“More needs to be done to create a safe online space for children to learn, explore, and play.”

This was the unanimous finding of the California legislature in 2022, and, since that time, other stakeholders have agreed. Voters, parents, the President, and legislators have all suggested that something will, and needs to, change to make sure that children can use the internet safely and privately.  But exactly how federal or state laws will evolve to protect children’s privacy remains an unsettled and evolving landscape. As with many areas of privacy regulation, California is likely a leader in how to regulate children’s safety and privacy on the internet, and tracking developments in that state is worthwhile to understand what could happen in other jurisdictions.

This post describes recent developments regarding California’s Age Appropriate Design Code Act (“CAADCA”) and suggests several takeaways: 

  • In the near future, in many jurisdictions, there likely will be increased regulation of children’s information and access to the internet.
  • This regulation is likely to be complex and multifaceted.
  • There will be continued constitutional litigation over what children’s online privacy regulation is permissible.
  • While there is not yet any proposal for legislation containing private rights of action, there likely will be provisions allowing for government enforcement of new legislation and there likely will be significant penalties for businesses that do not comply.

The CAADCA

In September 2022, the California legislature unanimously enacted the CAADCA and attempted to expand protections for children using the internet – and obligations for web entities that collect or use children’s information. Modeled off a UK law (the UK Age Appropriate Design Code), the CAADCA aims to build on protections contained in an existing federal law, the Children’s Online Privacy Protection Act (“COPPA”).  Specifically, it expands the scope of individuals that COPPA protects, the entities that COPPA regulates, and the restrictions and obligations on these entities.

The CAADCA creates a whole new set of protected individuals (individuals between 13 and 18) and a whole new set of regulated entities (businesses likely accessed by children). The CAADCA also creates an extensive series of new restrictions and obligations. Businesses covered by the CAADCA may not, among other things, use personal information of any child in a way that it knows, or has reason to know, is “materially detrimental” to the physical health, mental health, or well-being of a child; profile a child unless certain criteria are met; collect, sell, or share certain personal information of a child; or use “dark patterns” to lead or encourage children to share personal information. The CAADCA also requires a covered business to:

  • Complete “Data Protection Impact Assessments” (surveys to assess and mitigate risks that arise from data management practices).
  • As a default, apply protections applicable to children to all consumers, unless the business can estimate the age of child users with a reasonable degree of certainty
  • Provide notice of privacy settings and notice of any monitoring or tracking; and
  • Provide prominent, accessible, and responsive tools to help children exercise their privacy rights.

While the CAADCA creates no private right of action, it does include significant civil penalties. Any business that violates the CAADCA is subject to an injunction and is liable for civil penalties of not more than $2,500 per affected child or not more than $7,500 per affected child for a willful violation.

District Court Enjoins CAADCA and California Response

In December 2022, a trade association of online businesses, NetChoice, filed suit in the Northern District of California to enjoin the enactment of the CAADCA. Among other things, NetChoice alleged that the CAADCA impermissibly regulated speech in violation of the First Amendment and sought a preliminary injunction preventing the statute from going into effect.

In September 2023, the court issued an order and preliminarily enjoined the CAADCA. In doing so, it noted that the CAADCA regulated expressive conduct and was subject to some level of constitutional scrutiny. The court acknowledged that “protecting the physical and psychological well-being of minors” constituted a compelling state interest. Nevertheless, it found that certain requirements of the CAADCA were not narrowly tailored to the state’s interest. The court found that none of these requirements of the CAADCA would, likely, alleviate or prevent any harm to children. Because the court then found that the requirements of the CAADCA were not severable from the law itself, the court enjoined the CAADCA from going into effect.

The district court opinion does not end the legal battle over the CAADCA, and certainly it does not mean the end of California’s attempt to craft regulations protecting children’s online privacy. California has appealed the district court opinion to the Ninth Circuit, and it is possible that, on appeal, all or portions of the CAADCA could be reinstated.

California has also approached the same issue through legislation. Two bills introduced in the current legislative session would expand child privacy regulations – and purport to compliment the CAADCA. The first, the Children’s Data Privacy Act, would prohibit businesses from collecting, using, sharing, or selling personal data of minors without affirmative authorization. The second, the Social Media Youth Addiction Law, would make it unlawful for the operator of an “addictive social media platform” to provide an “addictive feed” to a user, unless the operator has reasonably determined that the user is not a minor or the operator has obtained verifiable parental consent.

Other States Consider Similar Measures

How the pending legal challenge to the CAADCA and what pending legislation is enacted will, almost certainly, impact other states as well.  In the year after the CAADCA passed, legislatures in seven other states—Connecticut, Maryland, Minnesota, Oregon, New Jersey, New Mexico, and Nevada—all introduced virtually identical measures.  

At the same time as states move forward, Congress has also debated and considered its own online children’s privacy legislation, the Kids Online Safety Act.  This statute would create a “duty of care” for online platforms to protect minors from mental health harms, addiction-like behaviors, bullying, and predatory marketing practices. It would also require platforms to include safeguards on children’s information and would allow independent researchers to have access to data sets to assess harms on children. And, in current form, it would be enforced by the Federal Trade Commission.

These developments suggest a prudent course of action: Any business that offers online products or features that is likely accessed by children under 18 should track pending legislation and litigation and consider a children’s online privacy compliance program, as part of an overall compliance program, to address obligations in privacy law.