On September 18, 2023, the U.S. District Court for the Northern District of California granted technology trade association NetChoice, LLC’s request for a Preliminary Injunction in NetChoice LLC v. Bonta, a lawsuit challenging the constitutionality of the California Age-Appropriate Design Code Act (CAADCA), which the California Legislature passed last year. In granting the Preliminary Injunction, the court found that the law’s restrictions on commercial speech likely violate the First Amendment. 

Drawing inspiration from the UK Age-Appropriate Design Code, the CAADCA regulates covered businesses and their practices with respect to the collection, storage, and processing of personal data collected from children under the age of 18. CAADCA requires that the most restrictive default privacy settings be implemented for younger users and that any community standards, terms of service, and privacy settings be freely accessible and enforced. Following the September 18 ruling, the future of the CAADCA is uncertain. At the very least, the CAADCA is unlikely to be enforced on its intended effective date of July 1, 2024, as the injunction remains in place throughout the course of litigation.

The NetChoice, LLC Challenge

The lawsuit began last December when NetChoice, a trade organization representing prominent internet-based companies including Google, Amazon, Meta, and TikTok, filed suit to block the law. NetChoice argued that the CAADCA would harm children and force online business to “over-moderate content;” restricting information available to users of all ages. In NetChoice’s complaint, the organization specifically asserted that the CAADCA: (a) violates the First, Fourth and Fourteenth Amendments, (b) is void for vagueness under the First Amendment and Due Process Clause, (c) violates the dormant Commerce Clause, and (d) is preempted by certain federal laws. The State of California argued that the CAADCA merely regulates the conduct of business practices regarding the collection and use of children’s data, which it described as wholly non-expressive activity not subject to First Amendment considerations. In other words, the State claimed that any objections to the provisions on First Amendment grounds were without merit, as the regulations did not restrict speech. 

In a comprehensive decision, the court concluded that NetChoice demonstrated a likelihood of success on the merits of its First Amendment claim. “The Court [found] that although the stated purpose of the Act—protecting children when they are online—clearly is important, NetChoice has shown that it is likely to succeed on the merits of its argument that the provisions of the CAADCA intended to achieve that purpose do not pass constitutional muster. Specifically, the Court [found] that the CAADCA likely violates the First Amendment.” The court did not consider the merits of NetChoice’s remaining claims concerning dormant commerce clause or preemption objections. Additionally, the court refused to sever any “presumably valid” sections of the statute from the likely-invalid provisions, meaning the granted preliminary injunctive relief will thwart  CAADCA’s enforcement as a whole.

What’s Next? Recommendations for Businesses

It is too early to know whether the CAADCA in its current form will ever be enforced. Even if the State is able to overcome the First Amendment challenges, NetChoice’s remaining claims along with the court’s determination that the act’s provisions are not severable make it unlikely that the CAADCA will be enforced on its effective date of July 1, 2024. However, businesses that are covered by the CAADCA should not abandon strides they have already taken towards compliance, nor should they refrain from being proactive in this space. Proposed laws in other jurisdictions such as Maryland and Minnesota suggest a growing regulatory interest in protecting minors online, and state lawmakers are likely to draw lessons from the NetChoice challenge when crafting future legislation. In the end, being aware of the act’s coverage and requirements is an essential exercise for businesses in order to be prepared in case CAADCA or similar children’s online privacy laws are ultimately passed and enforced. If no action has been taken to date, businesses should still evaluate the extent to which the CAADCA may apply to their services, and begin planning how best to adapt to the new set of regulations.

Taft’s Privacy and Data Security attorneys will continue to monitor this and other developments relating to CAADCA.  For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.

Incoming Taft associate JP Jarecki contributed to the research and writing of this article.