NetChoice Challenges Constitutionality of California Age-Appropriate Design Code Act

When the California legislature passed the California Age-Appropriate Design Code Act (CAADCA or Act) AB 2273 in September of this year, it generated considerable controversy. Companies, trade associations, and even some non-governmental organizations questioned whether the law’s broad reach was not just counterproductive and likely to invade consumer privacy, but preempted by federal law and unconstitutional. The legal questions are about to be tested in a court case that could have far-reaching repercussions for online platforms and legislators alike. On December 14, 2022, NetChoice, an umbrella organization of tech companies including Amazon, Google, Meta, TikTok, and Twitter, announced that it had filed a complaint against California Attorney General Bonta, alleging that the CAADCA violates the Constitution and is preempted by federal law, including the Children’s Online Privacy Protection Act (COPPA).

Constitutionality

The CAADCA is designed to protect “children” – meaning all minors – from exposure to online harms. It directs covered businesses to consider “the best interests of the child” when publishing content and to “mitigate” speech that is “harmful or potentially harmful” to children. Businesses are required to create data privacy impact assessment (DPIA) reports prior to publishing any “online service, product, or feature” to the public “likely to be accessed by” any user under the age of 18. 

Acknowledging that “the well-being of children is undisputedly of great importance,” NetChoice nevertheless argues that the CAADCA, while characterized as a privacy bill, is overbroad. According to NetChoice, the Act “regulates far beyond privacy, is not confined to children, and is unnecessary to achieve the Legislature’s purported privacy goals. The Act will run roughshod over the constitutional and statutory rights of online services—and ordinary citizens who use and rely on those services—in a misguided effort to redesign the Internet and restrict speech.” NetChoice asserts that key terms used in the CAADCA, like “best interests of the child,” “likely to be accessed by” a minor, and others are too vague and subjective to pass constitutional muster. Moreover, the requirement that businesses mitigate speech that is “potentially harmful” to children violates its members’ First Amendment rights to publish and edit online content. 

Rather than protect minors, NetChoice says, the CAADCA will harm them by forcing businesses to over-moderate or face potentially punitive fines. Such censorship, the complaint claims, will limit access to information and would be harmful, “particularly for vulnerable youth who rely on the Internet for life-saving information.” Age-verification mandates, in turn, will undermine casual browsing, add to privacy concerns, and remove control from parents and children.

Preemption

NetChoice argues that the CAADCA is preempted by both COPPA and Section 230 of the Communications Decency Act (CDA). COPPA preempts states from imposing child-focused privacy requirements that are inconsistent with it. Under COPPA, online operators are not liable unless their service is directed to children under 13 or they have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. Section 230 of the CDA grants immunity from liability to service providers for publishing third-party content (The scope of Section 230 immunity is subject to a separate legal challenge before the U.S. Supreme Court in Gonzalez v. Google LLC, 21-1333). 

The federal Kids Online Safety Act (KOSA) (S.3663) includes similar vague language of the sort challenged by NetChoice. KOSA applies to “covered platforms” “likely to be accessed” by users 16 or younger and requires them to “act in the best interest” of children using their site and “protect minors from online harms.” This obligation includes a duty to prevent and mitigate heightened risks of harms that may arise from using the platform, using language similar to the CAADCA. On November 28, 2022, 90 non-profit organizations, including the ACLU, GLAAD, and a number of internet advocacy groups, wrote to Congress expressing concern that “KOSA was not only unconstitutional in its broadness but would harm young people by restricting their access to certain online content.” While there was an effort to include KOSA in the omnibus appropriations bill, it was not included. Nevertheless, as Congress and states seek ways to rein in the power of big tech and address concerns about potential exposure of minors to harmful content, the tension between a desire to protect children and teens, privacy considerations, the role of preemption, and consistency with constitutional standards will continue. Ultimately, the outcome of the NetChoice legal challenge will prove highly influential from a legal and policy perspective. 

The CAADCA is due to take effect July 1, 2024.