Judge Blocks California’s Age-Appropriate Design Code Act (“CAADCA”)

Ars Technica is reporting that a federal judge has ordered a preliminary injunction stopping California’s attorney general from enforcing California’s Age-Appropriate Design Code Act (“CAADCA”), finding that the “law likely violates the First Amendment.”   According to the Ars Technica‘s reporting, the judge found that “the age estimation and privacy provisions thus appear likely to impede the ‘availability and use’ of information and accordingly to regulate speech,” and “the steps a business would need to take to sufficiently estimate the age of child users would likely prevent both children and adults from accessing certain content.”

If you are unfamiliar with CAADCA, also known as AB-2273, the text of the legislation is linked here:  https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=202120220AB2273&showamends=false.  The key provisions are in Section 1798.99.31, which states as follows:

(a) A business that provides an online service, product, or feature likely to be accessed by children shall take all of the following actions:

(1) (A) Before any new online services, products, or features are offered to the public, complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children. A business shall biennially review all Data Protection Impact Assessments.

(B) The Data Protection Impact Assessment required by this paragraph shall identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. The Data Protection Impact Assessment shall address, to the extent applicable, all of the following:

(i) Whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.

(ii) Whether the design of the online product, service, or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service, or feature.

(iii) Whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature.

(iv) Whether the design of the online product, service, or feature could allow children to be party to or exploited by a harmful, or potentially harmful, contact on the online product, service, or feature.

(v) Whether algorithms used by the online product, service, or feature could harm children.

(vi) Whether targeted advertising systems used by the online product, service, or feature could harm children.

(vii) Whether and how the online product, service, or feature uses system design features to increase, sustain, or extend use of the online product, service, or feature by children, including the automatic playing of media, rewards for time spent, and notifications.

(viii) Whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children.

Ars Technica further opined that fixing the legislation would require California lawmakers to “remove the age estimation provision, and remove the provision requiring platforms to report on design features that could be harmful to kids.”  On the other hand, Ars Technica acknowledged in its reporting that the Judge had expressed her belief that updating the law to fix its problems was likely to make it “obsolete.”

The Silicon Valley Privacy Law Blog will continue to follow this issue as it develops.