Reflections on California’s Age-Appropriate Design Code in Advance of Oral Arguments

Co-authored with Isaiah Hinton, Policy Intern for the Youth and Education Team 

Update: On Wednesday, July 17th, the U.S. 9th Circuit Court of Appeals heard oral arguments for an appeal of the District Court’s preliminary injunction of the California Age-Appropriate Design Code Act (AADC). Judges Milan Smith Jr., Mark Bennett, and Anthony Johnstone appeared interested in questions about severability and implications of the recent NetChoice/CCIA v. Moody decision on this case. The panel seemed skeptical of the State’s argument that the California AADC does not regulate content, particularly through the DPIA provisions concerning whether the design of a service could expose children to “harmful, or potentially harmful content” or lead to children “experiencing or being targeted by harmful, or potentially harmful, contacts.” While NetChoice conceded that they did not challenge four provisions, including those regarding geolocation information, NetChoice argued that the entirety of the law must be struck because the DPIA requirements are unconstitutional and interrelated to the rest of the law. However, it was noted that severability is a state issue, while the First Amendment’s constitutionality is a federal question and the idea of certifying the question to the California Supreme Court was raised. 

The California AADC was the first of its kind in the U.S. and marked a significant development in youth privacy policy debates by mandating privacy by design and default for children under 18. Ahead of the oral arguments, this blog post provides an overview of how the California AADC’s enactment and subsequent constitutional challenge continue to impact the regulation of young people’s online experiences in the U.S.

The Enactment 

California lawmakers modeled the AADC after the United Kingdom’s Age-Appropriate Design Code (UK AADC) and aimed to regulate the collection, processing, storage, and transfer of children’s data. The California law’s scope extended beyond the existing framework under the federal Children’s Online Privacy Protection Act (COPPA) by covering more online services and expanding protections to all individuals under 18. The California AADC included provisions from the UK AADC that were novel to U.S. law such as mandating the implementation of age estimation techniques if an online product, service, or feature was “likely to be accessed by children” and configuring default privacy settings to a “high level of privacy.” The California law was intended to address genuine privacy and safety risks faced by young people online and sparked renewed interest in seeking policy solutions, leading to an influx in state laws and enforcement actions. The law’s novel approach also raised concerns about not only the practicality of the law’s provisions but also their constitutionality. 

Read our Analysis of The California Age-Appropriate Design Code and a Comparative Analysis of the California and UK Age-Appropriate Design Codes on our website. 

The Timeline of Events: 

• The California AADC was introduced in the California Assembly as AB 2273 in February 2022, passed the legislature, and was signed by Governor Newsom in September 2022. The law’s intended enforcement date was July 1, 2024. 
• NetChoice, a trade association, filed a complaint in the U.S. District Court on December 14, 2022, alleging that the California AADC is unconstitutional, opening NetChoice v. Bonta. 
• NetChoice filed for a preliminary injunction in February 2023, which District Court Judge Beth Labson Freeman granted in September of that same year. 
• The following month, October 2023, California Attorney General Rob Bonta filed to appeal the preliminary injunction with the U.S. Court of Appeals. 

The Enjoinment 

The United States District Court for the Northern District of California issued a preliminary injunction, preventing enforcement of the California AADC pending a ruling on the case’s merits based on the Court’s view that NetChoice is likely to succeed on its claim that the law violates the First Amendment. In granting the injunction, the Court considered NetChoice’s allegation that most of the California AADC is an unlawful prior restraint on protected speech. The Court was concerned by many of the law’s provisions and assessed concerns with:

• Provisions that required estimating user age; conducting data protection impact assessments (DPIA); configuring high default privacy settings; using age-appropriate language for policies and privacy information; enforcing published terms, policies, and community standards; and restricting the collecting, selling, sharing, and retaining of children’s personal information. 
• Provisions that prohibited using children’s personal information in a knowingly harmful way; profiling children by default; using a child’s personal information for any reason other than for which it was collected; and using “dark patterns” to encourage children to provide excessive personal information or to forgo privacy protections. 

The Court acknowledged that the State has a substantial interest in protecting minors, but found that NetChoice would likely succeed on claims that the law is unconstitutionally vague and that California struggled to satisfy the other aspects of intermediate scrutiny. 

Three Main Takeaways: 

1. The California AADC Highlighted Existing Discussions About How to Protect Youth Privacy and Safety and Has Been Influential in Other States.

Most experts agree that there are concerns about young people’s privacy and safety online, but there are uncertainties about who should address these concerns and how. There is growing interest from policymakers in new regulation that provides privacy and safety protections for minors beyond COPPA’s parental consent framework and for minors over the age of 12. Even in states that did not copy it exactly, concepts from it have appeared in other state laws. This increasingly diverse patchwork of state laws complicates compliance. Some examples of concepts from the California AADC that appear in other state bills include:

• Knowledge Standards: State legislation has gone beyond COPPA’s “directed to children” or “actual knowledge” standard. Recent U.S. laws include novel language such as “likely to be accessed by a child” that may be vague and difficult to interpret. 
• Age Appropriateness: Legislators continue to draft provisions modeled from the AADC that require “age-appropriate” standards, ask businesses to consider the “best interest of the children,” or evaluate whether features may be “harmful” to young people. However, these terms are largely undefined in the U.S. and without additional research and guidance, pose a significant barrier to understanding how to interpret these online protections.
• Age Assurance Technologies: Legislators have proposed the need for using technology to either infer or verify a user’s age before allowing them to use certain services, including in some states social media or adult content. 

You can read more about the knowledge standards of currently enacted laws in our blog and accompanying resource. You can also read about using a risk-based approach that balances privacy and equity in our age assurance infographic and accompanying blog. 

2. The California AADC’s Enactment, and Its Enjoinment, Influenced Subsequent Regulation.

Several states followed California’s lead by introducing copycats or variants of the AADC, and one even became law. The Maryland legislature made an effort to remove the vulnerabilities of California’s AADC when writing their version and also passed a comprehensive privacy law during the same legislative session. See FPF’s blog on the Maryland AADC, our chart comparing it to the California AADC, and our blog on Maryland’s Online Data Privacy Act. 

The District Court’s finding that the California AADC provisions are likely to be unconstitutional may have caused some legislators to hesitate to propose AADC-style bills or to diverge in ways that would address some of the litigation’s concerns. Here are two examples of laws that diverged from the AADC style.

• Connecticut Data Privacy Act (CTDPA) – Read FPF’s blog about the law and our chart comparing it to the California AADC.
• Florida Digital Bill of Rights (SB 262) – Read FPF’s blog about the law and chart comparing it to the California AADC.

Despite these proactive changes by state legislatures, the implications of a final constitutionality ruling are unclear. NetChoice v. Bonta raises questions about the constitutionality of laws with similar provisions. Even laws beyond youth privacy contain provisions like purpose limitations, dark pattern prohibitions, or age assurance requirements. If the District Court’s ruling stands, future legislation will need to be more narrowly tailored to specific harms and aims of the law.

3. The California AADC is now one of Several Youth Privacy and Safety Laws Facing Constitutional Challenges. 

The outcomes of these cases will impact how youth privacy legislation is written, implemented, and enforced. The constitutional challenges to the California AADC address common youth privacy provisions such as data use and minimization, transparency, DPIAs, age assurance, and parental consent. Some of the laws at issue would effectively ban people under the age of 18 from using certain online services, while others could effectively require the age estimation of all users. While youth privacy and safety legislation proliferated in the states following the California AADC, many of those enacted have been constitutionally challenged. See FPF’s Overview of Contested Youth Privacy & Safety Provisions in Pending State Law Litigation. 

Since the UK and California AADCs’ enactments, conversations have been happening around the world on how to best protect youth privacy and safety online through regulation. These efforts, like youth provisions in India’s DPDPA, are not subject to the same First Amendment concerns raised by NetChoice, and these laws are moving forward without facing the same challenges in court. These court decisions could greatly impact how kids and teens use the internet in the U.S. and may lead to a completely different online experience for children in America than those abroad.  

Conclusion

The passing of California’s Age-Appropriate Design Code was a catalyst for conversations in America around protecting kids and teens online. As more states introduce and adopt youth privacy and safety laws, legislators and companies will continue to look to existing regulations for guidance on drafting and complying with new laws. The oral arguments in NetChoice v. Bonta will provide insight into what youth privacy and safety provisions are most constitutionally problematic for legislation and regulation and will help shape future youth privacy and safety policymaking.

Additional FPF Resources 

• For more on recent federal enforcement actions, read FPF’s blog, Top Six Major Privacy Enforcement Trends: A U.S. Legislation Retrospective, and our policy brief, Youth Privacy in Immersive Technologies: Regulatory Guidance, Lessons Learned, and Remaining Uncertainties.
• Read our comments to the National Telecommunications and Information Administration (NTIA) in response to their request for comment on Kids Online Health and Safety. 
• Our report, The State of Play: Is Verifiable Parental Consent Fit for Purpose?, and infographic detail the effectiveness of the verifiable parental consent requirement under COPPA.