California Law to Protect Minors’ Online Privacy and Purchasing Is Partially Affirmed
In response to concerns that many social media purveyors are exploiting the online experiences of minors for their own profit, California’s legislature amended its Parent’s Accountability and Child Protection Act in 2022 to require online businesses to better protect children. The new law titled “The California Age-Appropriate Design Code Act” (CAADCA or the Act) was challenged by NetChoice, a national trade association that advocates for “limited government” and believes that the “internet has thrived under light-touch regulation.” NetChoices’ members include Amazon, Google, Meta, Netflix, and X.
The CAADCA, codified as Cal. Civ. Code § 1798.99.30(b) (1), was enacted to promote “robust online privacy protections for children under the age of 18 and ensure that products they are likely to access are “designed in a manner that recognizes the distinct needs of children.”
In response to NetChoice’s challenge to the constitutionality of CAADCA and assertions that the state statute unlawfully preempted Federal law, the United States District Court for the Northern District of California held that the trade association “was likely to succeed in its argument that portions of the Act violated the First Amendment…and were not severable from the valid remainder of the CAADCA.” Presiding District Judge Beth Labson Freeman entered a preliminary injunction that prevented the entire law from going into effect. California Attorney General Rob Bonta appealed to the Ninth Circuit, which affirmed the CAADCA in part and vacated it in part on August 16.
In a press release from his office, Bonta and California Governor Gavin Newsom said, “We’re pleased that the Ninth Circuit reversed the majority of the district court’s injunction, which blocked (the Act) from going into effect. Bonta said, The California Department of Justice remains committed to protecting our kids’ privacy and safety from companies that seek to exploit their online experience for profit.”
The opinion of the unanimous three-justice panel was authored by a panel of the Ninth Circuit Court of Appeals, composed of Circuit Justice Milan D. Smith, and joined by Mark J. Bennett and Anthony D. Johnstone. They said that NetChoice was likely to succeed in showing that the Act’s requirement that businesses “mitigate the risk that children may be exposed to harmful or potentially harmful materials online facially violates the First Amendment.”
Thus they enjoined enforcement of that requirement. However, the panel also vacated the rest of the district court’s preliminary injunction because “it is unclear…whether other challenged portions of the CAADCA facially violate the First Amendment, and it is too early to determine whether the unconstitutional provisions…were severable from its valid remainder.” They remanded the case back to the district court for the Northern District of California to determine what parts of the Act could be severable and become law.
Smith began the opinion with the legislative history of the new law. He said that the State’s legislature enacted the California Consumer Privacy Act in 2018 to give consumers “an effective way to control their personal information.” In 2020, the State’s voters approved a ballot measure that allows the Attorney General to disseminate regulations that require businesses to regularly submit risk assessments to the California Privacy Protection Agency. The AG issued a regulation that requires businesses that serve more than ten million consumers a year to “disclose various metrics… to delete, correct, and know consumers’ personal information,” as well as the number of them who “opt out” of sharing. The CAADCA followed two years later.
A key feature of the 2022 Act was the requirement that online businesses create a Data Protection Impact Assessment (DPIA) report for each online item that is “likely to be accessed by minors” and to assess whether their product design “may expose children to harmful or detrimental content”…prior to offering new products or services. Companies must then explain what they are going to do to eliminate identified risks. In addition, online providers must take other precautions including rules that they estimate the age of child users, implement default settings that maximize privacy, and provide tools for parents or guardians to use to maximize privacy and report concerns. The AG is also authorized to bring civil actions against companies that violate the regulations. However, the Act allows the AG to offer a 90-day “cure period” for businesses before he pursues civil penalties.
The Ninth Circuit then discussed the requirements for preliminary injunctions and concluded that it met the requirements to “consider the scope of the DPIA provision and whether its unconstitutional applications substantially outweigh its constitutional ones.” The opinion determined that the district court correctly concluded that the DPIA report requirement does “regulate the speech of covered businesses and triggers review under the First Amendment,” which requires a strict scrutiny analysis, rather than the easier intermediate scrutiny review needed by commercial speech.
Smith said other solutions that did not violate the First Amendment, such as incentivizing companies to voluntarily offer content filters or blockers, educating children and parents on the importance of these tools, or relying on criminal laws would be better options. Thus the opinion concluded that the district court was correct when it determined the DPIA reports “facially violate the First Amendment.” The Ninth Circuit also faulted DPIA reports because of the “high level of generality of the Act’s wording that “provide(s) little help to businesses” that want to identify which material “may actually harm kids.
The opinion then explains why it is “premature” to discuss issues unrelated to the controversial DPIA report’s First Amendment problems. Smith wrote, “because it is unclear to us whether NetChioce is likely to succeed in its facial challenges” to issues unrelated to the First Amendment,” it is too early to consider as a whole whether the invalid portions of the CAADCA are severable from the valid remainder of the statute.” He continued, “Nevertheless we do have enough information to review the district court’s determination that the DPIA report is “unlikely to be severable from provisions of the law that NetChoice does not challenge on First Amendment grounds.”
He concluded, “Regardless of whether there is a severability clause, courts must also examine whether the invalid portion of a statute is “grammatically, functionally, and volitionally” severable from the valid remainder of the statute.” The opinion said that NetChoice did not show why CAADCA “cannot function without the DPIA report requirement.” He continued, for example, “…it is a much closer question whether the Act’s 90-day cure period can be complied with, even without the DPIA report. However, we cannot discern at this stage of the litigation if elimination of the 90-day cure period affects whether provisions concerning the Attorney General’s civil enforcement of valid sections of the CADCA are volitionally severable.” The answers will hopefully come when the district court takes up the Act’s non-First Amendment violations.
