On September 18, 2023, the Northern District of California granted a preliminary injunction in the case of NetChoice v. Bonta (Case No.: 5:22-cv-08861-BLF). 

This has major compliance ramifications. Although the CAADCA is not supposed to take effect until July 1, 2024, California regulators are now prohibited from enforcing the law unless or until the California Northern District Court orders otherwise. Companies should carefully monitor the situation as they prepare for compliance.

Background

As background, the California Age-Appropriate Design Code Act (CAADCA) is a landmark California data privacy law, aimed at regulating online products and services that may pose a risk to children’s wellbeing. At a high level, the CAADCA will apply to certain businesses that offer such online products services, and features which are “likely to be accessed” by a child. Notably, “child” here refers to anyone under the age of 18. The CAADCA sets out a plethora of requirements upon covered businesses, like conducting data protection impact assessments (DPIAs), estimating the age of users, and providing high default privacy settings. Also, the CAADCA prohibits certain conduct, such as employing dark patterns, using data in "harmful" ways, and profiling child users.  

First Amendment Claims

In December 2022, NetChoice (a collective of technology companies) sued to block enactment of the CAADCA, citing First Amendment concerns among its claims. Specifically, NetChoice argued that the CAADCA violated the First Amendment because it is (1) an unlawful prior restraint on protected speech; (2) unconstitutionally overbroad; and (3) regulated protected expression without passing the strict scrutiny test. NetChoice sought preliminary injunctive relief to prevent Rob Bonta, the California Attorney General, from enforcing the Act. 

In its order (Order), the Court focused solely on NetChoice’s First Amendment claims. The threshold question the Court addressed was whether the CAADCA was ‘content-neutral.’ 

As a brief summary of the Order:

• Content-Neutral Determination: In determining whether the CAADCA is ‘content-neutral,’ the Court first examined both the prohibitions and affirmative requirements under the law. In effect, the Court concluded that the Act’s prohibitions on the collection, selling, sharing, and retaining of personal information limits the availability and use of that data for certain speakers and for certain purposes, thereby regulating protected speech. Additionally, in addressing affirmative obligations placed on covered businesses, the Court stated that it is “troubled by the CAADCA’s clear targeting of certain speakers – i.e., a segment of for-profit entities, but not governmental or non-profit entities.”

• Substantial State Interest:  The Court  found that the State of California has a compelling interest in protecting the physical and psychological well-being of minors.

• The “Means-Ends Fit”: The Court also individually evaluated provisions of the CAADCA to determine whether each provision directly advances California’s interest in protecting minors and whether the law is more extensive than necessary to meet that interest. The Court identified and analyzed the following CAADCA requirements separately: (1) conducting DPIA report; (2) estimating age of users; (3) implementing high default privacy settings; (4) using age-appropriate language in policies; (5) internal policy enforcement; (6) prohibiting knowingly harmful use of children’s data; (7) prohibiting profiling children; (8) limiting the collection, sale, sharing, and retention of children’s data; (9) limiting the unauthorized use of children’s data; and (10) prohibiting dark patterns. In sum, the Court noted that for each provision, the State would fail to satisfy its burden to justify each restriction on speech and therefore, NetChoice would be likely to prevail on the merits.

• Declining to Address Merits of Other Claims: Notably, the Order focused entirely on NetChoice’s likelihood of success on its First Amendment claims, rather than its allegations of preemption by federal law and violation of the dormant commerce clause.

Invasiveness of Age Estimations

The Court paid particular interest to the requirement for businesses to estimate the age of its users. The Court noted: “Based on the materials before the Court, the CAADCA’s age estimation provision appears not only unlikely to materially alleviate the harm of insufficient data and privacy protections for children, but actually likely to exacerbate the problem by inducing covered businesses to require consumers, including children, to divulge additional personal information.” (emphasis added). Additionally, the Court cited Professor Goldman’s amicus brief, agreeing that age estimation is, in practice, substantially similar to age verification.

Further, the Court raised concerns about the alternative to age estimation – businesses that do not estimate ages would be instead be required to apply child-appropriate protections to all users. In effect, the CAADCA would mean that adults would access only content which is suitable for children.

Scrutiny of ‘Dark Patterns’

In addition, the Court addressed the prohibition of dark patterns by the CAADCA. The “most concrete potential harm,” the Court found, is the potential monetary harm dark patterns may cause to children. Additionally, the Court recognized that, although there is existing U.S. federal law limiting the practice of making opt-out inconvenient for users, California has not sufficiently shown how a harm in dark patterns causing children to forego privacy protections.

Takeaways 

This Order is definitely a blow to the CAADCA, but should not be interpreted as a reason for companies to stop addressing compliance. The UK has a similar Children’s Code and other states have enacted their own laws. Much will change between now and July 2024. We will continue to monitor the situation and provide updates as applicable.