Keypoint: A California federal district court granted NetChoice’s motion for preliminary injunction, finding that the California Age-Appropriate Design Code Act likely violates the First Amendment.
On September 18, 2023, the United States District Court for the Northern District of California granted NetChoice’s motion for preliminary injunction, enjoining Rob Bonta, Attorney General of the State of California, from enforcing the California Age-Appropriate Design Code Act (AADC). The ruling comes only weeks after federal district courts in Texas and Arkansas enjoined children’s online laws from going into effect in those states.
In the below post, we provide a brief background on the AADC, analyze the court’s ruling, and provide some context and takeaways on how it could impact privacy laws more generally.
Background on the AADC
Signed into law on September 15, 2022, the AADC applies to for-profit businesses that collect consumers’ personal information and satisfy the requirements of a business as defined in the California Consumer Privacy Act (CCPA). The AADC imposes requirements on businesses that “provide an online service, product, or feature likely to be accessed by children.” The AADC goes beyond the federal Children’s Online Privacy Protection Act, which protects children under the age of 13, and protects children under the age of 18.
The AADC is based on the United Kingdom’s Age-Appropriate Design Code and creates fifteen standards that covered businesses need to follow.
Of relevance to the court’s opinion, the AADC requires businesses to complete a data protection impact assessment (DPIA) before any new online services, products, or features likely to be accessed by children are offered to the public. Among other things, the DPIA must “identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business.” The DPIA also must address “whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.” Businesses must document the risks and “create a timed plan to mitigate or eliminate” them before the online product, service or feature is accessed by children.
Among other provisions, the AADC also requires covered businesses to:
- Estimate the age of child users or apply the privacy and data protections afforded to children to all users.
- Configure all default privacy settings provided to children to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that the different setting is in the best interests of children.
- Provide privacy information and other documents such as terms of service in language suited to the age of children likely to access the product, service, or feature.
- Enforce published terms and other documents.
- Not use children’s personal information in a way that the “business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.”
- Not profile a child unless certain criteria are met.
- Not collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature, unless the business can demonstrate a compelling reason that doing so is in the best interests of children likely to access the product, service or feature.
- Not use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected.
The law was set to go into effect on July 1, 2024.
Lawsuit
On December 14, 2022, NetChoice, LLC – a national trade association of online businesses – filed a suit challenging the AADC as facially unconstitutional. The complaint asserted six claims focused on violations of the U.S. Constitution, California Constitution, and federal preemption. In its claim, NetChoice asserted the AADC violates the First Amendment because it is an unlawful prior restraint on protected speech, is unconstitutionally overbroad, and regulates protected expression.
The district court held an extensive hearing on July 27, 2023. The court opened the hearing by stating “the question is whether this legislation passes muster under the First Amendment.”
Ruling
On September 18, 2023, the court issued a forty-five page opinion, finding that NetChoice had demonstrated a likelihood of success on the First Amendment claim and granting NetChoice’s motion for preliminary injunction. The preliminary injunction takes effect immediately.
The court first found that the AADC’s prohibitions – which restrict businesses from collecting, selling, sharing or retaining any personal information for most purposes – “limit the ‘availability and use’ of information by certain speakers and for certain purposes and thus regulate protected speech.” The court next found that the AADC’s mandates such as its DPIA mandate, requirements to “affirmatively provide information to users,” and age estimation and privacy provisions also regulate speech. The court then applied the First Amendment standard for commercial speech, finding that it need not decide whether to apply a higher standard argued for by NetChoice because the AADC could not even satisfy the lesser standard.
Applying this standard, the court analyzed ten of the AADC’s provisions, holding that all ten of them likely violate the First Amendment. Specifically, the court found unconstitutional the AADC’s provisions on (1) DPIAs, (2) age estimation, (3) high default privacy settings, (4) age-appropriate policy language, (5) internal policy enforcement, (6) knowingly harmful use of children’s data, (7) profiling children by default, (8) restriction on collecting, selling, sharing and retaining children’s data, (9) unauthorized use of children’s personal information, and (10) use of dark patterns. The court also ruled that it could not sever the likely invalid portions of the AADC from the remainder and enjoined the entire statute.
Context and Takeaways
As a starting point, it must be emphasized that the trial court’s ruling will almost certainly be appealed to the Ninth Circuit. Therefore, this decision – while significant – is far from final. In fact, the District Court Judge that issued this opinion was recently reversed by the Ninth Circuit in another privacy-related ruling.
That said, the court’s ruling has (at least) three immediate takeaways.
First, the ruling could create a chilling effect on other states that may want to pass AADC-like legislation when the 2024 state legislative session opens. As we documented this past year, numerous other states considered AADC-copycat bills, perhaps most notably Minnesota, which almost passed such a bill.
Second, the ruling will be analyzed for its potential impact on Connecticut’s children’s privacy law passed this year as part of Senate Bill 3. As we previously analyzed, the Connecticut law is vastly different than the AADC, but it has some conceptual similarities such as conducting DPIAs. Further, a trial court ruling from California on a different law is not be binding on a Connecticut federal court.
Third, the ruling will be analyzed for its potential impact on other types of privacy laws. For example, the court took issue with the AADC’s purpose limitation restriction, which “prohibits a covered business from using a child’s ‘personal information for any reason other than a reason for which that personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children.’” The court reasoned that the State “provides no evidence of a harm to children’s well-being from the use of personal information for multiple purposes.” Although there are important distinctions to be drawn, purpose limitation provisions are found in other privacy laws such as the Colorado Privacy Act.
The court also took issue with the AADC’s dark patterns provision, including the AADC’s prohibition on “the use of dark patterns to encourage children to ‘provide personal information beyond what is reasonably expected to provide that online service, product, or feature.’” The court held that “the State has not shown a harm resulting from the provision of more personal information ‘beyond what is reasonably expected’ for the covered business to provide its online service, product, or feature.” Again, while there are important distinctions to be drawn, the concept of dark patterns is found in numerous other privacy statutes.
Further, the ruling takes issue with the AADC’s DPIA requirement – a concept that is found in many state privacy laws although, again, there are important distinctions such as the scope of the DPIA required by the other laws.
In the end, while there are many unknowns right now, what can be said is that the court’s ruling raises many questions for privacy professionals to consider.