On August 16, 2024, the U.S. Court of Appeals for the Ninth Circuit issued an opinion partially upholding—and partially vacating—the District Court for the Northern District of California’s preliminary injunction preventing the California Age-Appropriate Design Code Act (CAADCA or the Act) from going into effect. Specifically, the Ninth Circuit upheld the district court’s injunction related to Data Protection Impact Assessment (DPIA) provisions while the district court further considers whether the remaining portions of the law are likely to be severable or unconstitutional on their own. Although the Ninth Circuit’s decision has not yet gone into effect, businesses subject to the CCPA may soon find themselves on the hook for complying with many provisions in the CAADCA.
What is the CAADCA? In 2022, the California legislature passed the CAADCA, which was scheduled to go into effect on July 1, 2024. The CAADCA generally applies to businesses covered by the California Consumer Privacy Act (CCPA) offering online services, products, or features “likely to be accessed by children” under 18 years old (i.e., minors). At a high level, the Act generally prohibits covered businesses from using minors’ personal information in a variety of ways and would require businesses to undertake many affirmative obligations, including conducting onerous DPIAs to identify material risks to minors (e.g., exposure to harmful content, targeting or exploitation by harmful contacts, potential harms from algorithms) and document and mitigate those risks before the online service could be accessed by minors. Businesses would need to provide these DPIAs to the California Attorney General upon written request. A more detailed overview of the Act’s key provisions is available in our prior client alert here.
What was the Ninth Circuit reviewing and how did it rule? Before the CAADCA went into effect, the U.S. District Court for the Northern District of California found that the Act likely facially violates the First Amendment, and that the unconstitutional provisions could not be severed from the remaining provisions. The court then preliminarily enjoined enforcement of the Act in its entirety. On appeal, a unanimous Ninth Circuit panel concluded that the CAADCA’s DPIA requirements “clearly compel[] speech by requiring covered businesses to opine on potential harms to children,” “deputize[] private actors into censoring speech based on its content,” and are likely not “the least restrictive means,” for advancing the state’s interest in protecting children.1 Under the Ninth Circuit’s view, the DPIA requirements are likely to fail a strict scrutiny analysis and are therefore likely unconstitutional. The court also found, however, that the record was not sufficiently developed to determine whether the rest of the CAADCA facially violates the First Amendment on its own and whether the offending portions of the law are severable from the remainder.
The Ninth Circuit therefore upheld the CAADCA injunction with respect to provisions involving DPIA requirements—California Civil Code Sections 1798.99.31(a)(1)-(4) (requirements to conduct DPIAs, create a timed plan for mitigating risks, and produce DPIAs to the California Attorney General), (c) (DPIA process requirements); 1798.99.33 (when DPIAs must be completed); and 1798.99.35(c) (90 days cure period for violations if in compliance with DPIA requirements)—and vacated the rest of the injunction. Unless the parties seek rehearing at the Ninth Circuit or U.S. Supreme Court review (or an extension for either), all of the CAADCA except the DPIA provisions will go into effect in the coming weeks and the case will be returned to the district court for further proceedings. It remains unclear whether the California Attorney General will seek to enforce applicable portions of the CAADCA before the district court has had the opportunity to further evaluate whether a preliminary injunction of any of the provisions that are no longer enjoined is appropriate.
What comes next in the CAADCA challenge? On remand, NetChoice may ask the district court to further evaluate these issues and consider additional arguments that the remaining provisions of the CAADCA are invalid or not severable that the court did not yet address, including challenges based on preemption, the commerce clause, prior restraint, overbreadth, and vagueness. The district court may conclude that more or all of the law should be enjoined while the case is tried. At a minimum, under the Ninth Circuit’s opinion, the DPIA portions of the law will remain enjoined until the case reaches a conclusion.
What does this mean for other state laws with similar requirements?
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will continue to monitor updates related to the CAADCA in order to assist clients with compliance with this and other privacy laws and regulations. For more information, please contact Tracy Shapiro, Eddie Holman, Erin Delaney, or another member of the firm's data, privacy, and cybersecurity practice.
[1]NetChoice, LLC v. Bonta, No. 23-2369, slip op. at 26, 34 (9th Cir. Aug. 16, 2024).
[4]A summary of the California Privacy Protection Agency’s draft regulations is available here and a more detailed analysis is available in our Data Advisor blog post here.