In 2022, California enacted the Age-Appropriate Design Code Act (CAADCA), a comprehensive statute aimed at protecting the online privacy and safety of children under eighteen. The law imposes affirmative obligations on online businesses likely to be accessed by children, requiring them to conduct Data Protection Impact Assessments (DPIAs) that identify risks of material detriment to children, including exposure to harmful content, and to create plans to mitigate those risks. The law also mandates specific privacy settings, age estimation protocols, and prohibitions on using 'dark patterns' to manipulate children. NetChoice, a trade association representing major internet companies including Amazon, Google, and Meta, sued to block the law, arguing it violated the First Amendment by compelling speech and regulating content moderation. The district court granted a preliminary injunction, enjoining the entire law on the grounds that the DPIA requirement was unconstitutional and that the unconstitutional provisions could not be severed from the rest of the statute. The State appealed, challenging the scope of the injunction and the legal analysis regarding facial challenges.
The Ninth Circuit, in an opinion by Judge Milan D. Smith, Jr., began by analyzing the DPIA report requirement, which compels businesses to assess and report on risks that children may be exposed to harmful or potentially harmful content. The court rejected the State's argument that this was merely incidental regulation of conduct, holding instead that it compels protected speech. The court emphasized that the law deputizes private businesses to act as censors for the state by forcing them to opine on what constitutes 'harmful' content and to mitigate it. Because the speech compelled involves subjective opinions on controversial issues of public concern rather than purely factual commercial data, the court determined that strict scrutiny applies, not the lower standard for commercial speech. Under strict scrutiny, the court found the State unlikely to succeed because the requirement is not the least restrictive means of protecting children; the State could achieve its goals through less restrictive methods like voluntary filters or education. Consequently, the court affirmed the injunction against the DPIA mandate and provisions that are grammatically inseparable from it, such as those requiring the disclosure of DPIA reports to the Attorney General. However, the court vacated the injunction regarding the remaining provisions of the CAADCA. The panel reasoned that the district court erred by not properly applying the rigorous standard for facial challenges established in Supreme Court cases like *Moody v. NetChoice*. The district court had focused too heavily on as-applied challenges to social media companies without determining if the law's unconstitutional applications substantially outweigh its constitutional ones across all covered businesses. Furthermore, the court found it too early to determine if the unconstitutional DPIA provisions are functionally severable from the rest of the statute, as the record was insufficient to assess whether the remaining provisions could operate independently.
The decision partially blocks the CAADCA, immediately preventing California from enforcing the requirement that businesses create DPIAs assessing risks of children viewing harmful content. However, the law remains in effect for other provisions, such as those regarding default privacy settings and prohibitions on dark patterns, pending further proceedings. The case is remanded to the district court to determine if the invalid DPIA provisions are severable from the valid remainder of the statute and to conduct a proper facial challenge analysis for the remaining sections. This creates a period of uncertainty for online businesses, which must now navigate which parts of the law are enforceable while the lower court resolves the severability and constitutionality of the unchallenged sections.
Podcast (federal-narrative-summaries): Play in new window | Download
