EPIC Urges Ninth Circuit to Rule Kids Privacy Law Doesn’t Violate Constitution
June 18, 2025

Yesterday, EPIC submitted an amicus brief in NetChoice v. Bonta, a case in which tech industry trade group NetChoice is attempting to overturn a kids privacy law, the California Age-Appropriate Design Code (“CAADC”), on First Amendment grounds.
EPIC’s brief urges the Ninth Circuit to reverse the district court’s dangerous ruling that the CAADC’s regulation of websites “likely to be accessed by children” alone makes the law presumptively unconstitutional—a ruling which threatens the validity of many well-established privacy laws, like the Children’s Online Privacy Protection Act (COPPA). EPIC also urged the court to vacate the injunction against the CAADC’s data protection provisions.
This marks EPIC’s fourth amicus brief in the case, which has bounced between the Northern District of California and the Ninth Circuit through multiple appeals and remands.
How the law works: The CAADC’s coverage definition clarifies that only websites likely to be accessed by kids need to develop special, strong privacy protections for young users (or simply protect all users’ privacy to a high degree). The law provides many ways for a website to know whether it is covered, including whether kids are known to constitute a certain percent of the website’s visitors and whether it hosts kids-focused content and advertisements. The law’s data protection provisions prohibit harmful data practices, for instance, collecting more data than what is necessary to provide services to child users.
The lower court’s split decision: The district court struck down the CAADC based on its coverage definition, ruling the law was unconstitutional because it imposed a burden on companies (needing to give kids high privacy protections) based on the content they show (kids-focused content). The court also ruled that the privacy protections were unconstitutionally vague. But the court rejected NetChoice’s argument that the data protection provisions facially violated the First Amendment by interfering with tech companies’ ability to use surveillance-based targeting to show content to kids.
Why the coverage definition does not make the CAADC presumptively unconstitutional: EPIC argues that the district court’s analysis of the coverage definition is legally wrong and would endanger many important data protection laws. Many data protection laws apply to businesses based on the content or information that the business publishes, not to censor any topic or viewpoint, but to appropriately target relevant businesses. For example, the CAADC only requires privacy protections from websites where kids are likely to visit, which isn’t censorship but smart policymaking. If this approach were unconstitutional, it would threaten fundamental and long-standing data protection laws such as the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, and the Video Privacy Protection Act. All of these laws impose requirements on companies based on the type of information they handle. In a separate case, data brokers are trying to get the Third Circuit to rule privacy laws unconstitutional on similar grounds.
Responding to NetChoice’s data protection provision arguments: EPIC also responds to NetChoice’s reliance on the recent Supreme Court case Moody v. NetChoice. In that case, the Supreme Court issued non-binding guidance explaining that social media companies engage in protected expression through “content moderation”—the specific practice of setting values-based community and content guidelines and enforcing those guidelines by removing or downranking violative content. For example, guidelines against hate speech will be enforced by removing or downranking content the company judges to be hate speech.
NetChoice is attempting to stretch Moody’s narrow guidance into a broad rule that any law affecting how companies display content violates the First Amendment. Under their theory, data protection laws would be unconstitutional simply because a company with less data about children might show them slightly different content.
EPIC’s brief emphasizes how limited the Moody decision actually was. The Supreme Court specifically declined to rule that other activities—like surveillance-based algorithms that NetChoice also wants protected—count as expression. The Ninth Circuit should not expand Moody beyond what the Supreme Court actually decided. Going by first principles and precedent, each of the challenged data protection provisions regulates privacy-invasive business practices, not speech.
EPIC regularly advocates for free expression, privacy, online safety, and tech company accountability.
