California Governor Jerry Brown recently signed into law S.B. 568, the first bill of its kind in the nation. S.B. 568 enacts two new statutes under the title “Privacy Rights for California Minors in the Digital World.” The first, Business and Professions Code section 22580, prohibits advertising certain products to minors online. The second, Business and Professions Code section 22581, requires businesses to provide an online “eraser button” for remorseful minors (see blog post here).

The new advertising law takes effect January 1, 2015. It applies to websites and mobile apps primarily directed to minors, but, unlike some other statutes directed at online protection of minors, it does not stop there. It also applies to any website or app the provider knows to be used by minors that markets or advertises to minors based upon information specific to the minor. For example, it apparently would apply to a website or app that delivers behaviorally targeted advertising, or advertising based on information gleaned from a minor’s online profile.

The new law prohibits marketing or advertising certain categories of products. The common feature of the enumerated products or services is that they are illegal to actually sell to minors in California, such as tobacco, alcohol, firearms, fireworks, spray paint, lottery tickets, tattoos, or (so appropriately Californian) tanning bed services or tanning devices. Advertising service providers that are notified by a website operator that the site is directed to a minor are also subject to the new law’s restrictions.

Notably, there is a “safe harbor” if the website takes “reasonable actions in good faith designed to avoid marketing or advertising” as prohibited by the law, including notifying its advertising service provider that its site is directed to minors. Further, the marketing and advertising restrictions do not apply to “the incidental placement of products or services embedded in content” if the content is not distributed at the direction of the website operator (for example, user-generated content).

In addition, the new law provides that website and app providers are not required to collect or retain age information. Thus, at least for websites and apps not primarily directed at minors, the new law may create an incentive to avoid collecting age information, in order to avoid the knowledge that the website or app is being used by minors that could trigger the application of the law.

The new law has been criticized by online advocates such as the Center for Democracy and Technology, which has argued that its definition of what websites or apps are “directed at minors” is unconstitutionally vague, and will result in the restriction of distributing constitutionally protected information to young adults and minors in violation of the First Amendment.

The new law would also prohibit website and app providers from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile a minor’s personal information for the purpose of marketing or advertising prohibited products or services. The statute, however, does not define what constitutes a minor’s “personal information.” Thus, some argue, the scope of this prohibition is impermissibly vague, which makes it onerous or impossible to know how to comply with it. Moreover, this part of the statute also runs smack up against the federal Children’s Online Privacy Protection Act (“COPPA”), which generally prohibits operators of websites or online services directed to children under 13 from collecting the child’s “personal information” (which is defined by the federal statute) unless the operator has the child’s parents’ verified consent. Opponents to the new California law argue that it is preempted by COPPA, given the apparent conflicts between the two statutes’ prohibitions and requirements. Opponents also argue that, if other states follow California’s lead, websites will be subject to a myriad of many different regulations, making compliance for online businesses even more complicated and costly.

The new California privacy law does not independently provide a private right of action or otherwise specify the consequences for failure to comply. However, once the law goes into effect in 2015, it could potentially be enforced by a state or local enforcement agency under statutes such as California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 in action for injunctive relief, and could potentially be cited as the basis for private lawsuits under those statutes.