Privacy Rights for California Minors

Mentioned in passing in our first December blog post is another potential pitfall for operators of Internet-based services such as websites or applications. This particular pitfall comes out of the State of California. However, given the role of the internet as a widespread source of information, this is a lesson for any individual pitching to minors online. This law is Business & Professions Code 22580-22582 (“BPC 22580-22582”), otherwise known as “Privacy Rights for California Minors in the Digital World.” What does this law pertain to in general? What kind of entities need to be concerned about California minors? What are the privacy rights these minors are allowed to enjoy?

What is BPC 22580-22582?

BPC 22580-22582 is a sub-part of the California Business and Professions Code. It applies to operators of Internet websites and services, including, but not limited to, applications, that are directed towards children, and to those same operators where they know their websites or services are used or visited by children. Here, “directed to” means the website or service was created mainly for children and is not intended for a general audience, including, but not limited to, adults. The law states that, for children with registered accounts, entities must:

1) Allow the child to remove that child’s information from the website servers;

2) Provide notice that the child can remove account information and posts from the website servers;

3) Provide instructions on how to remove information; and

4) Provide notice that the removal may not be completely comprehensive.

There are some exceptions and limitations to removal, such as when a minor has been compensated for content submitted to the website, and when another user downloads and re-uploads that content elsewhere on the internet. Effectively, this is analogous to the “right to be forgotten” that is occasionally mentioned regarding the rights of European Union citizens, but applied instead to minors within California. It has the practical effect of forcing any such entity to allow children under the age of 18 to invoke a right to be forgotten, i.e., to get a “clean start” on social media. This would potentially prevent actions taken from ages 13 to 17 and recorded on social media from detrimentally affecting these children.

How should an entity comply with the law?

The first and perhaps easiest way to avoid penalties for violating the law is to simply create a website that is for all ages. For websites that are meant to be used solely by children, this becomes more difficult. The law states that a website will be compliant if it renders the content or information posted by the child no longer visible or, in the alternative, makes the original posting invisible even if it is visible through a third-party user. This should be fairly simple for most online entities, as it does not require actually deleting the information from the entity’s servers, nor does it require tracking down and removing all possible re-posts of the information the minor wanted removed.

At our law firm, we assist clients with legal issues related to internet, technology, and their sub-categories such as online privacy rights. Please contact us to set up an initial consultation.