On Monday, September 18, 2023, a federal judge in the Northern District of California issued a preliminary injunction delaying enforcement of California’s Age Appropriate Design Code (“CA AADC”) in NetChoice, LLC v. Bonta signaling the likelihood that CA AADC will be deemed unconstitutional.
CA AADC was passed in September 2022 and was slated to go into effect July 1, 2024. The law was modeled after a UK regulatory code by the same name and imposed several privacy-by-design and documentation requirements on for-profit companies offering services that are “likely to be accessed” by children under 18. (See our blog post for a summary of the law’s requirements).
Net Choice, a technology trade organization, representing Google, Meta, Airbnb, and other technology companies, filed a lawsuit alleging the CA AADC’s requirements violate the California Constitution, the First, Fourth, and Fourteenth Amendment of the U.S. Constitution, and the dormant Commerce Clause of the U.S. Constitution, and that CA AADC is preempted by the federal Children’s Online Privacy Protection Act (“COPPA”) and Section 230 of the Communications Decency Act (“Section 230”).
The Court focused on NetChoice’s First Amendment claims, withholding rulings on the other claims. The Court cited changes in case law relating to the dormant Commerce Clause regarding which the parties had no opportunity to brief. The Court did signal doubts (1) that a facial challenge to AADC would be sufficient to rule on Section 230 preemption, and (2) that the CA AADC would be inconsistent with COPPA as opposed to supplemental to COPPA.
Nevertheless, the Court determined that NetChoice was likely to succeed in proving CA AADC violates the First Amendment at trial. In doing so, the Court found that many of the CA AADC requirements regulated commercial speech requiring that the State of California show that the requirements further a substantial government interest and that the requirements are not “more extensive than necessary to serve that interest.” NetChoice v. Bonta, 5:22-cv-08861-BLF (N.D. Cal. Sep. 18, 2023), 19-20.
The Court considered the constitutionality of a number of regulations but called age estimation into particular question. Although the Court found that the state made adequate arguments that its interest in protecting the safety and privacy of children was a substantial government interest, it found age estimation to be a dubious means to further that interest. The Court noted that age estimation may result in companies collecting more information — including, in some cases, sensitive and biometric information — to perform age estimation. This fact not only casts doubt that the age estimation requirement furthers the substantial state interest in protecting safety and privacy but also may actively undermine that interest. For this reason, the Court determined that NetChoice was likely to show at trial that the state’s age estimation requirement would violate the First Amendment.1
The Court further preliminarily ruled:
1. CA AADC’s DPIA reporting requirement did not clearly support the state’s interest in children’s wellbeing because, although it required documentation of risks and mitigations, the statute made no requirement that companies adhere to their mitigation plans.
2. The CA AADC does not make it clear whether default privacy settings should be on accounts created by kids or to all visitors of websites who are likely under 18. The Court found this lack of clarity is likely to cause businesses to restrict access to their sites and services in a “substantially excessive” manner that indicates that the law is not a reasonable fit to furthering the State’s interest. Id. At 25.
3. With respect to the CA AADC’s requirement that companies provide privacy information in a manner that is understandable by and accessible to children, the state’s evidence focused primarily on general consumer understanding of website privacy policies. As a result, the Court determined that the state did not provide adequate evidence showing a likelihood that this requirement will help minors make privacy decisions that promote their safety and wellbeing.
4. The Court ruled that the state did not provide evidence indicating a causal link between the CA AADC’s requirement that businesses enforce all of their publicly-posted terms and the harm to children’s well-being.
5. With respect to using children’s data in a knowingly harmful way, via “dark patterns,” for profiling, or in a manner that is not necessary to provide online services, products, or features, except where these uses are in the best interests of children, the Court indicated that the state failed to provide enough evidence that these restrictions further the state’s interest in promoting children’s safety and wellbeing, that the prohibited conduct are tied to harm, or that—particularly where applicable standards such as “best interests of children” are unclear—the restrictions do not excessively chill protected speech.
In light of these findings, the Court determined that NetChoice would likely be successful at trial in showing a significant number of CA AADC’s provisions unconstitutional. The Court further determined that many of the remaining CA AADC provisions depend on the likely unconstitutional provisions such that these likely unconstitutional provisions cannot be severed from the Act. As a result, the entire CA AADC will be enjoined from coming into effect until NetChoice v. Bonta is resolved.
It is possible, once discovery has concluded and the parties are able to present a more complete set of facts at trial, that the Court will uphold at least some provisions of the CA AADC. California may also amend the legislation in light of this ruling. Nevertheless, CA AADC’s requirements are on shaky constitutional footing in the U.S. Earlier this year two separate Courts also found that online age authentication laws in Arkansas and Texas were unconstitutional. And in 2004, in Ashcroft v. ACLU, the Supreme Court essentially struck down a federal online child safety law the Child Online Protection Act (“COPA”) (not to be confused with COPPA). Professor Eric Goldman has an excellent blog post on this subject.
Despite the likely demise or narrowing of these laws, companies may leverage investments they may have made in CA AADC compliance to support compliance with the UK Age Appropriate Design Code for any operations in the UK and other European Countries.
Charlotte Lunday is a Senior Associate at Hintze Law with expertise in COPPA, FERPA, and online safety.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.