Businesses Should Continue Preparatory Compliance Efforts Despite Injunction Against California Kid’s Online Privacy and Safety Law (CAADCA)

On September 15, 2022 California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (CAADCA) into law. The CAADCA takes effect July 1, 2024, and brings vast changes to the online compliance landscape with regard to children's privacy and safety. Some key changes include defining a child as anyone under 18 years of age, requiring data protection impact assessments for online products and services that are "likely to be accessed by children," and mandating all default privacy settings provided to children be set to a high level of privacy unless the business can demonstrate a compelling reason that a lower setting is in the best interests of children.

NetChoice v. Bonta

In December 2022, NetChoice, a trade association of online businesses including multiple major technology companies, filed suit asserting that the CAADCA is preempted by federal statute and is facially unconstitutional. On September 18, 2023, roughly one year after the CAADCA was signed into law, a federal court granted NetChoice's request for a preliminary injunction prohibiting the enforcement of the CAADCA on the grounds that it likely violates the First Amendment to the U.S. Constitution because the Act’s “speech restrictions . . . fail strict scrutiny and also would fail a lesser standard of scrutiny” including the “advancing a substantial government interest” level of scrutiny used for commercial speech. In particular, the court granted the preliminary injunction when it found that NetChoice’s suit was likely to succeed for the following reasons:

Even though the court did not address whether businesses have the right to collect personal information from children under the age of 18, the court found that a law restricting the availability and use of data by some speakers but not others regulates protected speech in violation of the First Amendment.
The requirement for businesses to conduct a DPIA to evaluate risks to children, provide privacy notices geared towards children, and enforce its content moderation policies is a regulation of the distribution of speech in violation of the First Amendment.

Moreover, the court found that the challenged provisions of the CAADCA, which it found invalid, are not functionally severable from the remainder of the statute, and thus it enjoined enforcement of the entire statute rather than just the invalid portions. Having determined NetChoice was entitled to relief on a First Amendment basis, the court declined to determine whether NetChoice is likely to succeed on the merits of its other claims grounded in the dormant Commerce Clause, Children’s Online Privacy Protection Act (COPPA), and Section 230.

Looking Ahead: Recommendations for Businesses

Only time will tell whether the CAADCA in its current form will ever be enforced. Even if the California Attorney General is ultimately able to overcome NetChoice's First Amendment arguments, the multiple remaining unaddressed claims in the case, coupled with the court’s finding that many of the act’s provisions are not functionally severable, make enforcement on July 1, 2024, unlikely. However, businesses that are in scope for the CAADCA should not take this as a sign to wholly abandon preparatory compliance efforts.

Domestic and international governments are concerned with children's online privacy and safety and are likely to continue to attempt to regulate in this space. Moreover, there is a regulatory trend towards increasing online protections for teens (ages 13-17) as well as for young children (below age 13). Domestically, this year we have seen various laws passed aimed at protecting minors on social media platforms. Additionally, Lawmakers in Maryland and Minnesota intend to bring back legislation modeled after the CAADCA. These laws may take the CAADCA challenges into account and be drafted to avoid similar challenges. Internationally, the United Kingdom's Children's Code which contains 15 standards that online services need to follow has been in effect for just over two years. Various other countries have laws that protect children online to some degree.

Businesses should recognize that more regulation is likely in the children’s online privacy and safety space. Rather than abandoning CAADCA preparatory compliance efforts, businesses should examine how they can holistically evaluate privacy and safety aspects of their products and services that may be accessed by individuals under 18 years of age. This exercise, guided by the CAADCA, will be helpful groundwork for compliance with future children's online privacy and safety laws as well as the CAADCA if it ultimately is enforced in its current or a similar revised form.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.