Last week, New Jersey Assemblyman Herb Conway Jr. introduced a bill similar to the California Age-Appropriate Design Code (“CA AADC”) enacted in September. The bill, NJ A4919, tracks the CA AADC in many respects but contains several notable differences, which we summarize below:
- Covered businesses. The CA AADC applies to any online service, product, or feature likely to be accessed by children, with exceptions for broadband internet access services, telecommunications services, and the delivery or use of a physical product. However, NJ A4919 would apply only to online services, products, or features likely to be accessed by children that are offered by a social media platform.
- Likely to be accessed by children. Like the CA AADC, NJ A4919 provides criteria for determining when a service, product, or feature is “likely to be accessed by children.” The factors provided by NJ A4919 are the same as those included in the CA AADC, with two exceptions. First, both the CA AADC and NJ 4919 include as a criteria that “the online service, product, or feature is directed to children,” but the CA AADC further specifies that this criteria adopts the definition of “directed to children” provided in the Children’s Online Privacy Protection Ace (COPPA) while NJ A4919 does not. Second, both the CA AADC and NJ A4919 provide that one criteria that may be used to determine if a product, service, or feature is “likely to be accessed by children” is whether “the online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children,” the CA AADC lists an additional criteria for services that are “substantially similar or the same as” such services, products, or features. NJ 4919 does not provide a similar criteria.
- Data Protection Impact Assessment (DPIA) requirements. Both NJ 4919 and the CA AADC require covered entities to complete a DPIA for each product, service, or feature likely to be accessed by children before it is offered to the public, and they provide virtually identical requirements for the specific information that must be included in such assessments. However, the CA AADC requires covered entities to document “[w]hether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children,” but NJ A4919 applies this requirement to all personal information, not just sensitive personal information.
- Geolocation information. The CA AADC and NJ 4919 both prohibit covered entities from sharing geolocation information of children by default unless it is strictly necessary to provide the relevant service, product, or feature and it is only collected, sold, or shared when necessary to provide such service, product or feature. However, the CA AADC only imposes this requirement for precise geolocation information, whereas NJ 4919 applies this requirement to all geolocation information.
- Age estimation. Both the CA AADC and NJ 4919 prohibit covered entities from using personal information collected to estimate age (or, in CA, age or age range) for any other purpose, or from retaining it longer than necessary to estimate age. However, unlike NJ 4919, the CA AADC further provides that age assurance shall be proportionate to the risks and data practices of the relevant product, service or feature.
* * *
We will continue to monitor state law developments following the trend of the CA AADC and keep you updated here on Inside Privacy.