Future of Privacy Forum’s Post

Get up to speed on the California AADC Litigation with our new blog!

Yesterday, the Ninth Circuit delivered us the latest development in the ongoing saga of the California Age-Appropriate Design Code. The panel AFFIRMED the injunction with respect to data protection impact assessments, holding that NetChoice is likely to succeed in showing that DPIAs in California AADC violate the First Amendment. However, with respect to other parts of the California AADC, the injunction was vacated and remanded to the District Court. Some observations: - Several weeks ago, I sent some analysis to the FPF community about what the NetChoice/CCIA v. Moody decision would mean for this case and how I thought it was particularly important because of the court’s concern about proper facial challenges. Part of why this case is being remanded is precisely because of the facial challenge issue - it’s unclear from the current record whether other challenged provisions of the California AADC facially violate the First Amendment. - I think technically speaking, the California AADC is now partially enforceable? However, given that one of the other key issues is that unclear whether the DPIAs can be severed from the rest of the law, I’m not sure I’d rush out to claim anything is now “in effect.” But this is not legal advice! Just worth pointing out as the AG released a press release yesterday claiming a victory in this case and that might make some folks anxious. - On that note, I’m not going to try and read the tea leaves on if the whole thing ends up being struck down, some is but some goes into effect, etc. But it’s fair to say that DPIAs were a primary piece of the California AADC and one of the more contentious pieces. The other one on my mind would be the requirement to do age estimation, which the Ninth Circuit didn’t get into. - What happens in California is interesting, but I’m more interested in what this means for the bigger picture as kids privacy and online safety has been a huge legislative priority. FWIW, I did a pretty detailed side-by-side between California and Maryland AADC and it was genuinely unclear to me if there was enough different there. Maryland doesn’t use the word “content,” and the Ninth Circuit spends a lot of time talking about how the California DPIAs are really about harmful content. HOWEVER, Maryland talks about exposure to “harmful contacts” or “harmful conduct” - are these in the realm of content regulation? I don’t think that’s been decided yet. - Similar to the above point, I think anyone that’s looked at the California AADC’s DPIA requirements would see that these would’ve been unlike the typical assessments seen in other privacy laws. There was some concern about the future of privacy law after the District Court’s ruling and maybe that’s not totally gone, but I think the Ninth Circuit opinion does a good job explaining the First Amendment concerns about California AADC specifically. You can read the opinion here: https://lnkd.in/eBz6db6W

Citizen: hey there's a weird creepy nerd on my lawn trying to talk to my kids, the state should do something State legislator: fear not, I will chuck this heavy document at the weird creepy nerd to make them leave Weird creepy nerd: ha ha, I dodged the document, that means I get to stay on this lawn State legislator (soon): no that means I figure out how you dodged the first one and throw a better one next time (The Supreme Court, and now the Ninth Circuit, are giving advice to state legislators on how to draft laws that will (1) address hard-to-define but "I know it when I see it" creepy conduct, and (2) hold up in court. Realistically, the child protection laws that companies have to plan for will be those written by legislators who have copies of Moody v. NetChoice and NetChoice v. Bonta to guide them)

NetChoice v Bonta, the California Age Appropriate Design Code case, came down from the Ninth Circuit today. This was IMO a pretty easy on the substance, and pretty hard in needing to apply the Supreme Court's NetChoice v. Moody facial/as applied logic to a big sprawling law. The 9th Circuit did a very good job on both. https://lnkd.in/gqCeVEBV The easy part was about the law's requirement to assess risks that were *defined by the kinds of content* children might see, and then mitigate those risks. Obviously that is a speech regulation. The panel gave the AG lawyer a hard time for trying to pretend otherwise. The fact that this mandate was called a "Data Protection Impact Assessment" and talked about both things at once doesn't change this bottom line. As the court notes (later, in tailoring analysis), lawmakers coulda just made a law about data and not pinned it to speech. And as the court also notes, the fact that this content-based law is unconstitutional tells us zip, zero, nada, zilch, bagel, donut about whether ACTUAL privacy laws are OK. You know, the ones that don't require straight-up speech restrictions. This whole part of the law -- conducting the DPIA, writing it up, mitigating risks of kids seeing proscribed content -- is a content-based restriction. This is not commercial speech, the law gets strict scrutiny, and it fails. As do a handful of related administrative parts. One reason it fails is the reason Jack Balkin and I wrote about in our Moody brief for Francis Fukuyama: BECAUSE EMPOWERING USERS WOULD BE A LESS RESTRICTIVE MEANS. Also maybe enforcing existing laws against bad guys! https://lnkd.in/g9kqHmex hen the court says it cannot facially invalidate some remaining provisions, and those need much closer analysis. Several of these are what I would consider normal privacy laws. No real speech issue. But a few are Big Deals that the 9th was surely happy to dodge. In that "unresolved and actually a big deal" list are (a) the age assurance requirement, which uses carefully wiggly language but is at least (unlike in KOSA) acknowledged to exist. (b) the requirements to publish a whole bunch of info in language understandable by kids of a (presumably often very wide) range of ages, and to enforce platform speech rules in... whatever way the AG thinks they should be enforced, I guess? (c) the "dark patterns" rule, which in the statute looks like a regular old circa 2018 privacy-based use of the term, but which "design expert" amici told the court includes things like infinite scroll? Anyhow the 9th is like we don't know what this even is, we are tired, send it back. (Will continue in comments, just a bit more!)

The Ninth Circuit issued a ruling in NetChoice v. Bonta, partially upholding and partially vacating a preliminary injunction of the California Age-Appropriate Design Code (CAADCA), a law requiring companies that provide online platforms that children under 18 years old are likely to access to, among other things, complete a data protection impact assessment (DPIA); estimate the age of child users with a reasonable level of certainty appropriate to the risks arising from its data practices or apply CAADCA’s data protections to all users; and configure default privacy settings for children to offer a high level of privacy unless the company can demonstrate a compelling reason why a different setting is in the best interest of child users. The court affirmed the District Court's preliminary injunction to block the portions of the law that facially violate the First Amendment, specifically the requirement that businesses conduct a DPIA to opine on and mitigate the risk that children may be exposed to harmful or potentially harmful materials online because it impermissibly and unconstitutionally placed content-based restrictions on children’s online privacy. The court made clear that non-content-based consumer privacy protections do not violate the constitution and vacated the remainder of the District Court’s injunction because it is unclear from the record whether the other challenged provisions of the CAADCA facially violate the First Amendment, and it is too early to determine whether the unconstitutional provisions of the CAADCA were likely severable from its valid remainder.

The 2024 state legislative season buzzed with proposals aimed at bolstering online protections for children and teens. The most popular concept? A 2.0 version of the design-code framework first adopted by California in September 2022. Policymakers made several key changes in an attempt to address the First Amendment vulnerabilities that have plagued the California #AADC. Maryland became the first state to adopt the model when the legislature passed the Maryland AADC on April 6, 2024. FPF’s latest blog post, by Bailey Sanchez and Daniel Hales, analyzes the fundamental changes between the two bills and what we’re keeping an eye on next: https://lnkd.in/efZjw-XZ

What has Maryland learned from California on kids' privacy? The legislature recently passed the Maryland Age-Appropriate Design Code, an evolution of the California AADC that passed in September 2022 and has since become the subject of ongoing litigation. FPF’s latest blog post outlines how the Maryland AADC differs from its predecessor in numerous critical ways, including: ➡ No express age estimation mandate ➡ Defining and upholding the “best interests of children” ➡ Changes to data protection impact assessment (DPIA) obligations ➡ Stricter processing restrictions ➡ No mention of enforcing published terms. Get the full analysis from FPF’s Bailey Sanchez and Daniel Hales here: https://lnkd.in/gEqqVSbU

BREAKING - MAJOR BILL: Senator Rand Paul rises in defense of free speech, warning that the Kids Online Safety Act is a bill designed to block free speech guaranteed by the First Amendment to the US Constitution. He argues that censoring speech based on anxiety will open Pandora's box, leading to unintended and widespread suppression of political, social, and religious speech. WATCH 1- Senator Rand Paul says free speech should be protected under the First Amendment. 2- He says the Kids Online Safety Act will lead to censorship by allowing speech to be regulated based on what causes anxiety. Paul warns that this could result in the regulation of political, social, and religious speech, leading to broader suppression of free speech. The senator describes the bill as opening Pandora's box, with far-reaching and potentially harmful consequences for free speech. NOTE: For those who need to remember what the legislation is all about, The Kids Online Safety Act (KOSA) Focus: Enhances the safety and well-being of minors online by requiring social media platforms and other online services to implement stronger safety measures. For instance, 1- Platforms must provide tools for parents to supervise and control their children’s online activities. 2- Platforms are required to disable addictive features and allow minors to opt out of algorithmic recommendations. 3- Mandates regular independent audits and transparency reports from tech companies. 4- Platforms must mitigate risks associated with harmful content, such as cyberbullying and exploitation. Senator Rand Paul warns that the power will be granted to unelected bureaucrats, also known as regulators, which will open the door to significant censorship of free speech. NOTE: KOSA is an update of COPPA (Children's Online Privacy Protection Act), which was passed in October 1998. But what's the difference between KOSA and COPPA? COPPA focuses on protecting the privacy of children under 13, while KOSA aims to enhance overall online safety and well-being for minors. COPPA emphasizes parental consent and data protection, whereas KOSA focuses on safety features, transparency, and preventing harmful content. COPPA is enforced by the FTC, while KOSA includes broader measures requiring cooperation from various stakeholders, including tech companies and state authorities.

Civil Society Organizations Urge Markup Delay for Privacy Bill, Restoration of Civil Rights Protections https://lnkd.in/es-Zyr9z The Lawyers’ Committee for Civil Rights Under Law, The Leadership Conference on Civil and Human Rights and the American Civil Liberties Union (ACLU), joined by 53 other national organizations, urged House Energy and Commerce Committee leadership to postpone the upcoming markup of the American Privacy Rights Act (APRA) and restore key civil rights protections and algorithmic auditing provisions. Without reversal, the groups urge against APRA moving forward. The advocates stated: “Privacy rights and civil rights are no longer separate concepts — they are inextricably bound together and must be protected. Abuse of our data is no longer limited to targeted advertising or data breaches. Instead, our data are used in decisions about who gets a mortgage, who gets into which schools, and who gets hired — and who does not. All too often, those data-driven decisions come with discriminatory outcomes, which have been compounded as algorithmic technologies and AI have advanced at an unprecedented pace … A privacy bill that does not include civil rights protections will not meaningfully protect us from the most serious abuses of our data.” The authors concluded with a call-to-action for lawmakers on the future of APRA: “The markup should be delayed so that greater stakeholder consultation can occur. If the civil rights provisions are not restored, the bill should not advance.”

Maryland recently enacted the Age-Appropriate Design Code Act, setting new standards for children's online privacy and safety. Learn how this compares to California's law and what it means for businesses in this Perkins Coie LLP blog post. #Privacy #PrivacyLaw #OnlinePrivacy #ChildrensPrivacy