We have arrived at a tipping point. Policy makers, consumers, technologists and regulators are in agreement: The internet was not designed with children in mind.

Lawmakers came to the conclusion that new regulations to support the online protection and development of children and young people are needed. This prompted the recent proliferation of codes, laws, bills and regulatory guidance documents governing how online service providers interact with young people. Key examples are the U.K. Age-Appropriate Design Code and the California Age-Appropriate Design Code Act. Youth protection measures have also been adopted or are progressing in Ireland, the Netherlands, the People’s Republic of China, Argentina, Utah, Arkansas, Oregon, New Jersey, Minnesota, Illinois, Maryland and other jurisdictions. 

Lawmakers share the goal of protecting young people from harm. But the laws jurisdictions enact often pursue their objectives in different ways, such as by establishing different age thresholds around which the laws protect, different criteria regarding who must comply, disparate roles for parents and their children, and dissimilar standards to which companies must adhere.

The U.K. code, which one of the authors of this article architected and implemented, has been in force since 2021. The California code is modeled on the U.K. code and comes into force 1 July 2024. These two instruments follow similar principles. And they vary in subtle but important ways. 

Who must comply?

The U.K. and California codes are focused on providers of online services "likely to be accessed by children," which both codes define to mean essentially any online service directed at children under 18, appealing to children or actually used by a significant number of children.

The U.K. code applies to information society services irrespective of their size or economic footprint. It applies to online service providers if they are established in the U.K., or if they offer services to or monitor the behaviors of young residents.

In contrast, the California code only applies to for-profit entities that meet certain revenue or quantitative thresholds. To be subject to the California code, an entity must have annual gross revenues of more than $25 million (as adjusted periodically for inflation); buy, sell or share the personal information of 100,000 or more California residents or households; or make 50% or more of its annual revenues from selling or sharing California residents’ personal information.

Form and substance of the codes

The U.K. code is centered on 15 standards, whereas the California code sets out eight affirmative requirements and 10 general prohibitions. The U.K. code does not have the force of a statute like the California code does, but constitutes a code of practice intended to guide companies on how to comply with the U.K. General Data Protection Regulation and other U.K. privacy laws when offering online services likely to be accessed by children.

The U.K. code is more than ten times the length of the California Code by word count and replete with explanations of the policy reasons behind its requirements, examples of how organizations can comply and resources intended to help organizations implement compliance measures. The California code is comparatively sparse on details and permits, but does not require the California attorney general to adopt regulations to clarify its requirements.

The best interests of the child

The U.K. and California codes require covered entities to consider and respond to the best interests of children when designing their online services. However, "best interests of the child" has different legal meanings in the U.K. and U.S. The U.K. has ratified the United Nations Convention on the Rights of the Children, whereas the U.S. has not.

In line with the U.N. Convention, the U.K. code explains the "best interests of the child" is a concept that encompasses various important rights and values, including children’s rights to privacy and freedom from economic exploitation, the importance of children's access to information, association with others, and play in supporting their development, and the right to have a say in matters that affect them.

By contrast, the "best interests of the child" standard generally only exists in U.S. jurisprudence in the context of family and child welfare law, and, without more guidance, it is uncertain how authorities will interpret the term in the online consumer privacy law context. Nevertheless, both the U.K. and California codes provide that the commercial interests of an organization will generally not outweigh a child’s right to privacy.

Data protection impact assessments

Both codes establish the duty to conduct a data protection impact assessment of any service likely to be accessed by children as a core requirement. In each case, the key objective of the DPIA is to identify and mitigate risks to children that may arise from data processing operations, including the risk of a child being exposed to harmful content, contacts or conduct.

Other risks are posed when services or products actively encourage young people to spend inordinate stretches of time engaged with them. Because the U.K. code flows from the U.K. GDPR, a U.K. code DPIA may look substantially different from a California code DPIA.

For example, Article 6 of the U.K. GDPR generally prohibits the processing of personal data unless one or more "lawful bases of processing" listed in the regulation applies, so a U.K. DPIA should specify the lawful basis for each processing activity involving children’s personal data. No analogous requirement applies in California. Consistent with Article 35(9) of the U.K. GDPR, the U.K. code notes DPIAs should incorporate feedback and input from children and parents whenever possible. The California code does not mention the benefit of consultations with children or parents, although collaboration of this kind would make any DPIA more comprehensive.

Recommendations

Despite the differences across these two instruments, they share underpinning principles. As a result, they overlap more than they diverge.

The upcoming California code mirrors the U.K. code’s key requirements and restrictions. Any companies feeling unsure about what is expected of them under the California code should find it helpful to read the corresponding passages of the U.K. code and its practical guidance. Whether or not a company is subject to either code, it would benefit from regularly conducting confidential assessments of the legal risks associated with its online services and fine-tuning them to mitigate those risks.

The U.K. and California codes provide guidance on how to structure assessments. They list practices that go a long way towards keeping children safe. Companies should also monitor global legal developments in youth protection. Regulators around the world are increasingly taking action against companies that allegedly violate children’s privacy and safety requirements. Studying regulators’ decisions can yield important lessons. Lawmakers in many jurisdictions are now advancing new youth protection rules and regulations.

Unfortunately, not all of them are as aligned with one another as the landmark U.K. and California codes.