Policy Briefing — California Age-Appropriate Design Code Enacted
California’s Age-Appropriate Design Code requires online services likely to be accessed by children to embed child-centric privacy design, complete DPIAs, and ship high-privacy defaults. The Act’s operative date is 1 July 2024, although enforcement is currently enjoined; this briefing recommends outcome testing so that mitigations can be shown to work, not merely documented.
Executive briefing: On 15 September 2022 California enacted the Age-Appropriate Design Code Act (AADC, AB 2273), with an operative date of 1 July 2024. In September 2023 a federal district court preliminarily enjoined enforcement in NetChoice v. Bonta, and the appeal is pending. The law requires businesses providing online services likely to be accessed by children under 18 to implement privacy-by-design, conduct Data Protection Impact Assessments (DPIAs), configure high privacy defaults, and avoid practices that harm minors. It mirrors and expands elements of the UK’s Age Appropriate Design Code, signalling a shift toward child-centric digital regulation in the United States. Companies must develop governance, engineering controls, and outcome testing to demonstrate compliance.
Scope and applicability
The AADC applies to for-profit entities subject to the California Consumer Privacy Act (CCPA/CPRA) that provide an online service, product, or feature likely to be accessed by children. Likelihood is assessed via factors such as child user metrics, audience composition, advertising, and design elements appealing to children. Key obligations include:
- DPIAs: Conduct a DPIA before offering any new online service, product, or feature likely to be accessed by children, and review it on material change, identifying risks of harmful or potentially harmful data processing to children. On written request, a business must give the California Attorney General a list of all DPIAs within three business days and any specific DPIA within five business days.
- Privacy settings: Configure default settings to a high level of privacy unless demonstrably in the child’s best interests.
- Age estimation: Estimate child users’ ages with a level of certainty appropriate to the risks of the service’s data practices, while minimising data collection; alternatively, a business may apply the children’s privacy and data protections to all users and avoid age estimation altogether.
- Data minimisation: Refrain from collecting, selling, sharing, or retaining children’s personal information beyond what is necessary to provide the service.
- Dark patterns ban: Avoid using dark patterns that encourage children to provide additional personal information or take actions detrimental to their well-being.
- Profiling restrictions: Do not profile a child by default unless appropriate safeguards are in place and profiling is either necessary to provide the requested service or demonstrably in children’s best interests.
The Attorney General enforces the Act. Violations can lead to civil penalties of up to USD 2,500 per affected child for negligent violations and USD 7,500 per affected child for intentional violations; a business in substantial compliance receives written notice and 90 days to cure before an action is filed.
Governance and accountability
Compliance requires executive sponsorship and cross-functional teams:
- Board oversight. Incorporate child safety compliance into risk committee agendas, with periodic reporting on DPIA findings and remediation.
- Policies and standards. Update privacy policies, design guidelines, and product development standards to integrate child-centric requirements.
- Training. Provide role-based training for product managers, designers, engineers, data scientists, trust and safety teams, and customer support.
- Recordkeeping. Maintain detailed records of DPIAs, design decisions, stakeholder consultations, and mitigation measures.
Outcome testing should assess whether governance structures effectively reduce risks and ensure timely remediation.
Engineering and design controls
Product and engineering teams must embed safeguards:
- Implement age assurance methods (self-declaration, AI-based estimation, or third-party verification) calibrated to the privacy risk of the service, and keep any data collected for age estimation segregated and minimised rather than reused for other processing.
- Design interfaces that avoid nudging children toward weakening privacy protections; test for dark patterns using usability studies.
- Develop privacy dashboards for child users and guardians, enabling control over data sharing and profiling.
- Do not collect precise geolocation from children by default; where it is strictly necessary, coarsen or mask it and show an obvious signal while it is collected. Add communication controls and content filters to reduce exposure to harmful interactions.
Organisations should document design rationale and testing outcomes, demonstrating alignment with the child’s best interests standard.
DPIA methodology
DPIAs under the AADC must evaluate risks of materially detrimental effects on children’s physical health, mental health, or well-being. Robust DPIAs should include:
- Data flow diagrams mapping collection, processing, storage, and sharing of children’s data.
- Assessment of risks from product features such as autoplay, notifications, social sharing, and algorithmic recommendations.
- Evaluation of cybersecurity protections, including authentication, encryption, and monitoring for child exploitation.
- Stakeholder consultation, including child safety experts and advocacy groups.
- Mitigation plans with timelines, owners, and residual risk ratings.
Outcome testing should confirm that mitigations deliver intended protections, for example by measuring reductions in unsolicited contact or exposure to harmful content.
Interaction with other laws
Companies must align AADC compliance with CPRA, COPPA, and sectoral regulations. CPRA introduces additional obligations around sensitive personal information, automated decision-making, and data minimisation, and already bars selling or sharing the personal information of consumers under 16 without affirmative authorisation (from the consumer at 13 to 15, from a parent or guardian under 13). COPPA focuses on children under 13, whereas the AADC covers everyone under 18, so consent, parental control, and default-settings processes must be harmonised across the three regimes.
Monitoring and enforcement preparation
Although enforcement is preliminarily enjoined pending litigation (NetChoice v. Bonta), companies should maintain readiness. Steps include:
- Monitoring the Attorney General’s enforcement posture, the work of the California Children’s Data Protection Working Group created by the Act, and CPPA rulemaking under the CPRA on risk assessments, which will shape how DPIA-style evidence is expected to look.
- Developing incident response plans for breaches involving children’s data, including notification of affected residents and of the Attorney General under California’s breach notification law.
- Participating in industry forums to share best practices and advocate for practical implementation guidance.
Outcome metrics could track DPIA completion rates, remediation closure timelines, user complaint volumes, and child safety incident counts.
Implementation roadmap
- 0–90 days: Identify in-scope services, initiate DPIAs, and review design patterns for risks.
- 90–180 days: Implement age assurance, privacy defaults, and design changes. Launch training and update documentation.
- 180–365 days: Conduct outcome testing, refine controls, and prepare evidence packages for regulators.
Sources
- California AB 2273 (Age-Appropriate Design Code)
- CPPA staff report on AADC implementation
- California Privacy Rights Act resources
- UK ICO Children’s Code guidance
- NetChoice v. Bonta, N.D. Cal., order granting preliminary injunction (September 2023)
Zeph Tech helps digital platforms and product teams operationalise the California Age-Appropriate Design Code, integrating DPIA workflows, privacy engineering, and outcome monitoring tailored to youth safety expectations.
Testing methodologies for child-centric outcomes
Robust testing should combine qualitative and quantitative techniques. Usability testing with teen advisory panels can reveal whether privacy controls are understandable and whether dark patterns remain. Behavioural analytics can measure how often minors adjust privacy settings or decline optional data sharing. Firms should track safety incident rates—such as reports of bullying or unsolicited contact—and evaluate the effectiveness of moderation workflows. Red teaming exercises can simulate attempts to bypass age assurance or exploit communication features, providing evidence of control robustness.
Organisations should maintain dashboards summarising key indicators: average response time to child safety reports, proportion of content removals resolved within target SLAs, and adherence to age verification accuracy thresholds. Sharing metrics with the board reinforces accountability.
Collaboration with external stakeholders
Implementing the AADC benefits from collaboration with academic researchers, child safety NGOs, and industry coalitions. Partnering on threat intelligence sharing helps identify emerging risks such as grooming patterns or new social engineering tactics. Firms may participate in voluntary certification programmes or independent audits to validate compliance claims. Documenting stakeholder engagement and incorporating feedback into DPIAs demonstrates a commitment to continuous improvement.
Product governance and lifecycle assurance
Teams should integrate AADC compliance checkpoints into their product lifecycle gates. During discovery, user researchers must capture how minors actually experience the product; design reviews must confirm default privacy settings are high and that profiling or nudge techniques are disabled unless a documented best-interest justification exists. Before code freeze, engineering and privacy engineering teams should run automated tests that search for age-estimation bypasses, unredacted precise geolocation fields, or logging statements that expose children’s data.
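The pre-code-freeze check described above is where an automated test earns its keep. The following is an added example, not code from the page or from any vendor: it scans newline-delimited JSON log events, flags precise geolocation fields on minor accounts and child identifiers logged in cleartext, and shows the coarsening fix. The event schema, the `age_band` values, the field-name lists and the sample log are all assumptions constructed for the example; a missing or unknown age band is treated as a minor so the check fails closed, matching the high-privacy-default rule.

```python
# Added example (not from the AADC text or any vendor's tooling): a pre-release
# scan over structured log events for two defects named in the briefing,
# precise geolocation on minor accounts and child identifiers in cleartext.
# Schema, field names, age bands and the sample log are constructed assumptions.
import json
import re
from dataclasses import dataclass
from decimal import Decimal

# Assumed schema: any "age_band" other than "adult" is a minor, and a missing
# band fails closed (the high-privacy default applies until age is known).
GEO_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
CHILD_PII_KEYS = {"email", "phone", "full_name", "date_of_birth", "dob", "home_address"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
COARSE_DECIMALS = 1  # 0.1 degree is roughly 11 km: city-level, not household-level


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the log
    path: str   # dotted path to the offending field
    kind: str   # "precise_geo" or "child_pii"


def is_minor(event: dict) -> bool:
    return event.get("actor", {}).get("age_band") != "adult"


def is_precise(value) -> bool:
    """A coordinate is precise if it carries more decimals than COARSE_DECIMALS."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    exponent = Decimal(str(value)).as_tuple().exponent
    return isinstance(exponent, int) and -exponent > COARSE_DECIMALS


def coarsen(value: float, decimals: int = COARSE_DECIMALS) -> float:
    """Round a coordinate to a coarse grid before it is logged or stored."""
    return round(float(value), decimals)


def _walk(obj, path=""):
    """Yield (path, key, value) for every scalar leaf in a nested JSON object."""
    if isinstance(obj, dict):
        items = ((f"{path}.{k}" if path else k, k, v) for k, v in obj.items())
    elif isinstance(obj, list):
        items = ((f"{path}[{i}]", str(i), v) for i, v in enumerate(obj))
    else:
        return
    for sub, key, val in items:
        if isinstance(val, (dict, list)):
            yield from _walk(val, sub)
        else:
            yield sub, key, val


def scan_event(event: dict, line_no: int) -> list[Finding]:
    """Return findings for one event; adult events are out of scope here."""
    findings = []
    if not is_minor(event):
        return findings
    for path, key, value in _walk(event):
        if key in GEO_KEYS and is_precise(value):
            findings.append(Finding(line_no, path, "precise_geo"))
        elif key in CHILD_PII_KEYS and value not in (None, "", "[redacted]"):
            findings.append(Finding(line_no, path, "child_pii"))
        elif isinstance(value, str) and EMAIL_RE.search(value):
            # identifiers leaking through free-text message fields
            findings.append(Finding(line_no, path, "child_pii"))
    return findings


def scan_log(text: str) -> list[Finding]:
    """Scan newline-delimited JSON; returns every finding across all lines."""
    findings = []
    for line_no, raw in enumerate(text.strip().splitlines(), start=1):
        if raw.strip():
            findings.extend(scan_event(json.loads(raw), line_no))
    return findings


# Constructed sample log: line 1 and 5 leak precise coordinates for minors
# (line 5 has no age band), line 3 logs an email in a field and in free text,
# line 2 is an adult, line 4 is already coarsened.
SAMPLE_LOG = """\
{"event":"post_created","actor":{"id":"u1","age_band":"13_15"},"geo":{"latitude":37.7749,"longitude":-122.4194},"msg":"ok"}
{"event":"post_created","actor":{"id":"u2","age_band":"adult"},"geo":{"latitude":37.7749,"longitude":-122.4194},"msg":"ok"}
{"event":"signup","actor":{"id":"u3","age_band":"under_13","email":"kid@example.com"},"msg":"welcome kid@example.com"}
{"event":"post_created","actor":{"id":"u4","age_band":"16_17"},"geo":{"latitude":37.8,"longitude":-122.4},"msg":"ok"}
{"event":"post_created","actor":{"id":"u5"},"geo":{"latitude":51.5074,"longitude":-0.1278},"msg":"ok"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind} at {f.path}")
    print("coarsened:", coarsen(37.7749), coarsen(-122.4194))
```

Run against the constructed log the scan reports six findings: two precise coordinates on line 1, the email field and the free-text email on line 3, and two precise coordinates on line 5, which is caught only because an unknown age band is treated as a minor. Wire `scan_log` into the CI job that runs before code freeze and fail the build on any finding; the `coarsen` helper is the fix to apply at the point where coordinates enter the logging or analytics pipeline.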
Because the law lets the California Attorney General demand a list of all DPIAs within three business days and any individual DPIA within five business days of a written request, organisations should maintain a DPIA library with executive sign-offs, remediation status, and links to experiment results showing that risk mitigations worked. Quarterly reviews with legal and trust & safety leadership should triage emerging risks, such as new machine-learning recommendation features or integrations with educational partners.
Finally, document a regulatory engagement plan. Even though litigation has challenged AB 2273, companies should prepare to supply evidence on request, including dashboards that display child-safety incident metrics, mean time to remediate vulnerability reports affecting youth accounts, and results of independent accessibility or safety audits. These proactive controls will demonstrate diligence should the law take effect on schedule or influence parallel legislation in other US states.