A view from DC: Youth privacy in California rises again, kind of

In what has become an annual springtime tradition, we received a new legal update 12 March to the ongoing saga surrounding the California Age-Appropriate Design Code Act. A panel of judges on the U.S. Court of Appeals for the Ninth Circuit issued another ruling, this time with mixed results.

Like last year, just as the first crocuses began to appear, the fate of the first-ever AADC to be passed in the U.S. changed yet again. Last year I called the district court's full preliminary injunction of the law a checkmate in a game of chess that was only one part of a longer tournament. This latest game ended in a draw.

Since well before the AADC was scheduled to go into effect 1 July 2024, the entire law has been frozen by a lower court's order. Though the appeals court has now ruled that this total block was overbroad, most of the substance of the law remains enjoined.

Reflecting this mixed result, both sides immediately interpreted the court's decision as a win.

In a press release, NetChoice called the decision a "major victory." The trade association pointed to the impact of its efforts on the law as a whole, writing, "Of the six substantive provisions NetChoice challenged, five remain enjoined after today's decision, and the remaining provision is hanging by a thread."

In a rapid-fire blog, the Electronic Privacy Information Center gleefully quoted the court's chastising comments against NetChoice's pursuit of similar legal strategies even after its prior cases have ended up establishing entirely new Supreme Court precedent to approach First Amendment analysis in the social media age. EPIC celebrates those few provisions of the AADC that are now in effect, and concludes, "perhaps, NetChoice will finally get the message that they cannot get away with broad, unsupported, hand wavy constitutional challenges anymore."

Return of the Moody blues

The Ninth Circuit decision again highlights the relevance of the Supreme Court's decision in Moody v. NetChoice, which some have interpreted to have a narrow finding, but certainly has proven to at least have broad impact on the many other legal challenges also brought by NetChoice.

The Moody standard inserts into a facial First Amendment challenge — that is, a challenge to a law before it goes into effect arguing that it violates free speech protections — a new complex initial assessment of whether a legal provision, considered in all its possible applications to various situations, implicates protected speech more than it doesn't. It is as if a court is asked to picture each situation in which the legal provision would be triggered as a pebble in a large pile of pebbles. In the California AADC case, each pebble represents a situation where a business provides an online service "likely to be accessed" by minors.

After sorting all the pebbles into piles, one for speech-impacting situations and one for those that don't implicate free speech protections, the court can make a determination about the facial impact of the law and proceed with the steps of free speech analysis.

In short, NetChoice's ultimate failure to win the court over on a facial challenge to the scoping provision of the law, which would have allowed for the entire law to continue to be enjoined, comes down to a failure to assemble a large enough pile of pebbles. The trade association focuses too much on the pebbles representing social media companies and publishers without demonstrating that those pebbles in fact outweigh all the other possible businesses that the law applies to.

Since many that are not in the business of publishing or spreading content will be implicated by the law, the court is not convinced that there is sufficient evidence that the pile of speech-impacting pebbles is larger.

There is also an air of fatigue in the court's analysis, wishing that we were able to move beyond these drawn-out preliminary injunction proceedings and move to actual First Amendment analysis in practice. To this end, the panel wrote, "If NetChoice's prime concern is the CAADCA's effect on social media companies or publishers, it could have brought an as-applied challenge on behalf of some of its members."

After reviewing this Moody analysis, the appeals panel goes on to review the district court's analysis of the individual challenged provisions of the law, finding that NetChoice met its burden to reach a preliminary injunction on two, including the dark patterns and data use limitations, but did not succeed for the age estimation requirement.

A gutted, but now enforceable, law

Suffice to say, although the vast majority of the California AADC remains enjoined, important aspects of the law are now enforceable, including requirements for companies to estimate user ages, strict limits on how they can collect and share a minor's precise geolocation information, and the requirement to configure default settings to provide a "high level of privacy" for minors.

It is worth underscoring the age range here. Although the legal proceedings consistently refer to covered users as "children," the meaning of this word under the California AADC does not track its colloquial usage. Like many other youth privacy and safety laws, the California law is meant to provide coverage for all minors under age 18. For that reason, I always refer to these users as "minors" rather than "children," to provide a consistent reminder that we are beyond the territory of data privacy in the familiar under-13 context.

At the time the California AADC was passed, its substantive requirements were novel, but now they have been mostly outpaced by other state laws. The age estimation requirement, for example, sounds almost quaint when compared with the many ongoing attempts to impose age assurance requirements on social media companies and others. It is notable, however, that the California AADC has a broad scope of application, so this requirement to "estimate the age of child users with a reasonable level of certainty" may, for now, create a new compliance hurdle for some companies.

Similarly, geolocation restrictions and privacy-by-design requirements have shown up in AADC legislation across a number of other states, including Maryland, which is fully in effect despite ongoing litigation, and Vermont, which goes into effect 1 Jan. 2027. Though the idea of privacy-protective defaults has spread, newer state laws have gone farther by embracing a duty of care to for the best interests of children. 

Still, California's AADC has moved from a red light to a yellow light for privacy compliance teams. Proceed with caution because some of the law's privacy protections for young people are now officially active.

Nevertheless, NetChoice's press release includes the threat of continued legal action, promising to "continue to vociferously make our case that the entire law, which is a Trojan Horse for mass digital censorship in America, is unconstitutional and must be stopped."

Please send feedback, updates and springtime traditions to cobun@iapp.org. 

This article originally appeared in The Daily Dashboard and U.S. Privacy Digest, free weekly IAPP newsletters. Subscriptions to this and other IAPP newsletters can be found here.