By Hansenard Piou

On March 12th, the 9th Circuit Court of Appeals ruled on parts of the injunction of the California Age-Appropriate Design Code Act (CA AADC). The circuit court overturned the injunction against the definition determining scope of covered businesses and affirmed the injunction against five of the six provisions that NetChoice challenged, sending the age estimation provision back to the district court.  

CA AADC was passed in September 2022 and was slated to go into effect July 1, 2024. The law was modeled after the UK Children’s Code and imposed several privacy-by-design and documentation requirements on for-profit businesses offering services that are “likely to be accessed” by children under 18. For a breakdown of the law’s requirements, please see our 2022 post analyzing the CA AADC and its impacts. 

Litigative History 

Shortly after the law’s passage, the CA AADC has been subject to prolonged litigation. NetChoice, a technology trade organization representing Google, Meta, Airbnb, and other technology companies, filed its initial complaint in 2022, alleging that the CA AADC was unconstitutionally vague and failed strict scrutiny under the First Amendment for compelling protected speech and content. The District Court granted NetChoice’s motion for preliminary injunction in September 2023, enjoining the act in full. (For more information about the decision, see our 2023 post.) 

California appealed to the 9th Circuit Court of Appeals which ruled in August 2024. The court applied the standard from the Supreme Court’s recent ruling in Moody v. NetChoice and remanded to the district court to conduct the proper First Amendment analysis. However, it enjoined the CA AADC’s data protection impact assessment (DPIA) requirement for likely violating the First Amendment, which is still enjoined. 

On remand, NetChoice filed an amended complaint in October 2024, asserting that the Act’s coverage of online businesses “likely to be accessed by children” was content based and failed strict scrutiny. NetChoice then filed a motion for preliminary injunction in November. The District Court granted the motion in March 2025, fully enjoining enforcement of the AADC. California appealed in April 2025, leading to the current decision. 

This appeal focuses on the CA AADC’s coverage definition (1798.99.30(b)(4)(A)–(F)), age estimation requirement (1798.99.31(a)(5)), and data use and dark patterns restrictions (1798.99.31(b)(1)–(4), (7)).  

CA AADC’s Coverage Definition 

The circuit court found that NetChoice was unlikely to succeed in its facial challenge that the law as a whole is content-based regulation targeting speech. The finding hinged on the definition of a key term determining coverage of the law -- “likely to be accessed by children” -- which is defined by a list of separate factors that can indicate whether it would be reasonable to expect a business to be accessed by children and, thus, covered by the CA AADC (“the coverage definition”). Under the Moody standard for a facial challenge, courts must first assess the law’s scope by examining what activities the law regulates and by what actors and then decide whether the number of the law’s applications that violate the First Amendment outweigh the law’s otherwise legitimate applications. 

Disagreeing with the district court and NetChoice, the 9th Circuit found the coverage definition -- “likely to be accessed by children” -- doesn’t speak to the nature of the business or its content. Because coverage by the CA AADC does not require all or even a combination of the definition’s factors and because the factors include age-based factors that don’t consider the content that a business publishes (e.g., looking at demographic user data received by the business), the circuit court held that the coverage definition would not raise the same First Amendment issues in a substantial number of applications of the law. 

While NetChoice focused on possible applications of the CA AADC that may impact covered speech, the circuit court found that it did not meet its burden for a facial challenge to consider whether a substantial proportion of applications would impact protected speech. As a result, the circuit court found the Act as a whole was unlikely to violate the First Amendment. 

Data Use, Dark Patterns, and Age Estimation 

While the 9th Circuit disagreed with the theory that the CA AADC should be fully enjoined due to the unconstitutionality of the coverage definition, the circuit court examined the challenged provisions individually. The circuit court upheld the injunctions against the data use and dark patterns provisions finding that the challenges were likely to succeed, but did not uphold the injunction against age estimation requirement. 

Age Estimation 

The circuit court found that the requirement to “estimate the age of child users with a reasonable level of certainty or apply the privacy and data protections afforded to children to all consumers” was unlikely to facially violate the First Amendment, since the provision “says nothing about restricting content on its face.” 

However, the provision requires the level of certainty to match “the risks that arise from the data management practices of the business.” In previously enjoining the DPIA requirement, the circuit court had found that “data management practices” was statutorily defined to cover the content of the online service, product, or feature. As a result, the circuit court remanded the issue to the district court to apply the Moody standard and consider whether “data management practices” cross-references the factors listed under the DPIA provision (1798.99.31(a)(1)(B)) which trigger First Amendment review. 

Data Use and Dark Patterns 

The circuit court held that the restrictions against use of data that is to children’s “material detriment” and that impacts their “best interests and well-being” were unconstitutionally vague as defined under the CA AADC. The circuit court noted that these terms have no established meaning or proscribed guidance as to what conduct may be “material detriment to the physical health, mental health, or wellbeing of a child.” 

While California argued that “best interest of the child” pulled from family law, the circuit court disagreed that family law’s case-by-case, child-specific standard translates to data privacy, especially when the CA AADC gauges whether data practices are in the best interest of child users as a group. 

The circuit court extended this reasoning to the dark pattern provision. The CA AADC prohibits using dark patterns to encourage children to provide more personal information than reasonably expected, to forgo privacy protections, or “to take any action that the business knows, or has reason to know, is materially detrimental to the child’s physical health, mental health.” Even if “dark pattern” is a defined term under the California Consumer Privacy Act (CCPA), the circuit court found that “has reason to know” and “materially detrimental” were also unconstitutionally vague. 

For these vagueness reasons, the circuit court upheld the injunction against the data use and dark patterns provisions. 

Notice-and-Cure Provision 

The 9th Circuit vacated the district court’s determination that CA AADC’s notice and cure provision is not volitionally severable. It remanded for the district court’s consideration of whether the remaining valid CA AADC provisions could be severed and enforced separately. 

Takeaways 

Even after the remand to the district court and the probable appeal of its result, litigation over the CA AADC will likely continue, as NetChoice may challenge specific elements of the coverage definition and age estimation provisions as enforced against specific covered entities. 

While children and teen online safety laws have shifted to age-verification/estimation and harmful content, NetChoice v. Bonta and the CA AADC have influenced how legislatures draft their children privacy laws for constitutional validity, and NetChoice has alleged that the “best interest of the child” requirements of similar AADC laws are also unconstitutionally vague. As we await the results of such litigation, the 9th Circuit rulings provide some takeaways for businesses.  

Key Takeaways. Although CA AADC’s coverage definition remains intact and the age estimation provisions seems likely to survive, the Act’s other unenjoined provisions currently apply to covered businesses. The requirements include: 

• configuring all default privacy settings for children to a high level of protection, 

• providing privacy tools for children and parents,  

• restricting the default collection of precise geolocation information for children, and 

• signaling to the child any collection of precise geolocation information.  

(Special thanks to Cobun Zweifel-Keegan at IAPP for his helpful graphic)  

Covered businesses should update their privacy programs to comply with these requirements and begin to consider how it may comply with age estimation requirements. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on data protection. Hintze attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy, and data security.