On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.
The California Age-Appropriate Design Code
On September 15, 2022, California Governor Gavin Newsom signed the CA AADC into law. The new statute, modeled after the UK’s Age-Appropriate Design Code, applies to businesses that provide an online service, product or feature “likely to be accessed by children” under the age of 18. This threshold is much broader than the federal Children’s Online Privacy Protection Act (“COPPA”), which only applies to operators of websites or online services that either (1) are directed to children under the age of 13 or (2) have actual knowledge they collect personal information from children under the age of 13 online.
The CA AADC also imposes on businesses a variety of new obligations that are not required under COPPA. Among other requirements, the CA AADC obligates businesses to consider and prioritize the “best interests of children” when designing, developing, and providing an online service, product, or feature. The law further requires businesses to adopt privacy-by-design and privacy-by-default features for applicable online services, products or features. Businesses also must complete a Data Protection Impact Assessment (“DPIA”) before offering a new online product, service or feature to the public, and upon written request, provide a copy of the DPIA to the California Attorney General.
The law prohibits businesses from using a child’s personal information (1) for any reason other than the reason for which the information was collected and (2) in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health or well-being of a child. When complying with these obligations, businesses must estimate the age of child users with a reasonable level of certainty or provide the required privacy protections to all consumers, regardless of age. Companies that fail to comply with the CA AADC’s requirements could face injunctions and civil penalties up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation.
The NetChoice Litigation
On December 14, 2022, NetChoice filed suit against the California Attorney General in the District Court for the Northern District of California (the “Court”), alleging that the CA AADC violates the First Amendment and Dormant Commerce Clause and is preempted by both COPPA and Section 230 of the Communications Decency Act (“Section 230”). On February 17, 2023, NetChoice filed a request for a preliminary injunction to block the law from going into effect while the litigation is ongoing. The Court held a preliminary injunction hearing on July 27, 2023. The following month, both NetChoice and the California Attorney General filed supplemental briefs with the Court.
NetChoice argues the CA AADC censors free speech in violation of the First Amendment. According to NetChoice, the CA AADC regulates speech because it restricts the publication of free speech based on whether the speech is “likely to be accessed by children” and potentially harms minors. NetChoice alleges that the law fails both the strict scrutiny and intermediate scrutiny standards for regulation of speech.
Under strict scrutiny, the law must be (1) necessary to advance a “compelling” governmental interest, (2) narrowly tailored to serve that interest, and (3) the least restrictive means available to achieve that interest. Under intermediate scrutiny, the law must advance a substantial or important governmental interest in a narrowly tailored way that suppresses speech no more than necessary. NetChoice argues that the CA AADC fails both tests because (1) the law does not actually achieve its stated purpose—preventing harm to minors; (2) the law is overbroad and ambiguous, and therefore not “narrowly tailored” to prevent harm to minors; and (3) other California and federal laws serve as less restrictive means for preventing harm to minors.
Additionally, NetChoice argues the CA AADC is unconstitutional under the Dormant Commerce Clause because it regulates behavior and activities that take place outside of California. The group further alleges that the law is preempted by both COPPA and Section 230 and therefore violates the Constitution’s Supremacy Clause. In particular, NetChoice suggests that, because COPPA and the CA AADC both regulate how websites handle minor’s data, COPPA preempts the CA AADC. NetChoice argues that the CA AADC also is preempted by Section 230 because Section 230 limits the liability of a website with respect to content published by a third party.
Conclusion
The outcomes of the motion for preliminary injunction and the case itself will have major implications for businesses across the U.S. If the CA AADC goes into effect, it will be the most significant children’s privacy legislation in the U.S. since the passage of COPPA in 1998. The CA AADC also will impose substantial new compliance obligations on companies with an online presence. Until the Court rules on the motion for preliminary injunction, businesses should continue to prepare for the CA AADC to take effect on July 1, 2024.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code