California’s expansive new children’s online privacy law faces first amendment challenge

The protection of children's online privacy has emerged as one of the most important data privacy issues in the United States. With the existing U.S. framework for protecting children's online privacy widely criticized as weak and outdated, there has been a flurry of legislative activity at both the state and federal levels.

Once again, California has led the way with the passage of the expansive California Age-Appropriate Design Code Act (AADC),^[1] enacted in 2022 and set to go into effect on July 1, 2024. However, a pending federal lawsuit, NetChoice LLC v. Bonta,^[2] seeks to block it, arguing it violates the First Amendment to the U.S. Constitution and is preempted by existing federal laws.  

With a preliminary injunction hearing set for July 27, businesses subject to the AADC are about to find out whether they must move quickly to come into compliance its requirements, which proponents of the law say are necessary to protect children online, but the lawsuit alleges are overbroad, vague, and would effectively censor significant amounts of online speech, including for adults.  

What is the AADC?

The AADC, billed as an expansion of children’s online privacy protections, will have a much wider reach than many realize.  It applies to any business that offers online services, products, or features “likely to be accessed” by California residents under the age of 18, and (i) collects consumers’ personal information and has at least $25 million of annual gross revenue; (ii) buys, sells, shares or receives the personal data of more than 100,000 consumers annually; or (iii) receives 50% or more of its annual revenue from the sale or sharing of personal data.

The AADC goes well beyond the Children’s Online Privacy Protection Act (COPPA). Whereas COPPA only applies to websites or online services “directed to children” or where the business has “actual knowledge” that it is collecting personal information from a child,^[1] the AADC applies whenever online services, products, or features are “likely to be accessed” by a child.^[2]  And whereas COPPA only applies to children under the age of 13, AADC’s definition of a “child” includes any California resident under the age of 18.

The AADC imposes numerous requirements and prohibitions on businesses falling within its scope. Among other requirements, and as NetChoice notes in its motion for a preliminary injunction, the new law requires covered businesses to prepare a Data Protection Impact Assessment (DPIA) for any online features that likely to be accessed by those under 18.  The DPIA must identify features that “could harm” those under 18 by exposing them to “potentially harmful” content, contacts, or communications, permitting them to “witness” any “potentially harmful” conduct, or using “algorithms” or other methods to delivering “targeted” content” and ads that “could harm” them.^[3]  Under the law, all online services, products, or features “likely to be accessed” by a child must “estimate” the age of child users to a “reasonable level of certainty”. Providers are also required to enforce all “published terms, policies, and community standards” – in other words, it eliminates a covered business’ discretion as to whether to enforce its own house rules.  Further, covered businesses are prohibited from using algorithms or “personal information”  unless “necessary to provide an online service, product, or feature with which a [minor] is actively and knowingly engaged,” or the provider demonstrates a “compelling reason” that the use “is in the best interests of children.

Regulated businesses must comply with these requirements, including completed DPIAs, by July 1, 2024. 

Violators face injunctions and civil penalties of up to $7,500 per “affected child,” which may be recovered via a civil suit brought by the California Attorney General. There is currently no private right of action.

For a more detailed discussion of the AADC’s requirements and prohibitions, see our September 7, 2022 alert.

The Netchoice lawsuit

NetChoice, a national trade association of large online businesses, filed its lawsuit on December 14, 2022.  It challenges the law on multiple grounds, including the First Amendment, the dormant Commerce Clause, and preemption by both COPPA and Section 230 of the Communications Decency Act (“Section 230”).  A motion for preliminary injunction is fully briefed, and a hearing on the motion is scheduled for July 27, 2023.  

First Amendment Challenge

NetChoice argues that although billed as a “data protection” regulation to protect minors, the AACD is in fact, an unconstitutional attempt to censor online speech under the guise of privacy through the imposition of vague standards that give California’s Attorney General broad discretion to bring a civil action against a covered business, all in violation of the First Amendment. 

Specifically, NetChoice argues:

1. The law imposes an unconstitutional prior restraint on speech by requiring covered businesses to (1) “mitigate or eliminate” speech that is “harmful, or potentially harmful” to users under 18; (2) eliminating covered businesses’ discretion as to whether to enforce their own moderation policies by requiring them to block or remove content that violates their private house rules; and (3) refrain from offering certain content to minors, and to all users unless age-assurance requirements are met.
2. The law is unconstitutionally overbroad, because it burdens a large amount of lawful speech.
3. The law is unconstitutionally vague because it rests on standards and phrases that are impermissibly vague, and thus fails to provide fair notice of what is prohibited, leading to arbitrary enforcement.
4. The law is a content-based restriction on speech that is subject to the highest level of constitutional scrutiny (so-called “strict” scrutiny).  As NetChoice argues, AACD’s “very premise – that providers must prioritize content that promotes the ‘well-being’ of minors and take other actions to protect minors from ‘harmful’ content – is content-based.”  NetChoice further argues that the law cannot survive strict scrutiny because the state has failed to identify a harm or risk to children that the law is necessary to address, and has thus not shown the law is “necessary to serve a compelling interest.”  Moreover, it argues, the state has failed to show, as it must, that the AACD is the “least restrictive means to achieve its purpose,” including why the already- existing COPPA and the 2018 California Consumer Privacy Act (CCPA), as amended by the 2020 California Privacy Rights Act (CPRA) are inadequate.

In response, the government argues businesses have no right to the personal information of children, and thus the law does not even implicate First Amendment speech rights, let alone violate them. And even if the First Amendment is at issue, the government says, the AACD does not impose a prior restraint because it does not regulate content, mandate government approval before businesses act, or restrict what content businesses make accessible to users.  Moreover, the government says the AACD is a facially neutral law that is not tested under strict scrutiny but only under intermediate time, place and manner scrutiny.  Finally, the government says the law is neither vague nor overbroad, and even if strict scrutiny applies, the law satisfies that standard, because it is sorely needed to protect children from “intrusive, privacy-violating practices all too common on the internet today,” and is “carefully tailored to address[] the most substantial threats to child online privacy.”

Other Grounds for Challenge

NetChoice’s suit also challenges the AADC on several other grounds, including a claim it violates the dormant Commerce Clause by unduly burdening interstate commerce, as well as claims that the AADC is preempted by both COPPA and Section 230 of the Communications Decency Act, the former because the AACD is inconsistent with and imposes liability for conduct that would not violate COPPA, and the latter because Section 230 preempts the AADC’s requirement that providers enforce their rules for third-party speech as well as the AADC’s restrictions for how services may use minors’ information in publishing third-party content.

Conclusion

California is not the only state looking to implement a massive online privacy law.  In addition to the AADC, at least seventeen other states have either passed or proposed legislation to boost privacy protections for children.  As states around the nation strive to regulate the Internet, the First Amendment will be increasingly intertwined with issues of data privacy and online safety.  However, companies with an online presence should not delay in evaluating the AADC’s potential application to them.  As organizations have learned over the course of the last few years with the passage or amendments of complicated privacy laws in the United States and abroad, it is critical to start efforts to adapt and expand existing privacy programs to meet new requirements as early as possible.  While the legal challenges play out, companies should evaluate the AADC’s potential application to them and take measures such as conducting confidential assessments of the legal risks associated with their online services and evaluating appropriate risk mitigation measures.

BCLP’s award-winning Data Privacy and Media & First Amendment Practices work together early and often to provide a seamless approach to advising clients at the intersection of data privacy, First Amendment, and other content issues.

Carlie Tenenbaum contributed to this article.

^[1]  Cal. Civ. Code § 1789.99.28.

^[2]  NetChoice, LLC v. Bonta, N.D. Cal. Case No. 5:22-cv-08861, filed December 14, 2022.

^[3] 15 U.S.C. §§ 6501(1), 6502.

^[4]  The AADC lays out six factors to consider when determining if a service is “likely to be accessed by children”, drawing on the standards in other privacy legislation like COPPA, as well as holistic factors like “design elements known to be of interest to children” and “advertisements marketed to children.” Cal. Civ. Code §1798.99.30(b)(4)(A)-(F).

^[5] Cal. Civil Code § 1798.99.31(a)(2).