On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”).  The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that date, which includes a complete Data Protection Impact Assessment.

Because that date is more than 18 months away, we thought presenting the law’s requirements in a multiple-choice format might help you remember some aspects of the law, so here are ten questions (answers below):

1.         The CADC applies to business that provides an online service, product, or feature likely to be accessed by children that includes children

a.         0 to 5 years of age or “preliterate and early literacy”;

b.         6 to 9 years of age or “core primary school years”;

c.         10 to 12 years of age or “transition years”;

d.         13 to 15 years of age or “early teens”; and

e.         16 to 17 years of age or “approaching adulthood.”

f.          Ages 0-12 [same as COPPA]

g.         Ages 0-17

2.         An online service, product or feature is “likely to be accessed by children” includes an online service, product or feature that (select all that apply):

a.         Includes advertisements marketed to children

b.         Has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children

c.         Is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children.

d.         Based on internal company research, is determined to have a significant amount of the audience of the online service, product, or feature to be children.

3.         The CADC requires the biennial Data Protection Impact Assessment to include (select all that apply)

a.         Whether algorithms used by the online product, service, or feature could harm children

b.         Whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children

c.         Whether targeted advertising systems used by the online product, service, or feature could harm children

4.         Each completed Data Protection Impact Assessment must be made available to the California Attorney General upon request within ____ days:

a.         Three

b.         Five

c.         Ten

d.         Thirty

5.         Each completed Data Protection Impact Assessment that a business provides to the California Attorney General (select one):

a.         Is exempt from public disclosure

b.         Does not waive any applicable attorney-client privilege or attorney work product privilege

c.         Both a and b

d.         Neither a nor b

6.         The business must configure all privacy settings for children by default (select one):

a.         To the highest level

b.         To the level the business can demonstrate is most frequently selected by parents

c.         To the same level as provided to all users

7.         The CADC prohibits a business from doing which of the following actions (select all that apply):

a.         Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged

b.         Collect, sell, or share any precise geolocation information of children by default

c.         “Profile” a child

d.         Use any personal information collected to estimate age or age range for any other purpose or retain that personal information longer than necessary to estimate age

8.         If the business is in substantial compliance with the CADC’s requirements, the CADC provides that the Attorney General must provide notice and an opportunity to cure any noted deficiencies within:

a.         30 days [same as CCPA—through December 31, 2022 only]

b.         45 days

c.         60 days

d.         90 days

9.         The CADC does not have a private right of action but the Attorney General can seek civil penalties of $2,500 for negligent violations and $7,500 for intentional violations, with violations calculated per

a.         Child

b.         Day

c.         Subsection of the CADC violated

10.       What technical tools are available to me to: (1) help me understand my risk profile, and take steps towards compliance with the CADC; (2) generate actionable reports to determine how my consumer-facing assets are collecting and sharing data, including personal information; and (3) assist with conducting the required systematic survey to assess and mitigate risks that arise from the data management practices of the business to children who are reasonably likely to access the online service, product, or feature?

            a.         I can do this manually

            b.         Nothing exists but it would be great if it did

            c.         NT Analyzer


The CADC contains many other provisions, but, as you can see, the detailed Data Protection Impact Assessment has to be ready to go shortly after July 1, 2024.  Affected companies that are already planning for the new privacy laws that go into effect next year (California, Colorado,  Connecticut, Utah, and Virginia) may want to add the CADC now, because the information will likely be relevant in other compliance efforts.

If you want to discuss any privacy concerns you have or see how NT Analyzer could help you specifically, please let us know and we are happy to schedule a demo. Visit our website to learn more: www.ntanalyzer.com/


1.         g (0-17)

2          a, b, c, and d—all of them

3.         a, b, and c—all of them

4.         b (five days—it’s 3 days to provide the number of assessments to the AG upon request)

5.         c (both exempt from public disclosure and does not waive privilege)

6.         a (highest level)

7.         a, b, c, and d—all of them

8.         d (90 days)

9.         b (per child)

10.       c (NTA Analyzer)