California has been active in the kids space. First, the Ninth Circuit’s recently ruled on the California’s Age-Appropriate Design Code Act. Second, the governor has just signed a new law aimed at social media sites.
The Ninth Circuit ruling may cause some confusion about what parts of the law are effective, and what are not. As a reminder, the Act mirrors the UK’s Age Appropriate Design Code. As we have written previously, it was intended to regulate companies that offer online services to children. A temporary injunction delaying the law’s July 1, 2024 effective date was entered last year. The Ninth Circuit has affirmed part of that injunction, but not all of it. What does this mean for businesses who offer online services to children?
What Has Been Enjoined?
Under the law, companies would have been required to conduct data protection impact assessments documenting an eight-factor assessment of potential risk of harm to children for their online services offered to children. The court held that this report “compelled speech” and thus was subject to First Amendment scrutiny. And under that scrutiny, the Ninth Circuit ruled that there could have been a less restrictive way to accomplish protecting children than requiring a DPIA.
What Is Unclear?
The case was remanded to the district court for further ruling. In particular, because the law does not have a severability provision. Meaning that if part of it -here the DPIA provision- cannot be severed from the rest of the law, the remainder of the law, or parts of it, would not similarly be invalid. The Ninth Circuit ruled that the district court will need to assess this, in particular those provisions of the law that grammatically were tied to the DPIA requirement. This included the following requirements in the law:
- That the company estimate children’s age with a level of certainty “appropriate to the risks” from the company’s data management practices.
- That the company configure privacy-by-default unless a different setting “is in the best interests of children.”
- That the company provide information about privacy in language “suited to the age of the children likely to access” the service.
What Was Not Contested?
Not all of the provisions of the law were contested. Those that were not contested included:
- Collecting precise location information only if it is strictly necessary and other restrictions are followed.
- Not engaging in “dark patterns” to encourage children into sharing more information than necessary for the service.
- Using information collected to estimate age for any purpose other than estimating age.
What Else Is Happening With Kids?
Since the decision, Governor Newsom signed a new law aimed at social media sites that are “addictive” to children. The law, “Protecting Our Kids from Social Media Addiction Act” will go into effect January 1, 2027. It will prohibit providing “addictive feeds” to minors. It also gives parents certain rights. These include letting parents decide whether kids see messages chronologically, or based on the sites’ algorithms. Parents will also have the ability to stop kids’ access during the school day and at night. The California law is similar to one in New York, which we wrote about recently and will be effective after AG rulemaking.
Putting it into Practice: As we await further rulings on the Age Appropriate Design Act, companies that offer online services to children should keep in mind the law’s non-DPIA requirements, other similar laws, and the likelihood that the California AG will move forward with the fight to keep the law on the books and to enforce it.