Lawmakers share the goal of protecting young people from harm. But the laws that jurisdictions enact often pursue their objectives in different ways, such as by establishing different age thresholds for whom the laws protect, different criteria regarding who must comply, disparate roles for parents and their children, and dissimilar standards to which companies must adhere. The UK Code, which one of the authors of this article architected and implemented, has been in force since 2021. The California Code is modeled on the UK Code and comes into force on 1 July 2024. These two instruments follow similar principles, yet they vary in subtle but important ways. We outline below some of these differences and similarities, before offering recommendations for companies faced with an uncertain children’s privacy landscape around the world.
Who must comply?
The UK and California Codes are focused on providers of online services that are “likely to be accessed by children,” which both codes define to mean essentially any online service that is directed to children under 18, appealing to children, or actually used by a significant number of children. The UK Code applies to information society services irrespective of their size or economic footprint. It applies to online service providers if they are established in the UK, or if they offer services to or monitor the behaviors of young people residing there. In contrast, the California Code only applies to for-profit entities that meet certain revenue or quantitative thresholds. To be subject to the California Code, an entity must: (i) have annual gross revenues of more than USD 25 million (as adjusted periodically for inflation); (ii) buy, sell or share the personal information of 100,000 or more California residents or households; or (iii) make 50% or more of its annual revenues from selling or sharing California residents’ personal information.
Form and substance of the Codes
The UK Code is centered on 15 standards, whereas the California Code sets out eight affirmative requirements and 10 general prohibitions. The UK Code does not have the force of a statute like the California Code does but constitutes a code of practice intended to guide companies on how to comply with the UK General Data Protection Regulation (“UK GDPR”) and other UK privacy laws when offering online services that are likely to be accessed by children. The UK Code is more than 10 times the length of the California Code by word count and replete with explanations of the policy reasons behind its requirements, examples of how organizations can comply, and resources intended to help organizations implement compliance measures. The California Code is comparatively sparse on details and permits, but does not require, the California Attorney General to adopt regulations to clarify its requirements.
The best interests of the child
The UK and California Codes require covered entities to consider and respond to the best interests of children when designing their online services. However, the “best interests of the child” has different legal meanings in the UK and USA. The UK has ratified the United Nations Convention on the Rights of the Child (“UN Convention”) whereas the US has not. In line with the UN Convention, the UK Code explains that the “best interests of the child” is a concept that encompasses various important rights and values, including children’s rights to privacy and freedom from economic exploitation, the importance to children of access to information, association with others, and play in supporting their development, and the right to have a say in matters that affect them. By contrast, the “best interests of the child” standard generally only exists in US jurisprudence in the context of family and child welfare law, and, without more guidance, it is uncertain how authorities will interpret the term in the online consumer privacy law context. Nevertheless, both the UK and California Codes provide that the commercial interests of an organization will generally not outweigh a child’s right to privacy.
Data protection impact assessments
Both Codes establish as core requirements the duty to conduct a data protection impact assessment (DPIA) of any service likely to be accessed by children. In each case, the key objective of the DPIA is to identify and mitigate risks to children that may arise from the data processing operations, including risks that a child might be exposed to harmful content, contacts or conduct. Other risks are posed when services or products actively encourage young people to spend inordinate stretches of time engaged with them. Because the UK Code flows from the UK GDPR, a UK Code DPIA may look substantially different from a California Code DPIA. For example, Article 6 of the UK GDPR generally prohibits the processing of personal data unless one or more “lawful bases of processing” listed in the regulation applies, so a UK DPIA should specify the lawful basis for each processing activity involving children’s personal data. No analogous requirement applies in California. Consistent with Article 35(9) of the UK GDPR, the UK Code contemplates that, whenever possible, DPIAs should incorporate feedback and input from children and parents. The California Code does not mention the benefit of consultations with children or parents, although collaboration of this kind would make any DPIA more comprehensive.
Despite the differences across these two instruments, they share underpinning principles. As a result, they overlap more than they diverge. The upcoming California Code mirrors the UK Code’s key requirements and restrictions. Any companies feeling unsure about what is expected of them under the California Code should find it helpful to read the corresponding passages of the UK Code and its practical guidance. Whether or not a company is subject to either code, it would benefit from regularly conducting confidential assessments of the legal risks associated with its online services and fine-tuning those services to mitigate those risks.
The UK and California Codes provide guidance on how to structure assessments. They list practices that go a long way towards keeping children safe. Companies should also monitor global legal developments in youth protection. Regulators around the world are increasingly taking action against companies that allegedly violate children’s privacy and safety requirements. Studying regulators’ decisions can yield important lessons. Lawmakers in many jurisdictions are now advancing new youth protection rules and regulations. Unfortunately, not all of them are as aligned with one another as the landmark UK and California Codes.
This article was first published by the IAPP.