top of page

California Age Appropriate Design Code Act Blocked by Federal Judge

Credit: Ivan Radic | Flickr

Children's privacy is growing rapidly as legislatures worldwide endeavor to make the Internet safer for children. With more children using technology at home and in schools, regulators like the FTC have started ramping up their enforcement of the Children's Online Privacy Protection Rule (COPPA), the leading legislation relating to children in the United States. In an attempt to address some of the many concerns with COPPA, the California legislature created its own law prioritizing the safety and privacy of children: the California Age Appropriate Design Code Act (CA AADC, a.k.a. CAADCA). The CA AADC quickly accumulated supporters and critics across the country. On September 18, 2023, a federal judge enjoined the law, preventing it from going into effect.

What is the California Age Appropriate Design Code Act?

In September 2022, the California legislature passed the California Age Appropriate Design Code Act, slated to go into effect on July 1, 2024. Like many other US privacy regulations before it, the CA AADC was written to mimic similar regulations passed in the UK. With this law, California modeled their legislation after the UK’s Age Appropriate Design Code (UK AADC) which began enforcement on September 2, 2021 after a year-long grace period.

Both laws are substantially similar, aiming to set guidelines for how companies should treat children online. Under the AADC, if a business’s website is targeted toward or “likely to be accessed by children”, the business is considered covered by the law and must design their online presence with the “best interests of children” in mind, even if it may conflict with the company’s commercial interests. UK legislators sourced the “best interests of the child” standard from the UN Convention on the Rights of the Child, which the US has signed, but not ratified. While the UK ratified the convention in 1991, the standard of the “best interests of the child” does not hold the same legal significance in the US.

The CA AADC is not a carbon copy of its UK predecessor, although they do share core principles. Under both laws, covered businesses must enact a high level of default privacy, though only the UK law provides further guidance on that standard. The CA AADC emphasizes the “privacy by design” and “privacy by default” principles, encouraging companies to implement strong privacy protections from the onset.

The CA AADC requires covered businesses to complete “Data Protection Impact Assessments” (DPIAs) before launching any new online products or services to the public. These assessments must address any potential harms to children or possible ways the product or service could cause children to be targeted, whether any algorithms used could harm children, how their service might be designed to keep children engaged, and what sensitive personal data might be collected from child users. The California Attorney General can request these impact assessments at any time, and companies are required to provide them within five business days of receiving the request. Covered businesses must also configure default privacy settings to a “high level of privacy”, although the legislation does not provide details on what constitutes a high level of privacy.

Federal Judge Enjoins the Law

Shortly after the California legislature passed the CA AADC, NetChoice, a lobbying group dedicated to “mak[ing] the Internet safe for free enterprise and free expression,” filed a complaint against California Attorney General, Rob Bonta. NetChoice argued that the law violates the First and Fourteenth Amendment because it is a content-based restriction on free speech. Next, NetChoice stated that CA AADC is a violation of the Fourth Amendment because of the law’s requirements regarding DPIAs. The lobbying group then argued the law is void for vagueness under the First Amendment and Due Process Clause because the CA AADC has provisions that do not provide fair notice. NetChoice also asserted that the law is unconstitutional under the Dormant Commerce Clause because it controls actions and activities that occur outside of California. Moreover, NetChoice claims the CA AADC violates COPPA because it creates requirements regarding use, tracking, and storage of information collected on the website from users who are under the age of 18. Finally, NetChoice argues that the law violates Section 230 of the Communications Decency Act because the CA AADC classifies businesses as the “publishers or speakers of information provided” by the users of their websites.

In its complaint, NetChoice asked the court to (1) declare that CA AADC is preempted by federal law, (2) declare certain sections of the law unconstitutional under the U.S. and California constitutions and preempted by federal law, and (3) enjoin the law from going into effect. On September 18, 2023, the court issued its opinion. The court held that NetChoice “demonstrated a likelihood of success” on its First Amendment claim. The court agreed that the CA AADC’s restrictions on the types of information businesses collect and the DPIA requirements regulate speech. The court looked at ten of the law’s provisions and decided that all ten probably violate the First Amendment. Ultimately, the court granted the group’s motion for preliminary injunction.

Looking to the Future

The State is likely to appeal the decision to the Ninth Circuit. However, multiple courts have raised concerns about the type of data collection and the restrictions on speech outlined in the CA AADC. For instance, in August, a federal judge blocked a Texas law that required age verification and warnings on pornographic websites. Similarly, during the same month, a federal judge in Arkansas blocked a law that aimed to compel social media platforms to establish age verification processes and obtain parental consent before allowing minors to create accounts. It remains uncertain how the Ninth Circuit will rule in this specific case, but it is clear that industry experts will need to reconsider some of the processes used to protect children online.

*The views expressed in this article do not represent the views of Santa Clara University.


bottom of page