Select Page

California Leads the Way on Children’s Privacy Protection Laws

California has always been known as a trailblazer state within the entertainment and technology sectors. The Golden State has also historically served as a national bellwether on a variety of political issues including data privacy and the protection of minors online.

The California Consumer Privacy Act (CCPA) 2018 has the strongest protections for children among all US privacy regulations, building on previous data privacy laws aimed at protecting minors in the state including:

  1. Privacy Rights for California Minors in the Digital World 2013
  2. Student Online Personal Information Protection Act (SOPIPA) 2016

The passage of California’s stricter child protection laws was driven by greater public awareness and concern about data privacy matters.

One of the major concerns for parents who lobbied for changes to California’s data privacy laws was the long-term ramifications if minors were not given the opportunity to delete their online mistakes.

At the same time, K-12 public schools experiencing budget shortfalls were increasingly looking for free or low-cost online technology services to successfully educate students.

As many organizations eager to sell digital education products and services tend to rely on advertising and sale of consumer data to generate revenue, the updates to California state privacy law included rules to address concerns about the types of ads served to children. Along with stricter terms for how personal data is managed.

Extra Protections for Children Under California State Privacy Law

Under California’s data privacy laws an online service organization must have mechanisms to identify minors who are using its website or any other digital channel.

This means organizations need to establish effective legal and technological mechanisms to manage protection of children online.

These mechanisms need to include policies and programs to ensure the organization is fully compliant with California’s child privacy protection laws, including:

  • Easy opt-out from data collection – mechanisms so minors can exercise their ‘right to be forgotten’, which means their personal data is not collected
  • Exclusion from some advertising – online tracking partners and technologies also needs fine-tuning so children are not included in online advertising programs, and are not served advertising that is not deemed age appropriate in California

California is the only state to establish a ‘cure period’ for violations related to security breaches. Under this rule, individuals must allow businesses 30 days to cure any violation before they can begin pursuing statutory damages.

Privacy Rights for California Minors in the Digital World 2013

Sentate Bill 568 was passed in 2013 and became effective on January 1, 2015. Privacy Rights for California Minors in the Digital World prohibits online service companies from marketing a variety of products and services to minors when such products and services can only be bought by a person over 18 years or older.

This legislation added stricter data privacy laws which included the following:

  • Banning collection of minors’ personal data from being shared with third parties for the purpose of advertising or marketing products and services that can only be bought by adults.
  • Enforcing the ‘right to be forgotten’ for minors, so that any California resident under 18 years of age can request any personal data, including online activity data related to them, to be permanently deleted. Online service providers must disclose this right to minors and clearly explain the process to make a request for the deletion of personal information.

Student Online Personal Information Protection Act (SOPIPA) 2016

SOPIPA which became effective onJanuary 1, 2016, prevents organizations that focus on K-12 educational offerings from engaging in targeted advertising to minor students and their parents or legal guardians. 

SOPIPA was an important update to California’s data privacy laws because it banned several common online advertising activities. The major changes included:

  • Banning collection of personal information about students which could be used to establish individual profiles
  • Banning sale of a student’s personal information
  • Enforcing reasonable security measures which require K-12 online service organizations to implement and maintain reasonable security to protect the data they do collect
  • Enforcing the right to delete, which requires online service organizations to delete student data upon the request of a K-12 school or district which had its students use an organization’s online educational services

Understanding Privacy Laws in California

The California Consumer Privacy Act (“CCPA”) of 2018 applies to for-profit organizations that do business in California, and meet any of the following criteria:

  • Have gross annual revenue of more than US $25 million
  • Buy, receive or sell the personal information of 50,000 or more California residents, households, or devices
  • Earn 50% or more of annual revenue from selling California residents’ personal information

The CCPA gives consumers in California extended rights related to their personal information including:

  • Right to know what personal information is collected [See: ‘Notice at collection’ below], and how that data is used and shared, including whether it is sold and to whom
  • Right to opt-out from the sale of their personal information
  • Right to access records of their personal data held by an organization
  • Right to delete personal data by requesting an organization deletes records collected from them, with some exceptions [See Exception to ‘right to delete’ below]
  • Right to non-discrimination for exercising their privacy rights

‘Notice at Collection’ Under California State Privacy Law

The CCPA also requires organizations to give consumers a ‘notice at collection’ at or before the point at which data is collected.

The notice must list the types of personal information being collected and the purposes. If the organization plans to sell any consumer data it collects, the notice at collection must also include a Do Not Sell link so consumers can opt-out.

Exceptions to ‘Right to Delete’ Personal Information Held by an Organization

Under the CCPA, there are some exceptions to consumers’ right to delete their personal information held by an organization.

Common examples of these exceptions which allow organizations to keep records of personal information include:

  • The request for deletion cannot be verified
  • To complete a transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
  • To manage certain business security practices
  • To comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • For certain internal uses compatible with reasonable consumer expectations or the context in which the information was provided
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

Manage Compliance with CCPA

CCPADownload our Guide to Addressing CCPA Requirements
This guide will help determine whether your company needs to comply and includes best practices for data privacy compliance.