New California legislation signed into law today requires that online platforms consider “the best interest of child users and to protect their mental health and wellbeing.” Governor Gavin Newsom announced the signing of AB 2273 which provides for the wellbeing, data, and privacy of children using online platforms.
Over the past years, California has consistently led the nation in legislation centered around cybersecurity, online child protection, data privacy, and data protection; AB 2273 takes this another giant step forward. AB 2273 goes well beyond the protections required by the 1998 Children’s Privacy Protection Act, which protected the privacy of children under the age of 13 when they use online services which were clearly targeted to children.
Existing law in California includes the Parent’s Accountability and Child Protection Act. The Parent’s Accountability and Child Protection Act requires a person or business that conducts business and sells products in California to take reasonable steps to ensure that the purchaser is of legal age at the time of purchase. This existing law prohibits a person or business that is required to comply with these provisions from retaining, using, or disclosing any information it receives in an effort to verify age from a purchaser or recipient for any other purpose, except perhaps as specified, and potentially opens a business or person that violates these provisions to a civil penalty.
This new bill, AB 2273, would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would, among other things, require a business that provides an online service, product, or feature likely to be accessed by children to comply with specified requirements. These requirements include that the online service, product, or feature be set to the highest levels of privacy, unless it can be demonstrated that a different setting is in the best interests of children.
There’s a lot more. The business must also provide detailed privacy information, terms of service, policies, and community standards in clear language easily seen by children likely to access the online service, product, or feature. The business must also complete and submit a written Data Protection Impact Assessment. AB 2273 requires a business to make a Data Protection Impact Assessment available, within 5 business days, to the Attorney General pursuant to a written request and would exempt a Data Protection Impact Assessment from public disclosure, as prescribed. The bill would prohibit a business that provides an online service, product, or feature likely to be accessed by children from using that personal information for any reason other than a reason for which the personal information was collected. Finally, this bill would create the California Children’s Data Protection Working Group to deliver a report to the Legislature regarding best practices for the implementation of these provisions, as specified.
As with previous California legislation, AB 2273 has the sharp teeth of enforcement. This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. The bill would require any penalties, fees, and expenses recovered in an action brought under the act to be deposited in the Consumer Privacy Fund with the intent that they be used to fully offset costs incurred by the Attorney General in connection with the act. The penalties associated with AB 2273 non-compliance can get very ugly very quickly for violators.
DNS Security Can Help with Providing a Safe Browsing Experience in Education
Much of the existing California legislation addresses child protection, data privacy, data breach, and cybersecurity. This new law puts a very important layer of additional protection in place for our children. Children and young adults continue to be targeted by a proliferation of internet-based games, applications, and advertising which targets them directly and then exploits or misuses their personal data.
Technologies like BloxOne Threat Defense can help ensure that schools and their students have a secure, safe, and reliable internet browsing experience by providing malware blocking and data exfiltration prevention capabilities. In addition, using category-based filtering, DNS security can keep undesirable and inappropriate content from reaching students who use protected school networks. As a side benefit, the Infoblox solution can likely help your organization reduce costs and use your other security tools more efficiently.
At the 1,000-foot view, Infoblox BloxOne™ Threat Defense provides protective DNS capabilities to defend against sophisticated threats and brings extensive threat intelligence from multiple sources. BloxOne enables DNS servers to detect and block activity such as command and control (C&C) communications to malicious destinations. Advanced behavioral analytics, machine learning and other advanced techniques applied to real-time DNS queries can rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and more.
DNS, DHCP and IPAM data are another important part of the puzzle for your team. Infoblox’s DDI (DNS, DHCP, IPAM) data can further provide invaluable information about compromised devices and actionable network context (such as what type of device it is, where it is in the network, who it is assigned to, and its lease history). This information can provide essential visibility into ongoing attacks and inform remediation strategy.
The Morgan County School District – A Study in Success
Morgan County School District is a public district located in Morgan, Utah. The PreK-12 school district provides free, public education and services to 3,103 students across five schools. The school district has several long-term initiatives to improve and streamline cybersecurity and content filtering. It sought to migrate its IT infrastructure to the cloud and enhance its overall cybersecurity posture district-wide. Further, the school district wanted to quickly implement a more robust and reliable solution that would eliminate false positives and keep students and users safe online, even as they learn from home under the COVID-19 quarantine.
In terms of a technical solution, they wanted to move IT infrastructure and applications to the cloud while also maintaining some local control over services, such as DNS Firewall, to implement better content filtering and eliminate false positives. The school district already had Infoblox’s core DDI solution in place before implementing Infoblox’s BloxOne Threat Defense.
The school district strongly understands that content filtering is essential to any IT strategy in the Education sector. Content filtering protects students, faculty and staff from accessing inappropriate or harmful content online, and it keeps their highly sensitive data safe. Content filtering is especially important in a school environment because it can help protect children from cyber-bullying, pornography, gambling websites, and more.
Schools around the globe are finding different ways to overcome barriers to online learning and teach students remotely. In Utah, school districts have a great amount of decision-making authority over how their schools operate, though they are overseen by the Utah State Board of Education (USBE). Therefore, the customer is able to take a unique approach to distance learning, district-wide.
Infoblox solutions can help public education organizations address the wellbeing, data, and privacy of children using online platforms per the requirements of AB 2273.
For more information:
- Read the new legislation, AB 2273:
- Read the Morgan County School District Case study here:
- Learn more about BloxOne Threat Defense
- Learn more about protective DNS and DNS security here:
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form/.