A Blog About FTC regulations and happenings
California Age-Appropriate Design Code Act Stymied After Federal District Court Ruling
As state legislatures pursue laws directed at online safety and privacy for children, federal courts are striking down their efforts. The latest example is California’s Age-Appropriate Design Code Act (CA-AADC), which a federal judge in the Northern District of California enjoined from enforcement. While larger questions loom about constitutional authority and what is the best way to protect children online, we can glean from the California case that state legislators need to craft their laws with greater precision if they want any chance of success.
Background on the California Case Enjoining the CA-AADC
Approximately a year after Governor Newsom signed the California Age-Appropriate Design Code Act (CA-AADC) into law, a federal judge issued a preliminary injunction that bars State Attorney General Rob Bonta from enforcing the landmark legislation. CA-AADC was created to bolster digital and data safeguards for children online and was slated to take effect in July 2024. While the decision will likely be contested and progress to the Ninth Circuit—where the same federal judge recently had another privacy-related decision reversed—the ruling follows shortly after similar laws were enjoined by federal district courts in Texas and Arkansas. All three rulings highlight ongoing legal challenges and complexities surrounding digital privacy rights and protections for children in the modern age.
In its decision, the court found that the CA-AADC likely violates the First Amendment as it fails legal standards for restrictions on commercial speech.
Overview of the California Age-Appropriate Design Code Act
While we’ve already covered the CA-AADC’s content and passage, below is a brief summary.
The California statute was modeled after the Age-Appropriate Design Code established in the United Kingdom and goes beyond other privacy and security laws protecting minors at both the federal and state levels, such as the federal Children’s Online Privacy Protection Act (COPPA) and California’s Parent’s Accountability and Child Protection Act as well as the California Privacy Rights Act of 2020 (CPRA).
Part of the CA-AADCA’s intended purpose was to build upon the objectives of the CPRA; as such, the statute applies only to companies governed by the CPRA: for-profit entities that generate $25 million or more in annual gross revenue, buy or sell the personal information of 100,000 or more users, derive 50% of their annual revenue from selling or sharing consumers’ personal information, or any combination of the preceding characteristics.
CA-AADCA applies to online products or services that are “likely to be accessed by children,” the definition of which was expanded to encompass consumers under the age of 18 rather than under the age of 13 as in COPPA. For instance, websites that contain advertisements that are marketed to children, contain design elements known to be of interest or appeal to children, or have a target audience or actual audience significantly composed of children, etc. are covered under the statute.
The CA-AADCA imposes rigorous requirements on covered businesses. Such businesses are mandated to carry out a comprehensive Data Protection Impact Assessment (DPIA) for any online service, product, or feature that children are likely to access. This assessment is meant to delve into potential risks, such as the possibility of children being exposed to harmful content or the collection of their sensitive personal information. Additionally, businesses are required to develop a strategy to address and mitigate these risks, accurately determine the age of their child users, provide them with high default privacy settings, and ensure that all information, terms, and policies are presented in a manner that is age-appropriate.
The statute also delineates specific prohibitions. Covered businesses are forbidden from using a child’s personal data in ways that could be detrimental to their well-being. The statute restricts the profiling of children unless it meets certain conditions and prohibits the unnecessary collection or sale of their personal information. Precise geolocation data collection is also limited and must be transparent to the child. Furthermore, the statute prohibits the use of manipulative “dark patterns” that might coerce children into divulging more information or compromising their own privacy unwittingly.
The Lawsuit That Has Halted the CA-AADC
In December 2022, NetChoice filed suit against the California Attorney General in the District Court for the Northern District of California, alleging that the CA-AADC violates both the First Amendment and the Dormant Commerce Clause, and is also preempted by Section 230 of the Communications Decency Act and COPPA. NetChoice is a trade association that represents e-commerce and other online enterprises, members of which include prominent tech giants such as Facebook parent Meta, TikTok, Amazon, Youtube parent Google, and Twitter.
NetChoice filed request for preliminary injunction in the middle of February 2023. The preliminary injunction hearing on July 27th was followed by supplemental brief filings from both NetChoice and the California Attorney General in August.
The court issued its 45-page opinion enjoining the CA-AADCA on September 18th, 2023, finding that NetChoice adequately demonstrated a likelihood of success on its claim that the statute violates the First Amendment. More specifically, the court concluded that NetChoice demonstrated a likelihood of success on the claim that “the Act’s ‘speech restrictions . . . fail strict scrutiny and also would fail a lesser standard of scrutiny.’”
The court found that the CA-AADCA’s prohibitions on collecting, selling, sharing, or retaining any personal information for most purposes regulated protected speech by limiting the “availability and use” of information by certain speakers and for certain purposes. On the matter of the statute’s mandates, the court found that the CA-AADCA also likely regulates protected speech through the CA-AADCA’s ten provisions, moving to an application of the standard for commercial speech scrutiny. In so doing, the court analyzed the following provisions:
- The DPIA Report Requirement
- Age Estimation
- High Default Privacy Settings
- Age-Appropriate Policy Language
- Internal Policy Enforcement
- Knowingly Harmful Use of Children’s Data
- Profiling Children By Default
- Restriction on Collecting, Selling, Sharing, and Retaining Children’s Data
- Unauthorized Use of Children’s Personal Information
- Use of Dark Patterns
The court held that all ten provisions likely violate the First Amendment under the standard for commercial speech. Further, the court enjoined the entirety of the law, quashing any possibility that the state could sustain the valid portions of the statute after the fact, determining that the invalid parts of the statute could not be severed from the valid parts because the “CA AADCA is not capable of ‘separate enforcement’ without the DPIA requirement.”
The preliminary injunction against the CA-AADC is part of a broader legal landscape surrounding online privacy and digital rights. In August, another federal court halted a law mandating age verification for online pornography over concerns about invasive data collection techniques and potential infringements on constitutionally protected speech. On the same day, an Arkansas statute that sought to limit underage users’ access to social media platforms was similarly blocked by a federal court. Furthermore, the Supreme Court recently vacated an earlier decision by the Fifth Circuit Court of Appeals, blocking a Texas law—which forbids banning, demonetizing, or otherwise disfavorably ranking the posts of Texas users on the basis of “viewpoint”—while the matter concerning its constitutionality proceeds.
As the CA-AADC case and other cases touching upon digital rights in other states unfold, they highlight complexities of navigating digital privacy legislation, as these decisions are likely to shape the future contours of online privacy and state regulatory power.
 Ibid. Pg. 35.