On September 18, 2023, a U.S. District Court judge in the Northern District of California granted a preliminary injunction enjoining California’s attorney general from enforcing California’s California Age-Appropriate Design Code Act (the CAADCA, or AB 2273). California’s governor signed the CAADCA into law a year ago, and it had been set to take effect on July 1, 2024. The law requires businesses, before releasing any online products and services that are “likely to be accessed by children,” to comply with a list of enumerated mandates and prohibitions. This included estimating the ages of child users and configuring privacy settings for them or providing the most protective privacy settings for all users; assessing whether their offerings could harm children under the age of 18; and creating data privacy impact assessments (DPIAs) assessing how their data management practices may increase the risk of harm to children.
In December 2022, NetChoice, a national trade association of online businesses whose members include Big Tech, among others, filed a lawsuit challenging the enforceability of the CAADCA. The lawsuit alleges that the statute is (1) facially unconstitutional for violating the First Amendment and the Dormant Commerce Clause of the U.S. Constitution by regulating activity outside of California; (2) preempted by the federal Children’s Online Privacy Protection Act (COPPA); and (3) preempted by Section 230 of the Communications Decency Act (CDA). In February 2023, NetChoice moved for a preliminary injunction against enforcement of the CAADCA while the case is pending.
On September 18, 2023, U.S. District Judge Beth Labson Freeman entered the preliminary injunction, finding that NetChoice had shown “it is likely to prevail on its claim that enforcement of the CAADCA violates the First Amendment and therefore, could not be lawfully enforced by the State.” While the court did not ultimately determine whether the statute’s compelled speech requirements and speech restrictions were content-based restrictions requiring strict scrutiny review, it found that even under intermediate commercial speech scrutiny, the state could not show that the law’s mandates and prohibitions were not more extensive than necessary to accomplish a substantial government interest. To the contrary, the court found that many of the CAADCA’s provisions were both overbroad and underinclusive. For example, the court found that the requirement to estimate users’ ages was likely to lead businesses to collect more information about young users, such as photos and dates of birth, which was contrary to the statute’s purpose of limiting the amount of personal information businesses collect about young people.
Due to its finding that the statute violated the First Amendment, the court did not rule on whether the statute violates the Dormant Commerce Clause. The court also found that a facial challenge to the statute was “not the appropriate context” to determine whether it conflicted with CDA § 230. Finally, the court declined to find a likelihood of showing that COPPA preempts the CAADCA, because there was no evidence that the law conflicted with COPPA or would stand as an obstacle to its enforcement. In any event, the court found that because COPPA preemption would require a “nuanced analysis,” further inquiry was not necessary in light of the court’s issuance of an injunction on First Amendment grounds.
The state may appeal the injunction, which is likely unless it elects to pursue the case through final judgment or abandon the statute as drafted. In the meantime, the ruling could serve as a road map for challenging other expansive state privacy laws that impose compelled speech obligations, particularly those with DPIA requirements and laws that would impose content moderation obligations based on age estimations.