New California Law for Minors Went Into Effect Jan. 1: What You Need to Know to Comply

February.03.2015

California S.B. 568, “Privacy Rights for California Minors in the Digital World” (Cal. Bus. & Prof. Code § 22580-22581) took effect on Jan. 1, 2015. Enacted as an amendment to CalOPPA, the law contains two main provisions: 1) the right for a California minor to request the removal of content or information posted online (nicknamed the “Internet Eraser Law”), and 2) restrictions on the advertising of certain products and services to minors.

The Internet Eraser Law

The law requires any online service (which is defined broadly to include any “Internet Web site, online service, online application, or mobile application”) to permit minors to remove or request the removal of posted content or information. The law applies to online services that are directed to minors (meaning that the service, either in whole or in part, targets minors as its intended audience) or an online service that has actual knowledge that a minor is using the service (which would include any company that collects a birth date of a user), and only applies to online services with minors who are “registered users” of the service. The online service must post notice and instructions to direct the minor how to delete the information. Additionally, the online service must provide notice if “complete and comprehensive” removal of the content is not possible.

Key points to remember:

  • The law applies to any online service that registers a California user under the age of 18, even if the company is physically located outside California.
  • The minor may request deletion only of content that was posted by the minor, and the deletion request must come from the minor who posted the content (not the parent, or another person identified in the content).
  • The online service may anonymize rather than delete the content, so that the minor cannot be identified by other users of the service or by the general public.
  • There is no requirement to delete the content permanently from the company’s systems. The company may maintain the information subject to the removal request for internal purposes, as long as that content is no longer visible or identifiable to other members of the online service or to the general public.
  • Similarly, there is no requirement to delete or anonymize information that was copied or reposted by another member of the site. The company will be deemed in compliance with the statute if it makes the original posting by the minor invisible or anonymized, even if it does not take steps to delete or anonymize the portion of the minor’s content that has been copied or reposted by the third party.

Advertising Restrictions

The Privacy Rights for California Minors law also prohibits online services from advertising certain products such as alcoholic beverages, firearms and ammunition, tobacco products, tattoos, tanning beds, fireworks, aerosol paint containers, lottery tickets, dietary supplements containing ephedrine, drug paraphernalia and obscene matter if the online service is directed to minors or if the operator has actual knowledge that the online service is being used by a minor. The law also applies to targeted advertising and prohibits advertising of the enumerated products to minors “based on information specific to that minor, including” information such as “the minor’s profile, activity, address or location.” Operators of online services are also prohibited from providing minors’ personal information to a third party or allowing a third party to collect minors’ personal information for the purpose of advertising any of the specified products or services.

Key points to remember:

  • A company will not run afoul of the marketing provisions of the law solely because the listed products or services are shown on the operator’s online service if the products are not placed there “primarily for the purposes of marketing and advertising” the prohibited products or services.
  • Services that are directed to minors and that use a third-party advertising service may notify the advertising service that the online service is directed to minors. Once notified, third-party advertising services are prohibited from marketing any of the listed products or services on the operator’s online service.

Compliance Steps

If an online service is directed to minors or has actual knowledge that minors are registering with the service, the company should take the following actions toward compliance:

1. Update its online Privacy Policy to provide notice that a minor may delete or anonymize information that the minor posts to the site. The notice should include instructions on how the minor may delete or request the deletion of such information, and must note if it is not possible to “completely and comprehensively” remove all content.

2. Develop an internal procedure and policy to determine how the company will handle deletion requests. Will content be deleted permanently or be retained internally? Will content be deleted or anonymized? Will the company provide a deletion mechanism through the “settings” or must the user contact customer service to request content be deleted?

3. If the online service is directed to minors, notify in writing any third-party advertising partners (including advertising firms, ad networks and the like) that the online service is directed to minors. Keep a record of that notification.

4. If the online service has actual knowledge that minors are using its service, take “reasonable actions in good faith” to avoid marketing or advertising the prohibited products listed above.

5. Develop standard contractual provisions and consider addenda to existing contracts to restrict the collection and use of data from the company’s online services by third-party ad partners.

Enforcement

Violations of the new law will likely be enforced by the California Attorney General under the state’s unfair competition law, which provides for a penalty of $2,500 per violation.

******

Orrick’s Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.

For more information about these developments, please contact the authors of this alert or your Orrick relationship partner.