Updates

Ninth Circuit Strikes Down Portion of California AADC but Leaves the Rest Intact for Now

August 16, 2024

Today, August 16, 2024, the Ninth Circuit issued an opinion in NetChoice v. Bonta in which it affirmed in part and reversed in part a lower court order that found the California Age Appropriate Design Code (“CAADC”) unconstitutional. EPIC submitted an amicus brief in the case urging the Ninth Circuit to recognize the law as constitutional.

The Ninth Circuit’s opinion found it likely that one part of the CAADC, the Data Protection Impact Assessment (“DPIA”) provision, violates the First Amendment because it directs companies to evaluate how the way they manage children’s data might unnecessarily direct children toward harmful content. But the Court found that the impacts of the other parts of the law were too speculative to be able to conclude whether they violate the First Amendment, so the district court was wrong to find that the provisions violate the First Amendment at this stage of litigation. How the case proceeds in the future will potentially determine whether legislatures will be able to pass privacy and consumer protection laws.

For more background on the case, read EPIC’s analysis in these two blog posts.

The DPIA Provision

CAADC has many moving parts, including the DPIA provision and various design- and privacy-focused provisions. The DPIA provision directed online platform companies to determine whether and how the way they designed their services and managed users’ data could harm children, to file a private report with the state of California about their determinations, and to develop a plan to mitigate the harms they identified. CAADCA enumerated a variety of harms that companies should consider when creating the DPIA, such as whether their product design could match children with adults who meant them harm, whether their design collects more data from children than is necessary, whether it creates addiction-like behaviors in children, or whether it could expose children to harmful content. EPIC had previously published analysis explaining why the DPIA provision should not be found unconstitutional.

The Ninth Circuit focused entirely on the harms that mentioned content or proxies for content, finding that their inclusion meant that none of the DPIA could survive. According to the court, forcing a company to identify whether its platform design could needlessly expose children to harmful content or show them others committing harmful conduct is the same as “deputiz[ing] covered businesses into serving as censors for the State.” Importantly, in footnote 7, the court expressly stated that more narrowly crafted DPIA provisions that did not mention content could possibly survive First Amendment scrutiny. This means that future DPIAs focused on addictive design patterns, privacy violations, and the dangers of matching children with adults could more easily survive First Amendment scrutiny.

It is questionable whether the Ninth Circuit’s analysis of the DPIA provision faithfully followed the instruction the Supreme Court issued recently in the Moody/Paxton cases. In Moody/Paxton, the Supreme Court clarified that for facial challenges such as this one, litigants and courts must identify all of the possible applications of a provision, compare the constitutional applications with unconstitutional ones, and only rule the provision unconstitutional if the unconstitutional applications substantially outweigh the constitutional ones. But the Ninth Circuit’s opinion barely touched on the many clearly constitutional applications of the DPIA provision. Instead, it focused almost exclusively on the situation in which the DPIA provision would, in its interpretation, be enforced to make content-based decisions, and it ruled the entire DPIA provision unconstitutional on those grounds. It did not seem to balance this potentially unconstitutional application against the seven other unquestionably content-neutral ones. This type of questionable decision-making is why more specific, as-applied challenges to statutes are generally favored, and—not coincidentally—why NetChoice has favored broader facial challenges that can invalidate otherwise constitutional provisions.

The Non-DPIA Provisions

Besides the DPIA provision, the CAADC contains other design-based provisions, all of which the lower court had ruled violated the First Amendment. For example, it prohibits covered businesses from using dark patterns that convince or trick children into foregoing privacy protections, it prohibits tracking children’s geolocation, and it requires covered entities to give children high levels of privacy protection by default.

The Ninth Circuit reversed the lower court’s determination that these provisions violated the First Amendment, but it did not go as far as to hold that they were constitutional. Here, the court more faithfully followed Moody/Paxton, ruling that there was not enough evidence to rule that these provisions’ unconstitutional applications—if they exist—substantially outweigh their constitutional ones.

The Court also reserved for future stages of litigation the question of whether the whole law must be struck down because the DPIA is unconstitutional, or whether the constitutional portions may be separated from the DPIA and enforced.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.

Donate