Keypoint: The appellate court ruled that the California Age-Appropriate Design Code Act’s impact assessment provision is unconstitutional and remanded the case back to the trial court to consider the constitutionality of the other challenged provisions.

On August 16, the Ninth Circuit Court of Appeals issued an opinion in NetChoice v. Bonta on the constitutionality of California’s Age-Appropriate Design Code Act (AADC). The appellate court affirmed the district court’s decision in part and vacated it in part. The appellate court affirmed the district court’s ruling that NetChoice was likely to succeed in showing that the AADC’s data protection impact assessment requirement violates the First Amendment. Based on that ruling, the appellate court affirmed the district court’s decision to enjoin enforcement of that requirement. The appellate court vacated the remainder of the district court’s ruling, determining that it is unclear from the record whether the remaining provisions of the AADC challenged by NetChoice violate the First Amendment. The appellate court remanded the case to the district court to consider the constitutionality of those provisions and whether the law’s unconstitutional provisions are severable from the remainder of the law.

In the below article, we provide an overview and analysis of the Ninth Circuit’s ruling.

Background on the AADC

Signed into law on September 15, 2022, the AADC applies to for-profit businesses that collect consumers’ personal information and satisfy the requirements of a business as defined in the California Consumer Privacy Act (CCPA). The AADC imposes requirements on businesses that “provide an online service, product, or feature likely to be accessed by children.” Under the AADC, a child is any individual under the age of 18. 

As is relevant to the Ninth Circuit’s opinion, the AADC creates two sets of requirements. First, the AADC requires businesses to complete a data protection impact assessment (DPIA) before a business offers to the public any new online services, products, or features likely to be accessed by children. The DPIA must “identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business.” The DPIA also must address, to the extent applicable, eight factors, including “whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.” Businesses must document the risks and “create a timed plan to mitigate or eliminate” the risks before the online product, service or feature is accessed by children.

Second, the AADC contains a list of prescriptive requirements in sections 1798.99.31(a)(5)-(10) and (b). Specifically, sections (a)(5)-(10) require businesses to:

• Estimate the age of child users or apply the privacy and data protections afforded to children to all users.
• Configure all default privacy settings provided to children to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that the different setting is in the best interests of children.
• Provide privacy information and other documents such as terms of service in language suited to the age of children likely to access the product, service, or feature.
• Provide an “obvious signal” to a child if they are being monitored or tracked by a parent, guardian or any other consumer.
• Enforce published terms and other documents.
• Provide prominent tools to allow children or, if applicable, their parents or guardians, to exercise their private rights.

Section (b) then provides that businesses cannot:

• Use children’s personal information in a way that the “business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.”
• Profile a child unless certain criteria are met.
• Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature, unless the business can demonstrate a compelling reason that doing so is in the best interests of children likely to access the product, service or feature.
• Collect, sell, or share a child’s precise geolocation information by default unless strictly necessary to provide the requested service.
• Use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected.
• Use personal information collected to estimate age or age range for any other purpose or retain that personal information for longer than necessary to estimate age.

Lawsuit

The AADC was set to go into effect on July 1, 2024. On December 14, 2022, NetChoice, LLC – a national trade association of online businesses – filed a suit challenging the AADC as facially unconstitutional. The complaint asserted six claims focused on violations of the U.S. Constitution, California Constitution, and federal preemption. In its First Amendment claim, NetChoice asserted, in part, that the AADC violates the First Amendment because it is an unlawful prior restraint on protected speech, is unconstitutionally overbroad, and regulates protected expression.

District Court Decision

On September 18, 2023, the United States District Court for the Northern District of California granted NetChoice’s motion for preliminary injunction, enjoining Rob Bonta, Attorney General of the State of California, from enforcing the AADC. In its forty-five page decision, the district court found that the provisions of the AADC NetChoice challenged likely violated the First Amendment and the remaining provisions that NetChoice did not challenge were not severable. Specifically, NetChoice did not challenge sections 1798.99.31(a)(8) and (10), which require businesses to provide an obvious signal when children are being tracked and to provide prominent tools to exercise privacy rights. NetChoice also did not challenge sections 1798.99.31(b)(5), (6), and (8), which concern the processing of precise geolocation information and not using any personal information collected to estimate age or age range for any other purpose. Notably, the district court only considered NetChoice’s facial claims brought under the First Amendment. It declined to consider NetChoice’s other arguments. For more background on the district court’s decision, see our article available here.

Ninth Circuit Ruling

Turning first to the AADC’s DPIA requirement, the Ninth Circuit reasoned that the “DPIA requirement undoubtedly regulates protected speech, thereby implicating the First Amendment.” The appellate court found that “the DPIA report requirement clearly compels speech by requiring covered businesses to opine on potential harm to children.” The appellate court also rejected the Attorney General’s argument that the AADC “only requires a company to mitigate risks from its data management practices” and not content. The appellate court reviewed the DPIA requirements and found that those “factors require consideration of content or proxies for content.” According to the court: 

For instance, the CAADCA expressly requires a covered business to assess “[w]hether the design of the online product . . . could . . . expos[e] children to harmful, or potentially harmful, content on the online product”; “[w]hether the design . . . could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts”; and “[w]hether the design . . . could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct.”

Applying a strict scrutiny standard, the appellate court concluded that the DPIA requirement violates the First Amendment and that “the State could have easily employed less restrictive means to accomplish its protective goals.” In a footnote, the appellate court was careful to distinguish content regulation from data management regulation, stating that it did not “reach whether a more limited DPIA report requirement for businesses to consider whether a product ‘uses system design features to increase, sustain, or extend use of’ a product by children . . . or whether a product ‘collects or processes sensitive personal information of children,’ . . . would survive First Amendment scrutiny.”

Turning to NetChoice’s challenge of the non-DPIA provisions, the appellate court concluded that it was “less certain” that NetChoice was likely to succeed on its facial challenges of those provisions. The court reasoned that “most of those provisions, by their plain language, do not necessarily impact protected speech in all or even most applications.” In particular, the court analyzed the AADC’s prohibition against using dark patterns and concluded that it was unclear whether a dark pattern itself constitutes protected speech. 

The appellate court also analyzed the AADC’s requirement that businesses “[p]rovide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.” The appellate court found that although that provision “compels speech and triggers First Amendment scrutiny . . . [i]n many circumstances, all or most of the speech compelled by this provision is likely to be purely factual and non-controversial.”

Ultimately, the appellate court found that the district court’s failure to properly consider the facial nature of NetChoice’s challenge to the non-DPIA provisions made it “practically impossible for [the court] to determine on appeal whether these provisions are likely to facially violate the First Amendment.” The appellate court also held that because it could not properly review those provisions, it could not reach the issue of whether the law’s unconstitutional provisions were severable from the law’s constitutional provisions.

In conclusion, the appellate court affirmed the district court’s preliminary injunction of the AADC’s DPIA provisions and vacated the remainder of the preliminary injunction, remanding the case to the district court for further proceedings.

Takeaways

The primary takeaway from the Ninth Circuit’s decision is that the AADC’s DPIA provisions are unconstitutional but it remains to be seen whether some of the AADC’s other provisions are unconstitutional and whether the unconstitutional provisions can be severed. For privacy professionals, the Ninth Circuit’s ruling also is crucial because, in a number of instances, the court recognized the distinction between unconstitutional content regulation and constitutional privacy regulation. In other words, while a privacy policy requirement focused only on data management practices implicates speech, such speech can be purely factual and non-controversial and therefore survive a First Amendment challenge. Nonetheless, for the AADC, it still remains to be seen where the line will be drawn with some of its provisions and, ultimately, whether the law can survive a severability analysis. 

The Ninth Circuit’s ruling also could impact whether (and how) businesses challenge other children’s focused laws such as the Maryland Age-Appropriate Design Code Act and the children’s data privacy laws enacted in Connecticut and Colorado. For example, the Maryland AADC bill drafters attempted to avoid the same content regulation issues that plague the California AADC. However, the Maryland AADC requires covered entities to prepare a DPIA that assesses four factors, including “whether the data management or processing of the online product could permit children to participate in or be subject to conduct that would result in . . . reasonably foreseeable and extreme psychological or emotional harm to children.” Business advocates may argue that such a requirement is content regulation.

Finally, since portions of the AADC are no longer enjoined and the law went into effect in July 2024, businesses will need to consider what to do with the provisions that are still under review by the district court. 

[View source.]