U.S. appeals court rules that most of California’s age-appropriate design law may go into effect

NetChoice, LLC, has repeatedly challenged CAADCA on constitutional and federal pre-emption grounds. Since 2022, the case, NetChoice, LLC v. Bonta, No. 25-2366, has been working its way through federal courts. 

The Ninth Circuit has now handed down a ruling that addresses some of the issues, allowing key parts of the law to go into effect, while others remain enjoined pending further litigation at the district court level. 

The following parts of the law have been approved to now go into effect: 

• Age Estimation
  Covered businesses (at a high level, those that provide online services, products or features likely to be accessed by children) must now either estimate the age of users with a reasonable level of certainty appropriate to the risks of their data practices or apply child-level privacy protections to all users. Under California law, “child” means an individual under 18.
• Default Privacy Settings
  All privacy settings for child users must be set to the highest level of privacy by default, unless the covered business can demonstrate a compelling reason that a different setting is in the best interests of children.
• Precise Geolocation Restrictions
  Covered businesses may not collect, sell, or share a child's precise geolocation data by default unless strictly necessary to provide the requested service. If collection does occur, businesses must display an obvious, continuous signal to the child for the entire duration of collection.
• Parental Monitoring Transparency
  If a service allows a parent, guardian, or anyone else to monitor a child's online activity or track their location, the covered business must provide an obvious signal to the child that monitoring is taking place.
• Age-Appropriate Disclosures and Enforcement
  Privacy policies, terms of service, and community standards must be presented in clear, age-appropriate language. 
• Privacy Tools
  Covered businesses must provide prominent, accessible, and responsive tools to help children (and, where applicable, their parents) exercise privacy rights and report concerns.

Several provisions remain enjoined pending further litigation, primarily due to constitutional vagueness concerns. These include: Data Protection Impact Assessment requirements; the prohibition on using a child's data in ways "materially detrimental" to their well-being; the prohibition on profiling that applies as a default position; data minimisation and purpose limitation rules; and the prohibition on using dark patterns (deceptive techniques used to manipulate users’ behaviour) to lead or encourage children to provide personal information.

The judgment is available here.