On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.
The California Age-Appropriate Design Code
On September 15, 2022, California Governor Gavin Newsom signed the CA AADC into law. The new statute, modeled after the UK’s Age-Appropriate Design Code, applies to businesses that provide an online service, product or feature “likely to be accessed by children” under the age of 18. This threshold is much broader than the federal Children’s Online Privacy Protection Act (“COPPA”), which only applies to operators of websites or online services that either (1) are directed to children under the age of 13 or (2) have actual knowledge they collect personal information from children under the age of 13 online.
The CA AADC also imposes on businesses a variety of new obligations that are not required under COPPA. Among other requirements, the CA AADC obligates businesses to consider and prioritize the “best interests of children” when designing, developing, and providing an online service, product, or feature. The law further requires businesses to adopt privacy-by-design and privacy-by-default features for applicable online services, products or features. Businesses also must complete a Data Protection Impact Assessment (“DPIA”) before offering a new online product, service or feature to the public, and upon written request, provide a copy of the DPIA to the California Attorney General.
The law prohibits businesses from using a child’s personal information (1) for any reason other than the reason for which the information was collected and (2) in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health or well-being of a child. When complying with these obligations, businesses must estimate the age of child users with a reasonable level of certainty or provide the required privacy protections to all consumers, regardless of age. Companies that fail to comply with the CA AADC’s requirements could face injunctions and civil penalties up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation.
The NetChoice Litigation
On December 14, 2022, NetChoice filed suit against the California Attorney General in the District Court for the Northern District of California (the “Court”), alleging that the CA AADC violates the First Amendment and Dormant Commerce Clause and is preempted by both COPPA and Section 230 of the Communications Decency Act (“Section 230”). On February 17, 2023, NetChoice filed a request for a preliminary injunction to block the law from going into effect while the litigation is ongoing. The Court held a preliminary injunction hearing on July 27, 2023. The following month, both NetChoice and the California Attorney General filed supplemental briefs with the Court.
NetChoice argues the CA AADC censors free speech in violation of the First Amendment. According to NetChoice, the CA AADC regulates speech because it restricts the publication of free speech based on whether the speech is “likely to be accessed by children” and potentially harms minors. NetChoice alleges that the law fails both the strict scrutiny and intermediate scrutiny standards for regulation of speech.
Under strict scrutiny, the law must be (1) necessary to advance a “compelling” governmental interest, (2) narrowly tailored to serve that interest, and (3) the least restrictive means available to achieve that interest. Under intermediate scrutiny, the law must advance a substantial or important governmental interest in a narrowly tailored way that suppresses speech no more than necessary. NetChoice argues that the CA AADC fails both tests because (1) the law does not actually achieve its stated purpose—preventing harm to minors; (2) the law is overbroad and ambiguous, and therefore not “narrowly tailored” to prevent harm to minors; and (3) other California and federal laws serve as less restrictive means for preventing harm to minors.
Additionally, NetChoice argues the CA AADC is unconstitutional under the Dormant Commerce Clause because it regulates behavior and activities that take place outside of California. The group further alleges that the law is preempted by both COPPA and Section 230 and therefore violates the Constitution’s Supremacy Clause. In particular, NetChoice suggests that, because COPPA and the CA AADC both regulate how websites handle minor’s data, COPPA preempts the CA AADC. NetChoice argues that the CA AADC also is preempted by Section 230 because Section 230 limits the liability of a website with respect to content published by a third party.
The outcomes of the motion for preliminary injunction and the case itself will have major implications for businesses across the U.S. If the CA AADC goes into effect, it will be the most significant children’s privacy legislation in the U.S. since the passage of COPPA in 1998. The CA AADC also will impose substantial new compliance obligations on companies with an online presence. Until the Court rules on the motion for preliminary injunction, businesses should continue to prepare for the CA AADC to take effect on July 1, 2024.