Privacy & Information Security Law Blog

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

If enacted, AB-1949 would prohibit the collection of personal information of a consumer under the age of 18, unless the consumer or, in the case of a consumer under the age of 13, the consumer’s parent or guardian has affirmatively authorized the collection of the consumer’s personal information. The bill also would prohibit businesses from using or disclosing the personal information of a consumer under 18 years old, unless the consumer or, in the case of a consumer under the age of 13, the consumer’s parent or guardian has affirmatively authorized the use or disclosure of the consumer’s personal information.

Currently, under the CCPA, a business is prohibited from selling or sharing (for cross-context behavioral advertising purposes) the personal information of a consumer under the age of 16 without affirmative authorization from the consumer or, in the case of consumers under the age of 13, the consumer’s parent or guardian, where the business has actual knowledge that the consumer is under 16 years of age. AB-1949 would remove the condition that the business have actual knowledge that the consumer is under 16 and would increase the age threshold to consumers under the age of 18. Accordingly, businesses with or without actual knowledge that a consumer is under the age of 18 would be prohibited from selling or sharing the consumer’s personal information without affirmative authorization from the consumer or, for those under 13, the consumer’s parent or guardian.

AB-1949 also would require the California Privacy Protection Agency (“CPPA”), on or before July 1, 2025, to solicit broad public participation and adopt regulations to establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is under the age of 13 or between the ages of 13 and 17. The bill also would require the CPPA to issue regulations regarding age verification and when a business must treat a consumer as being under 13 or 18 years old for purposes of the CCPA. Although AB-1949 has a long way to go before becoming law, the bill demonstrates the California legislature’s continued interest in children’s privacy issues and suggests that, even if the California Age-Appropriate Design Code is struck down, businesses may still face significant privacy obligations with respect to children’s personal information in California.