Privacy & Information Security Law Blog

UPDATE: On September 29, 2020, California Governor Gavin Newsom vetoed AB 1138.

On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.

Under the bill, businesses that willfully disregard a consumer’s age will be deemed to have actual knowledge of the consumer’s age. Consent must be obtained from the parent or guardian before an account is created and using a method that includes reasonable measures to ensure that the person providing consent is the parent or guardian of the California Child.

The bill would explicitly permit businesses to require the parent or guardian to implement any of the below measures for purposes of ensuring the person providing consent is the parent or legal guardian of the California Child:

• Sign and send a consent form via fax, U.S. mail or electronic scan;
• Provide a credit or debit card or other online payment system information that would provide the parent or guardian notification of each separate transaction made using the account;
• Call a toll-free number or connect via video conference;
• Provide a copy of a government-issued identification card that the business may check against a database (provided that the business deletes the identification card from its records after the verification process is complete);
• Answer a series of knowledge-based challenge questions that would be difficult for someone other than the legal guardian of the minor to answer;
• Provide a copy of a photographic identification card that the person or business can compare to another photograph submitted by the parent or guardian using facial recognition technology; or
• Provide verifiable parental consent that complies with the Children’s Online Privacy Protection Act of 1998.

The bill also would prohibit the business from using or retaining the information obtained for any purpose other than obtaining the required consent.

AB 1138 initially was introduced in February 2019, but the bill failed to pass the Assembly Floor in September 2019 following Senate amendments. The bill was granted reconsideration on August 30, 2020, and the Senate amendments were concurred in by the Assembly the same day. The bill author stated, “AB 1138 aligns state and federal law, closes […] loopholes, and standardizes compliance mechanisms by requiring social media providers to receive parental consent before allowing minors under the age of 13 to create social media accounts.”