Nothing But NetChoice: Federal Court Blocks Enforcement of California Age-Appropriate Design Code

A federal court in the Northern District of California recently granted a preliminary injunction in NetChoice v. Bonta that enjoins enforcement of the California Age-Appropriate Design Code (“Code”), which would have taken effect on July 1, 2024.

The injunction will be in place during the pendency of the NetChoice action and will therefore limit near-term enforcement risk for entities that would have been subject to the Code. The opinion also concludes that the Code is likely unconstitutional as violating the First Amendment, suggesting the court may eventually issue a final judgment striking down the Code entirely. This post explores the decision, what it means for entities that would be subject to the Code, and its implications for the broader state privacy law landscape.

Tip Off: Background on the Code

As we’ve previously written, the Code would impose extensive obligations on entities that qualify as a “business” under the CCPA and provide an online service, product or feature “likely to be accessed by children” under the age of 18.

The Code would prohibit various processing activities using a child’s personal information by those businesses, including generally prohibiting using a child’s personal information for any reason other than the reason for which the business collected the information. The Code also includes a number of affirmative compliance mandates. It would, for example, impose novel requirements for businesses to configure default privacy settings to provide a “high level” of privacy, to consider and prioritize the “best interests of children” when creating an online service, product, or feature, and to complete DPIAs before offering those services, products, or features and provide those DPIAs to the California Attorney General upon request.

The California Attorney General would have exclusive authority to enforce the Code. Violations would be punishable with monetary penalties up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation.

Full Court Press: NetChoice Litigation Challenges the Code’s Constitutionality

NetChoice, a technology industry trade organization that counts companies like Google, Amazon, Meta, and TikTok as members, filed an action in federal court in California claiming the Code violates the First Amendment. To that end, NetChoice alleged that the Code is an unlawful prior restraint on protected speech, is unconstitutionally overbroad, and regulates protected expression but fails strict scrutiny or any other applicable level of scrutiny. NetChoice also claimed the Code violates the Dormant Commerce Clause and is preempted by both COPPA and Section 230 of the Communications Decency Act. NetChoice then moved for a preliminary injunction enjoining enforcement of the Code pending final disposition of its claims.

Flagrant Foul: Court Holds the Code Is Likely Unconstitutional on First Amendment Grounds

The court granted NetChoice’s motion on First Amendment grounds. To obtain a preliminary injunction, NetChoice had to show it was likely to succeed on the merits, that it would suffer irreparable harm without a preliminary injunction, and that the balance of the equities and public interest support a preliminary injunction.

The court held that NetChoice established a likelihood of success on its argument that the Code unconstitutionally restricts protected speech. The court concluded that the Code’s prohibitions and mandates regulate speech and therefore require First Amendment scrutiny. With respect to the Code’s general prohibitions on the collection, sale, sharing, and retention of children’s personal information, the court stated those prohibitions limit the availability and use of information “by certain speakers and for certain purposes and thus regulate protected speech.” The court reached the same conclusions for the Code’s affirmative obligations as well. For example, the court found the Code’s requirements to create DPIAs and disclose them to the government regulate the distribution of speech and that the notices and disclosures required by the Code also regulate speech by requiring various statements.

Having concluded the Code regulates protected speech, the court then applied intermediate scrutiny to assess the Code’s constitutionality. The court considered applying strict scrutiny, but determined the Code could not survive intermediate scrutiny such that it did not need to determine whether strict scrutiny applied. Under intermediate scrutiny, California had the burden of demonstrating the Code advanced a substantial governmental interest and that the measure was drawn to achieve that interest with respect to speech that is neither misleading nor related to unlawful activity.

The court concluded the Code likely would not survive intermediate scrutiny. The opinion reasoned that although California has a substantial interest in protecting minors’ wellbeing online, the Code is insufficiently tailored to advance that interest. For example, the court held that the Code’s requirements to “[e]nforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children” was not well tailored. California did not show a causal link between compliance with its privacy disclosures and children’s ability to make informed decisions or harm to children’s well-being. The court further concluded that the policy enforcement provision facially regulates policies and terms beyond those related to children or even privacy.

The court reached similar conclusions, based on similar reasoning, for other requirements under the Code, including for the DPIA, age estimation, high default privacy setting, and age-appropriate policy language mandates and for the general restrictions on the collection and use of children’s personal information. Additionally, the order enjoined enforcement of the entire Code because the challenged provisions were too intertwined with the rest of the Code to be severed from the Code’s other provisions.

As for the other preliminary injunction factors, the opinion provided that requiring businesses to prepare to comply with the Code without knowing whether it is valid, and potentially subjecting businesses to enforcement of an invalid law, established a risk of irreparable harm sufficient to support a preliminary injunction. The court also concluded that the prospect of preventing violations of a party’s constitutional rights meant the balance of the equities and public interest factors supported a preliminary injunction.

Game Planning: What the Decision Means for Businesses

The NetChoice decision means that companies racing to prepare for compliance with the Code’s requirements can deprioritize those projects, but those projects should not be set aside entirely.

While the court’s decision is obviously favorable for businesses by preventing near-term enforcement of the Code during the pendency of the NetChoice action, it does not fully resolve the case. As a result, there remains uncertainty as to whether the injunction will be upheld on appeal (news reports indicate the Office of the California Attorney General stated it will “respond in court as appropriate”), whether the Code will be permanently struck down, and when such decisions will occur.

If subsequent decisions reversing the injunction or upholding the Code are rendered after its July 1, 2024 effective date, covered businesses may need to rush to implement compliance measures—especially because the 90-day enforcement cure period is only available for businesses “in substantial compliance” with the Code. Therefore, while businesses that would be covered by the Code do not presently need to prioritize Code compliance initiatives, those businesses should still consider compliance contingency plans to the extent feasible and continue to monitor the NetChoice docket for further developments.

Seeing the Floor: Implications for the State Privacy Law Landscape

The NetChoice decision continues an emerging trend of judicial decisions limiting children’s privacy-related requirements on constitutional grounds. Besides the NetChoice decision, federal district courts in Arkansas and Texas held last month that state laws that would require certain online services to verify users’ ages and to get parental consent to access social media platforms or adult content are likely unconstitutional and granted preliminary injunctions enjoining enforcement of those laws. Collectively, those decisions show that state legislatures have yet to find a children’s privacy statutory model that avoids constitutional issues—notwithstanding policymakers’ focus on children’s privacy and online activities. We may therefore see new models or approaches to children’s privacy regulation.

The reasoning in NetChoice also raises questions about the validity of other state privacy legal requirements. For example, the NetChoice court held that requiring DPIAs and mandating disclosure of the DPIAs to the government regulates speech subject to the First Amendment and that the Code’s DPIA requirements did not survive intermediate scrutiny. Similar arguments could be asserted with respect to DPIA requirements in comprehensive state consumer privacy laws, such as those in Colorado, Connecticut, and Virginia.

NetChoice’s arguments also outline other potential challenges to those laws. Because the court found that the First Amendment argument described above was a sufficient ground for its injunction, the court did not address NetChoice’s other First Amendment and Dormant Commerce Clause arguments. Those arguments, therefore, could provide additional bases to challenge the constitutionality of other state privacy laws or specific provisions of those laws.

Businesses facing enforcement actions under other state privacy laws could thus consider using the NetChoice action as a roadmap to challenge the constitutionality of those laws. While that approach would likely antagonize regulators and may not make sense where there are prospects for a reasonable and fair settlement offer, the possibility of a constitutional challenge could still provide leverage in settlement negotiations and provide businesses facing significant penalties an alternative to negotiated settlement.

* * *

If you would like to discuss the NetChoice decision or its implications for your organization, please reach out to any member of the Wyrick Robbins privacy team.