many consumer-facing services can fall in scope even if children are not the primary audience.

Key Requirements

  • Data protection impact assessments — Assess how a service's design could harm children before offering features likely to be accessed by them.
  • High-privacy defaults — Configure default settings to a high level of privacy for child users.
  • Data minimization — Collect and use only the personal information necessary for the service.
  • Age-appropriate experience — Provide privacy information and terms in language suited to the age of likely users.
  • No harmful design — Avoid dark patterns and designs that lead children to weaken protections or act against their interests.
  • Transparency — Enforce published policies and clearly signal monitoring or tracking to children.

Penalties for Non-Compliance

Violations can lead to civil penalties enforced by the California Attorney General, with penalties scaled per affected child for negligent or intentional violations. Beyond fines, businesses face reputational risk and potential parallel scrutiny under other privacy laws. The exact enforceability of specific provisions has been shaped by ongoing litigation.

How to Comply

Determine whether the service is likely to be accessed by children, then perform data protection impact assessments for relevant features. Set high-privacy defaults, minimize data collection, and remove dark patterns. Provide age-appropriate transparency and ensure that profiling, geolocation, and tracking are restricted by default for child users. Monitor the law's litigation status and align with broader children's privacy frameworks to maintain durable, defensible designs.