On August 16, 2024, the U.S. Court of Appeals for the Ninth Circuit issued an opinion partially upholding—and partially vacating—the District Court for the Northern District of California’s preliminary injunction preventing the California Age-Appropriate Design Code Act (CAADCA or the Act) from going into effect. Specifically, the Ninth Circuit upheld the district court’s injunction related to Data Protection Impact Assessment (DPIA) provisions while the district court further considers whether the remaining portions of the law are likely to be severable or unconstitutional on their own. Although the Ninth Circuit’s decision has not yet gone into effect, businesses subject to the CCPA may soon find themselves on the hook for complying with many provisions in the CAADCA.
What is the CAADCA? In 2022, the California legislature passed the CAADCA, which was scheduled to go into effect on July 1, 2024. The CAADCA generally applies to businesses covered by the California Consumer Privacy Act (CCPA) offering online services, products, or features “likely to be accessed by children” under 18 years old (i.e., minors). At a high level, the Act generally prohibits covered businesses from using minors’ personal information in a variety of ways and would require businesses to undertake many affirmative obligations, including conducting onerous DPIAs to identify material risks to minors (e.g., exposure to harmful content, targeting or exploitation by harmful contacts, potential harms from algorithms) and document and mitigate those risks before the online service could be accessed by minors. Businesses would need to provide these DPIAs to the California Attorney General upon written request. A more detailed overview of the Act’s key provisions is available in our prior client alert here.
What was the Ninth Circuit reviewing and how did it rule? Before the CAADCA went into effect, the U.S. District Court for the Northern District of California found that the Act likely facially violates the First Amendment, and that the unconstitutional provisions could not be severed from the remaining provisions. The court then preliminarily enjoined enforcement of the Act in its entirety. On appeal, a unanimous Ninth Circuit panel concluded that the CAADCA’s DPIA requirements “clearly compel[] speech by requiring covered businesses to opine on potential harms to children,” “deputize[] private actors into censoring speech based on its content,” and are likely not “the least restrictive means,” for advancing the state’s interest in protecting children.1 Under the Ninth Circuit’s view, the DPIA requirements are likely to fail a strict scrutiny analysis and are therefore likely unconstitutional. The court also found, however, that the record was not sufficiently developed to determine whether the rest of the CAADCA facially violates the First Amendment on its own and whether the offending portions of the law are severable from the remainder.
The Ninth Circuit therefore upheld the CAADCA injunction with respect to provisions involving DPIA requirements—California Civil Code Sections 1798.99.31(a)(1)-(4) (requirements to conduct DPIAs, create a timed plan for mitigating risks, and produce DPIAs to the California Attorney General), (c) (DPIA process requirements); 1798.99.33 (when DPIAs must be completed); and 1798.99.35(c) (90 days cure period for violations if in compliance with DPIA requirements)—and vacated the rest of the injunction. Unless the parties seek rehearing at the Ninth Circuit or U.S. Supreme Court review (or an extension for either), all of the CAADCA except the DPIA provisions will go into effect in the coming weeks and the case will be returned to the district court for further proceedings. It remains unclear whether the California Attorney General will seek to enforce applicable portions of the CAADCA before the district court has had the opportunity to further evaluate whether a preliminary injunction of any of the provisions that are no longer enjoined is appropriate.
What comes next in the CAADCA challenge? On remand, NetChoice may ask the district court to further evaluate these issues and consider additional arguments that the remaining provisions of the CAADCA are invalid or not severable that the court did not yet address, including challenges based on preemption, the commerce clause, prior restraint, overbreadth, and vagueness. The district court may conclude that more or all of the law should be enjoined while the case is tried. At a minimum, under the Ninth Circuit’s opinion, the DPIA portions of the law will remain enjoined until the case reaches a conclusion.
What does this mean for other state laws with similar requirements?
- DPIA requirements. Although the Ninth Circuit brushed aside concerns that its ruling may jeopardize DPIA requirements in other state privacy laws and regulations, it nonetheless likely opens the door to additional challenges of similar requirements to conduct (and make available to state attorneys general) privacy impact assessments under other state laws and regulations. As the Ninth Circuit explained, DPIA requirements “that compel[] businesses to measure and disclose to the government certain types of risks potentially created by their services might not create a problem.”2 The issue with the CAADCA’s DPIA requirements is that “the risk that businesses must measure and disclose to the government is the risk that children will be exposed to disfavored speech online.”3 This suggests that plaintiffs may succeed in challenging other DPIA requirements, at least where they have a colorable claim that businesses are required to identify disfavored speech, or are deputized to censor disfavored speech. For example, one potential candidate for such a challenge may be the California Privacy Protection Agency’s proposed draft regulations regarding “risk assessment” requirements for CCPA-covered businesses that bear many similarities to the CAADCA’s DPIA requirements.4 Notably, these draft regulations have not yet undergone formal rulemaking and may still be revised, especially in light of the Ninth Circuit’s ruling. Another potential candidate is the Maryland Kids Code, a law modeled on the CAADCA and passed earlier this year that includes similar DPIA requirements. Similarly, many states have passed comprehensive privacy legislation that includes a data protection assessment requirement, which could be called into question under the Ninth Circuit’s reasoning. Although the Ninth Circuit’s ruling would not be binding in challenges of these types of laws depending on the jurisdiction, other courts may find its reasoning persuasive and enjoin similar DPIA requirements as unconstitutional.
- Dark pattern restrictions. In dicta, the Ninth Circuit indicated that dark patterns may not constitute protected speech that would trigger First Amendment scrutiny in all circumstances. The court suggested that even where dark park patterns are likely to impact categories of protected speech (e.g., social media companies’ editorial decisions), these restrictions may be more appropriately scrutinized as content-neutral restrictions than as content-based restrictions. Under this analysis, dark pattern restrictions in the CAADCA and other laws (at least within the Ninth Circuit) would be more likely to withstand facial First Amendment challenges.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will continue to monitor updates related to the CAADCA in order to assist clients with compliance with this and other privacy laws and regulations. For more information, please contact Tracy Shapiro, Eddie Holman, Erin Delaney, or another member of the firm's data, privacy, and cybersecurity practice.
[1]NetChoice, LLC v. Bonta, No. 23-2369, slip op. at 26, 34 (9th Cir. Aug. 16, 2024).
[4]A summary of the California Privacy Protection Agency’s draft regulations is available here and a more detailed analysis is available in our Data Advisor blog post here.
