On September 15, 2022 California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (CAADCA) into law. The CAADCA takes effect July 1, 2024, and brings vast changes to the online compliance landscape with regard to children’s privacy and safety. Some key changes include defining a child as anyone under 18 years of age, requiring data protection impact assessments for online products and services that are “likely to be accessed by children,” and mandating all default privacy settings provided to children be set to a high level of privacy unless the business can demonstrate a compelling reason that a lower setting is in the best interests of children.
NetChoice v. Bonta
In December 2022, NetChoice, a trade association of online businesses including multiple major technology companies, filed suit asserting that the CAADCA is preempted by federal statute and is facially unconstitutional. On September 18, 2023, roughly one year after the CAADCA was signed into law, a federal court granted NetChoice’s request for a preliminary injunction prohibiting the enforcement of the CAADCA on the grounds that it likely violates the First Amendment to the U.S. Constitution because the Act’s “speech restrictions . . . fail strict scrutiny and also would fail a lesser standard of scrutiny” including the “advancing a substantial government interest” level of scrutiny used for commercial speech. In particular, the court granted the preliminary injunction when it found that NetChoice’s suit was likely to succeed for the following reasons:
- Even though the court did not address whether businesses have the right to collect personal information from children under the age of 18, the court found that a law restricting the availability and use of data by some speakers but not others regulates protected speech in violation of the First Amendment.
- The requirement for businesses to conduct a DPIA to evaluate risks to children, provide privacy notices geared towards children, and enforce its content moderation policies is a regulation of the distribution of speech in violation of the First Amendment.
Moreover, the court found that the challenged provisions of the CAADCA, which it found invalid, are not functionally severable from the remainder of the statute, and thus it enjoined enforcement of the entire statute rather than just the invalid portions. Having determined NetChoice was entitled to relief on a First Amendment basis, the court declined to determine whether NetChoice is likely to succeed on the merits of its other claims grounded in the dormant Commerce Clause, Children’s Online Privacy Protection Act (COPPA), and Section 230.
Looking Ahead: Recommendations for Businesses
Only time will tell whether the CAADCA in its current form will ever be enforced. Even if the California Attorney General is ultimately able to overcome NetChoice’s First Amendment arguments, the multiple remaining unaddressed claims in the case, coupled with the court’s finding that many of the act’s provisions are not functionally severable, make enforcement on July 1, 2024, unlikely. However, businesses that are in scope for the CAADCA should not take this as a sign to wholly abandon preparatory compliance efforts.
Domestic and international governments are concerned with children’s online privacy and safety and are likely to continue to attempt to regulate in this space. Moreover, there is a regulatory trend towards increasing online protections for teens (ages 13-17) as well as for young children (below age 13). Domestically, this year we have seen various laws passed aimed at protecting minors on social media platforms. Additionally, Lawmakers in Maryland and Minnesota intend to bring back legislation modeled after the CAADCA. These laws may take the CAADCA challenges into account and be drafted to avoid similar challenges. Internationally, the United Kingdom’s Children’s Code which contains 15 standards that online services need to follow has been in effect for just over two years. Various other countries have laws that protect children online to some degree.
Businesses should recognize that more regulation is likely in the children’s online privacy and safety space. Rather than abandoning CAADCA preparatory compliance efforts, businesses should examine how they can holistically evaluate privacy and safety aspects of their products and services that may be accessed by individuals under 18 years of age. This exercise, guided by the CAADCA, will be helpful groundwork for compliance with future children’s online privacy and safety laws as well as the CAADCA if it ultimately is enforced in its current or a similar revised form.