0
An image of the logo for LinkedIn, which is black text reading "Linked," followed by white text reading, "In," in a blue bow.

hiQ v. LinkedIn: User Agreements in the Age of Data Scraping

On November 4, 2022, LinkedIn announced a “significant win” for the platform and its members against “personal data scraping.” The win resulted from a 6-year legal battle that asked, in part, whether LinkedIn must allow hiQ Labs to scrape data from the public profiles of LinkedIn members. Last Friday, the U.S. District Court for the Northern District of California answered that question by ruling that LinkedIn’s User Agreement “unambiguously prohibits hiQ’s scraping and unauthorized use of the scraped data.” And as such, hiQ breached LinkedIn’s User Agreement “through its own scraping of LinkedIn’s site and using scraped data.”[1] An Overview of Data Scraping Data scraping is a technique by which a computer program extracts data from another program or source. The technique typically uses scraper bots, which send a request to a specific website and, when the site responds, the bots parse and extract specific data from the site in accordance with their creators’ wishes. Scraper bots can be built for a multitude of purposes, including:
  • Content scraping – pulling content from a site to replicate it elsewhere.
  • Price scraping – extracting prices from a competitor.
  • Contact scraping – compiling email, phone number, and other contact information.
In today’s economy, data is key, and data scraping is an efficient means of acquiring huge amounts of specific data. Yet, this court ruling signals that companies may need to be more cautious about how and where they use data scraping bots. hiQ’s Data Scraping Violates LinkedIn’s User Agreement Founded in 2012 as a “people analytics” company, hiQ Labs provides information to businesses about their workforces. To do this, hiQ extensively relied on using automated software to scrape data from LinkedIn’s public profiles. hiQ then aggregated, analyzed, and summarized that data to create two products, “Keeper” and “Skill Mapper,” which allowed businesses to improve their employee engagement and reduce costs associated with external talent acquisition. However, in 2017, LinkedIn sent a cease-and-desist letter threatening legal action against hiQ, arguing that LinkedIn’s User Agreement prohibits data scraping. Specifically, the User Agreement states: You agree that you will not:
  • Scrape or copy profiles and information of others through any means (including crawlers, browser plugins and add-ons, and any other technology or manual work);
. . .
  • Use manual or automated software, devices, scripts[,] robots, other means or processes to access, ‘scrape,’ ‘crawl’ or ‘spider’ the Services or any related data or information;
  • Use bots or other automated methods to access the Services, add or download contracts, send, or redirect messages.
Court records indicate that hiQ knew about this prohibition since 2015 yet continued scraping data from LinkedIn’s public profiles and even “attempted to reverse engineer LinkedIn’s systems . . . to avoid detection by simulating human site-access behaviors.” Based on these facts, LinkedIn sought a partial summary judgment finding hiQ liable for breach of contract. From hiQ Labs’ perspective, while the above User Agreement language may appear clear, language elsewhere in the User Agreement seemed to provide users and members with a right to scrape data from public profiles. Specifically, the User Agreement provides the following when delineating members’ rights and obligations: 2. Obligations . . . When you share information, others can see, copy and use that information. . . . 3.1 Your License to LinkedIn . . .

c. We will get your consent if we want to give others the right to publish your posts beyond the Service. However, other Members and/or Visitors may access and share your content and information, consistent with your settings and degree of connection with them.

hiQ argued that the User Agreement’s statements that “Visitors may access and share your content and information consistent with your settings” and that “[w]hen you share information, others can see, copy and use that information” are inconsistent with the prohibition of scraping data. And that, as a user and member of LinkedIn who agreed to the User Agreement, hiQ read this inconsistency to mean that hiQ had the right to scrape data from public profiles. Unfortunately for hiQ, this argument failed. The court concluded that informing users that their data may be copied and used does not contradict LinkedIn’s prohibition against scraping, crawling, or spidering. “The two concepts are not mutually exclusive – a warning to members that a third party may collect their public-facing data is not a blessing for third parties to do so through expressly prohibited means.” Thus, hiQ breached LinkedIn’s User Agreement, which “clear[ly]” prohibits data scraping, by scraping LinkedIn’s site and using that scraped data. LinkedIn May Lose Despite This Victory It is important to note that, although LinkedIn considered this a victory, the court only granted partial summary judgment in favor of LinkedIn on its breach of contract claim. hiQ raised numerous defenses to LinkedIn’s breach of contract claim, including waiver and estoppel, arguing that LinkedIn knew about hiQ’s data scraping as early as 2014 yet failed to act until the cease-and-desist letter in 2017. hiQ’s argument goes, in short, that because LinkedIn knew about hiQ’s data scraping but delayed in taking legal steps to prevent it, LinkedIn either waived its right to enforce the breach of contract claim or should be estopped because hiQ reasonably relied on LinkedIn’s acquiescence to the data scraping. The court concluded that there is at least a genuine dispute of material fact as to whether LinkedIn knew about hiQ’s data scraping as early as 2014, which – if sufficiently proven – could provide grounds for hiQ to raise the defenses of waiver and estoppel. These arguments remain unresolved, and it is not clear at this time whether hiQ and LinkedIn will continue battling in court – especially given that hiQ has gone dormant since 2019 – but we will continue monitoring for further developments. Further Privacy Concerns Lastly, this case brings to mind broader legal issues regarding publicly available personal information. Under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), businesses must satisfy numerous obligations when processing personal information. However, the definition of “personal information” does not include “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” Similarly, under the EU’s General Data Protection Regulation (GDPR), the law’s prohibition against the processing of special data categories (e.g., race, ethnicity, religion, health, etc.) does not apply if the “processing relates to personal data which are manifestly made public by the data subject.” These exceptions are reminiscent of hiQ’s argument in this case: that LinkedIn’s User Agreement expressly said that “[v]isitors [of LinkedIn] may access and share your content and information consistent with your settings.” Meaning, the users themselves provided their information to LinkedIn and purposefully, via their settings choices, made their information available to the public. Putting aside that LinkedIn’s User Agreement prohibited data scraping, hiQ’s argument raises the question: was hiQ scraping publicly available personal information, as it is understood under the GDPR and CCPA / CPRA? And if so, does that mean that hiQ would not have to comply with some requirements imposed by applicable general data protection laws? The answer will likely depend on a fact-specific inquiry on the circumstances surrounding the user content, such as (i) which data protection law applies to the data subjects in question; (ii) whether privacy settings were readily apparent to users when they initially posted their profiles/content; and (iii) whether users took affirmative actions to publicly post their information. In the meantime, businesses should remain aware that scraping personal information, even publicly available information, requires proper planning and due diligence. Key Takeaways
  1. Data scraping remains a prevalent data collection practice, but individuals and companies may be liable for breach of contract claims stemming from data scraping practices in violation of a User Agreement.
  2. On the other hand, if a business wants to quash a company’s known data scraping practices that violate the User Agreement, waiting too long to take legal steps may result in the business forfeiting a breach of contract claim.
  3. Either way, this ruling indicates that companies must take User Agreements seriously, both their own (if they want to prevent data scraping) and those belonging to others (if they want to scrape data).
  4. Lastly, a question remains as to whether the data in this case was made publicly available, as the term is understood under US and EU data regulation laws.

[1] Note: The court also concluded that hiQ separately breached LinkedIn’s User Agreement by hiring independent contractors to create fake LinkedIn accounts to conduct “quality assurance” while logged into LinkedIn by “viewing and confirming hiQ customers’ employees’ identities manually.” LinkedIn’s User Agreement expressly prohibits creating false identities.
0
A cartoonish picture of a person working at a computer while talking on a headset to another person.

Two-Party Consent Requirements for Recording Calls

For a call recording to be lawful, federal law [1] and most states require at least one party to the conversation to consent to the recording. However, many states go further, requiring two-party (or all-party) consent for a call to be lawfully recorded. As the following list demonstrates, navigating the state law nuances of two-party consent for recording calls can require some finesse. CALIFORNIA Requires prior consent from all parties to record a confidential in-person, telephone, or video communication. [2] However, case law indicates that where a person communicating is made aware that the conversation is being monitored or recorded, there may be no violation because there is no objectively reasonable expectation of privacy. [3] Moreover, by continuing with the conversation after being so warned, consent is given by implication. [4] CONNECTICUT Allows call recording if:
  • all parties have consented to the recording,
  • recording is preceded by a verbal notification which is recorded as well, or
  • recording is accompanied by an automatic tonal warning. [5]
DELAWARE Requires two-party consent for recording telephone or other private conversations. [6] However, a district court held the state law was meant to emulate its federal equivalent, [7] so one-party consent may, in some circumstances, satisfy the consent requirement. FLORIDA Requires prior consent from all parties to record an oral communication. [8] However, the law does not cover when the person communicating had no reasonable expectation of privacy, [9] which may occur when the parties are notified at the outset that the call will be monitored or recorded. ILLINOIS Requires all parties to consent to recording either an in-person or transmitted communication when at least one party intends the communication to be of a private nature under circumstances reasonably justifying that expectation. [10] MARYLAND Requires all parties to a communication to consent to the recording. [11] However, Maryland courts have interpreted this to be limited to situations where parties have a reasonable expectation of privacy. [12] MASSACHUSETTS Prohibits secretly recording or secretly hearing wire or oral communications. [13] Therefore, where parties to a communication are notified beforehand of the recording, the recording may fall outside the statute on grounds that the recording is no longer being done in secret. MICHIGAN Prohibits recording private conversations without consent of all parties. [14] A “private conversation” is one in which a person reasonably expects to be free from casual or hostile intrusion or surveillance. [15] Michigan has also been argued to have an exception for recordings made by participants to the conversation, [16] but a district court subsequently declined to follow this reasoning and rejected the existence of a participant-exception. [17] The Michigan Supreme Court has been silent on this issue, so the participant-exception issue has not been settled. MONTANA Prohibits recording communications by use of a hidden device without the knowledge of all parties to the conversation. [18] However, this prohibition does not apply if the parties are notified of the recording, even if they do not expressly consent. [19] NEW HAMPSHIRE Requires consent of all parties for interception of communications. [20] However, consent may be implied when the circumstances around a situation demonstrate that a person was aware they were being recorded. [21] OREGON Requires two-party consent for recording in-person conversations, but only one-party consent for recording telecommunications. [22] A “telecommunication” is, in part, a transmission of pictures and sounds by aid of wire or similar connection between the transmission’s origin and reception points, and it includes all instrumentalities, equipment, and services incidental to such transmission. [23] Therefore, Oregon may, in certain circumstances, operate as a one-party consent state. PENNSYLVANIA Prohibits intercepting oral communications unless all parties consent. [24] To qualify, an oral communication must have been uttered by a person possessing an expectation that such communication is not subject to interception under circumstances justifying such expectation. [25] WASHINGTON Prohibits recording private communications or private conversations unless all parties give prior consent. [26] However, consent may be considered obtained whenever one party announces to all other parties that such communication or conversation is about to be recorded, so long as that announcement is also recorded. [27]
[1] 18 U.S.C. § 2511. [2] Cal. Pen. Code § 632(a). [3] Kearney v. Salomon Smith Barney, Inc., 39 Cal.4th 95 (2006). [4] Id. [5] Conn. Gen. Stat. § 52-570d(a). [6] Del. Code Ann. tit. 11, § 1335(a)(4). [7] U.S. v. Vespe, 389 F.Supp. 1359 (1975). [8] Fla. Stat. § 934.03(2)(d). [9] Fla. Stat. § 934.02(2). [10] 720 ILCS § 5/14-1. [11] Md. Code Ann., Cts. & Jud. Proc. § 10-402. [12] E.g.Malpas v. State, 116 Md.App 69 (1997). [13] Mass. Ann. Laws ch. 272, § 99(B)(4), (C)(1). [14] Mich. Comp. Laws § 750.539c. [15] People v. Stone, 463 Mich. 558 (2001). [16] Sullivan v. Gray, 117 Mich.App. 476 (1982). [17] AFT Michigan v. Project Veritas, 378 F.Supp.3d 614 (2019). [18] Mont. Code Ann. § 45-8-213(1)(c). [19] Mont. Code Ann. § 45-8-213(2)(iii). [20] N.H. Rev. Stat. Ann. § 570-A:2. [21]  State v. Locke, 144 N.H. 348 (1999). [22] Rev. Stat. Ann. § 165.540(1). [23] Rev. Stat. Ann. § 165.535(4). [24] 18 Pa. Cons. Stat. Ann. § 5704(4). [25] 18 Pa. Cons. Stat. Ann. § 5702. [26] RCW § 9.73.030(1). [27] RCW § 9.73.030(3).
0
A picture of the White House.

The White House’s Blueprint for an AI Bill of Rights

In 2021, the global artificial intelligence (AI) market was estimated to value between USD 59.7 billion and USD 93.5 billion. Going forward, it is expected to expand at a compound annual growth rate of 39.4% to reach USD 422.37 billion by 2028. However, as financial and efficiency incentives drive AI innovation, AI adoption has given rise to potential harms. For example, Amazon’s machine-learning specialists discovered that their algorithm learned to penalize resumes that “included the word ‘women’s,’ as in ‘women’s chess club captain.’” As a result, Amazon’s AI system “taught itself that male candidates were preferable.” As our compiled list of guidance on artificial intelligence and data protection indicates, policymakers and legislators have taken notice of these harms and moved to mitigate them. New York City enacted a bill regulating how employers and employment agencies use automated employment decision tools in making employment decisions. Colorado’s draft rules require controllers to explain the training data and logic used to create certain automated systems. In California, rulemakers must issue regulations requiring businesses to provide “meaningful information about the logic” involved in automated decision-making processes. In truth, the parties calling for AI regulation form a diverse alliance, including the VaticanIBM, and the EU. Now, the White House joins these strange bedfellows by publishing the Blueprint for an AI Bill of Rights. What is the Blueprint for an AI Bill of Rights? The Blueprint for an AI Bill of Rights (“Blueprint”) is a non-binding white paper created by the White House Office of Science and Technology Policy. The Blueprint does not carry the force of law; rather, it is intended to spur development of policies and practices that protect civil rights and promote democratic values in AI systems. To that end, the Blueprint provides a list of five principles (discussed below) that – if incorporated in the design, use, and deployment of AI systems – will “protect the American public in the age of artificial intelligence.” To be clear: failing to incorporate one of these principles will not give rise to a penalty under the Blueprint. Neither will adoption of the principles ensure satisfaction of requirements imposed by other laws. However, the lack of compliance obligations should not inspire a willingness to ignore the Blueprint, for the authors expressly state that the document provides a framework for areas where existing law or policy do not already provide guidance. And given that many state privacy laws do not currently provide such guidance, the Blueprint provides a speculative glimpse at what state regulators may require of future AI systems. The Blueprint’s Five Principles for AI Systems
  1. Safe & Effective Systems. The Blueprint demands that individuals be protected from unsafe or ineffective systems. To do this, an AI system should undergo pre-deployment testing, risk identification and mitigation, and ongoing monitoring. The system should be designed to protect individuals from harms stemming from “unintended, yet foreseeable,” uses or impacts, and it should not utilize inappropriate or irrelevant data in the design, development, or deployment stages.
  2. Algorithmic Discrimination Protections. The Blueprint warns that algorithmic discrimination based on a classification protected by law may violate legal protections. Designers and developers should, in part, include equity assessments as part of the AI system’s design, ensure accessibility for people with disabilities, and use representative data for demographic features.
  3. Data Privacy. Taking a page from the EU’s GDPR, the Blueprint states that AI systems should, by default, seek a person’s permission to use, access, transfer, and delete your data. However, the Blueprint recognizes that consent cannot always form the basis for processing, and it states that where consent is not possible, alternative privacy by design safeguards should be used. The Blueprint calls for greater data privacy protections for surveillance technologies and sensitive domains (e.g., health, work, criminal justice).
  4. Notice & Explanation. As with most data privacy laws and regulations, the Blueprint cares about providing individuals with meaningful and useful information, so a person knows how and why an outcome was determined by the AI system.
  5. Human Alternatives, Consideration, & Fallback. The Blueprint states that individuals should, where appropriate, be given the choice to opt out of automated systems in favor of a human alternative. The Blueprint stresses this option as crucial for sensitive domains (e.g., criminal justice, employment, education, and health).
The Takeaway Current and upcoming state laws, such as the California Privacy Rights Act and the Colorado Privacy Act, seek to regulate AI technologies yet currently lack guidance on how that regulation should occur. For this reason, although the Blueprint lacks force of law, innovators and adopters of AI technology should take notice of its overall themes, as these themes may manifest the force of law through adoption by state regulators and agencies. Until then, Metaverse Law will continue to monitor the legal landscape for new developments and update our reference material accordingly for guidance on AI and data protection.
0
Social media apps on the screen of an smartphone device.

California’s Social Media Transparency Law

Disclosure Obligations, Hate Speech & AG Reports

Legislators across the United States have been grappling with how to regulate social media companies. In Texas, the 5th Circuit upheld a law limiting how social media platforms can moderate content.[1] In Florida, a brief was filed asking the U.S. Supreme Court to reverse the 11th Circuit’s decision to strike down a law preventing how social media platforms can moderate users.[2] Now, with Governor Newsom signing AB 587 into law, California joins the legislative efforts. Effective January 1, 2024, AB 587 imposes new disclosure and reporting obligations on companies operating social media platforms. A social media platform falls under the law if:
  • The company operating the platform generated at least one hundred million in gross revenue during the preceding calendar year;[3]
  • The platform is a “public or semipublic internet-based service or application”[4] with users “in California;”[5]
  • A substantial function of the platform is to connect users to allow them to “interact socially” with each other in the platform;[6] and
  • Users can:
    • construct “public or semipublic” profiles for the purpose of signing in and using the platform;[7]
    • populate a list of other users with whom they share a social connection within the platform;[8] and
    • post content viewable by other users.[9]
In addition, the law does not apply to services or applications for which user interactions are limited to direct messages, commercial transactions, or consumer reviews of products, sellers, services, events, or places, or any combination thereof.[10] Disclosure Obligations A covered social media platform must disclose to users the existence and contents of the platform’s terms of service.[11] In addition, the terms of service must disclose:
  • Permitted user behavior and activities on the platform, and activities that may subject the user or their content to negative actions;[12]
  • Potential negative actions that may be taken, such as removal, demonetization, deprioritization, or banning;[13]
  • Contact information for asking questions about the terms of service;[14] and
  • A process by which users can flag content, groups, or other users believed to be violating the terms of service.[15]
These disclosure obligations should feel familiar to businesses already operating in the social media industry. The more onerous requirements stem from the law’s reporting obligations to the California AG. Reporting Obligations to the California AG A covered social media company, on a “semiannual basis,” must provide the California AG with a “terms of service report.”[16] As part of this report, the company must detail whether it defines the following categories of content in its terms of service:
  • Hate speech or racism.
  • Extremism or radicalization.
  • Disinformation or misinformation.
  • Harassment.
  • Foreign political interference.
Interestingly, the law is written so as not to require a covered company to define these categories of content; rather, it merely requires disclosure of whether the company does so. That said, much of what the law requires as part of the report to the AG pertains to the company’s actions taken in response to content falling within one of the above categories. For example, the company must disclose any existing policies intended to address the above categories of content,[17] and the total number of content items flagged for belonging to one of those categories.[18] Failure to submit a report as required can result in a civil penalty of $15,000 per violation per day. So, while the law appears not to require defining the above categories, it seems unlikely that a company can provide a conforming report – and therefore avoid the penalty – without defining what constitutes hate speech, harassment, and so forth. But this raises an important compliance question: how should a company define these categories? And could a company violate the law if, say, they define misinformation or foreign political interference in a way that does not comport with the California AG’s expectations? Given the current legal challenges facing other social media laws across the country, the law will likely be challenged on First Amendment grounds, so time will tell whether the law survives long enough to answer these questions. In the meantime, companies should consider how to navigate the growing state laws either requiring or forbidding moderation of user activities and content.
[1] https://www.politico.com/news/2022/09/16/5th-circuit-upholds-texas-law-forbidding-social-media-censorship-again-00057316. [2] https://www.axios.com/2022/09/21/florida-supreme-court-social-media-law. [3] AB 587, 22680. [4] 22675(e). This excludes services or applications meant to facilitate communication between employees or affiliates within a business or enterprise, so long as the service or platform restricts access to those categories of users. 22675(c). [5] 22675(e). The law provides no guidance on what it means for a user to be “in California,” but the bill’s legislative introduction uses the language “consumers residing in California.” [6] 22675(e)(1)(A). And while the law does not define “interact[ing] socially,” services or platforms that provide “email or direct messaging” services do not satisfy this requirement on that basis alone. 22675(e)(1)(B). [7] 22675(e)(2)(A). Again, this exempts services or platforms in which employees or affiliates can create profiles, when that service or platform restricts access only to those categories of users. 22675(c). [8] 22675(e)(2)(B). [9] 22675(e)(2)(C). [10] 22681. [11] 22676(a). [12] 22675(f). [13] 22676(b)(3). [14] 22676(b)(1). [15] 22676(b)(2). [16] 22677(a). [17] 22677(a)(4)(A). [18] 22677(a)(5)(A)(i).
0
A close-up picture of code.

The California Age-Appropriate Design Code

***Update: On September 15, 2022, Governor Newsom signed AB 2273, establishing the California Age-Appropriate Design Code Act. Who It Covers, What It Requires & How It Compares to the UK Effective July 1, 2024, the California Age-Appropriate Design Code imposes obligations on businesses [1] that provide an “online service, product, or feature” that is “likely to be accessed by children.” [2] Children are defined as California residents [3] “who are under 18 years of age.” [4] The law provides factors for whether an online service, product, or feature (S/P/F) is “likely to be accessed” by California residents under the age of 18: [5]
  • It is directed to children as defined by COPPA. [6]
  • It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, or it is substantially similar to an online S/P/F that meets this factor.
  • It displays advertisements marketed to children.
  • It has design elements known to be of interest to children, including games, cartoons, music, and celebrities who appeal to children.
  • Based on internal research, a significant amount of the audience is children.
An online S/P/F is defined by what it is not, and the definition notably exempts the “delivery or use of a physical product.” [7] This exemption diverts from the UK version of the law, which covers “connected toys and devices.” [8] Compared to the UK’s Common-Sense Approach The US version of the law provides no guidance on what it means for a “significant number of children” to “routinely access[]” the online S/P/F. However, the law makes clear in its legislative findings that covered businesses may look to guidance and innovation in response to the UK version when developing US-covered online S/P/F. [9] ICO states that the term “likely to be accessed by” is purposefully broad, covering “services that children [are] using in reality,” not just those services specifically targeting children. [10] However, ICO recognizes that the term is not so broad as to “cover all services that children could possibly access.” [11] The key difference is whether it is “more probable than not” that an online S/P/F will be accessed by children, and businesses should take a “common sense approach to this question.” [12] To illustrate this point:
  • If an online S/P/F is the kind “you would not want children to use in any case,” then the business should focus on preventing children from accessing the online S/P/F, rather than making it child friendly. [13]
  • If a business’s common-sense analysis reveals that children make up a “substantive and identifiable user group” routinely accessing the online S/P/F, then the “likely to be accessed” definition will apply. [14]
  • If that analysis does not reveal such a group yet causes the business to “think that children will want to use it,” then the business “should conform to the [law’s] standards.” [15]
  • If a business decides that the online S/P/F is not likely to be accessed by children, the business should “document and support” the reasons for such a determination, and incorporate such evidence as “market research, current evidence on user behaviour, the user base of similar or existing service,” and more. [16]
While this does not specify a threshold for what constitutes a “significant number of children,” it does demonstrate ICO’s view on the breadth of the law’s application. In sum, businesses should make a common-sense determination — based on actual evidence (e.g., internal or market) — as to whether it is more probable than not for a substantive and identifiable user group of children to either routinely access or want to access the online S/P/F. Top 3 Pain Points for Businesses If a business makes such a determination and finds that their online S/P/F is covered by the law, the business must take several steps to ensure compliance. We identified the following as among the more onerous steps that must be taken.
  1. Data Protection Impact Assessments & Risk Mitigation Plans
Before offering any new online S/P/F likely to be accessed by children, the business must complete a Data Protection Impact Assessment (DPIA) for it and maintain DPIA documentation for as long as the online S/P/F is likely to be accessed by children. [17] Businesses must biennially review all DPIAs. Businesses must further document any risk of material detriment to children that arises from data management practices identified in the DPIA and create a timed plan to mitigate or eliminate the risk before the online S/P/F is accessed by children. [18]
  1. Estimate Age of Child Users or Treat All Consumers as Children
Covered businesses must estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers. [19] The law provides no further guidance on how one makes such an estimation, but ICO published guidance for the UK version. [20]
  1. High Privacy & Tracking Signals as Default Settings for Children
Covered businesses must configure all default privacy settings provided to children by the online S/P/F to settings that offer a “high level of privacy,” unless the business can demonstrate a compelling reason that a different setting is in the best interests of children. [21] If the online S/P/F allows a parent, guardian, or other consumer to track the child’s location, it must also provide an “obvious signal” to the child when the child is being tracked or monitored. [22]
[1] The law applies to “businesses” as defined by the California Consumer Privacy Act (CCPA), 1798.140(c). [2] 1798.99.31(a). [3] The law incorporates the CCPA’s definition for “consumer,” 1798.140(g). [4] 1798.99.30(b)(1). [5] 1798.99.30(b)(4). [6] Which means:
  • A commercial website or online service that is targeted to children; or
  • That portion of a commercial website or online service is targeted to children. 15 U.S.C. § 6501(10)(A).
[7] 1798.99.30(b)(5), which also exempts broadband internet access service and telecommunications service. [8] According to ICO, connected toys and devices are “children’s toys and other devices which are connected to the internet. They are physical products which are supported by functionality provided through an internet connection.” https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/14-connected-toys-and-devices. [9] AB 2273, Sec. 1(d). [10] https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf, at 17. [11] Id. [12] Id, at 17-18. [13] Id, at 18. [14] Id. [15] Id. [16] Id. [17] The eight DPIA requirements can be found at 1798.99.31(a)(1)(B). [18] 1798.99.31(a)(2). [19] 1798.99.31(a)(5). [20] These methods include the user self-declaring their age, AI algorithms establishing a user’s age, third-party verification services, confirmation from a known adult account holder, hard identifiers (e.g., passports or similar documents), or some form of technical measures. https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/3-age-appropriate-application. [21] 1798.99.31(a)(6). [22] 1798.99.31(a)(8).
1 5 6 7 8