October 1, 2024
By Lynn Parker Dupree; Laura E. Brashear
The California Age-Appropriate Design Code Act (CA AADC) was passed in September 2022, with the stated aim of prioritizing the privacy, safety, and well-being of children online.[1] In particular, the law seeks to protect online consumers under the age of 18.[2] Under the CA AADC, businesses that provide online services, products, or features that are “likely to be accessed by children” must comply with certain requirements.[3] These requirements apply to any for-profit California business that collects consumers’ personal information and satisfies certain other thresholds related to revenue or size.[4]
While the CA AADC is the first law of its kind in the U.S., it was derived from the United Kingdom’s Age-Appropriate Design Code (UK AADC), which has been in effect since 2020.[5] At the heart of the UK AADC is the concept that the “best interest of the child” should be prioritized when designing online services and products that are likely to be accessed by children.[6] This standard maps back to the General Data Protection Regulation (GDPR), which recognizes that children “merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”[7]
Similar to the UK AADC, the CA AADC requires businesses to consider the best interests of children when designing, developing, and providing any online product or service that is likely to be accessed by children.[8] The CA AADC enumerates several mandates and prohibitions that a business must adhere to when developing and providing these online services.
Under the CA AADC, a business must:
Under the CA AADC, businesses are prohibited from:
Before it became effective on July 1, 2024, the CA AADC was challenged in federal district court by NetChoice, LLC, a national trade association of online businesses.[24] NetChoice moved for preliminary injunction on the grounds that the CA AADC violates the First Amendment.[25] On September 18, 2023, the U.S. District Court for the Northern District of California found that NetChoice was likely to succeed on its claim and granted the motion for preliminary injunction enjoining the Attorney General of California from enforcing the CA AADC.[26]
In its order, the Court expressed concerns with several of the mandates and prohibitions in the CA AADC. For example, the Court noted that the DPIA mandate does not require businesses to assess the potential harm of product designs, but instead focuses on the risks associated with the business’s data management practices.[27] Moreover, while the CA AADC requires businesses to create a timed plan to mitigate or eliminate risks, there is no requirement to actually mitigate the identified risks.[28]
The Court was also “concerned with the potentially vast chilling effect” of the age estimation provision.[29] The CA AADC’s mandate to estimate the age of the user requires consumers, including children, to provide more personal information thereby “exacerbat[ing] the problem.”[30] The alternative, if the business does not estimate age, requires the business to apply the same privacy protections for children to all users, essentially restricting the adult population to viewing only content fit for children.[31]
The preliminary injunction was appealed to the Court of Appeals for the Ninth Circuit.[32] On August 16, 2024, the Ninth Circuit affirmed the district court’s decision enjoining enforcement of the provisions of the CA AADC relating to the DPIA report requirements, finding they violated the First Amendment.[33] However, the Ninth Circuit vacated and remanded the district court’s decision regarding the other provisions of the CA AADC.[34]
Given the ongoing challenge to the CA AADC, it is uncertain whether age-appropriate design codes will gain traction in other states. For example, in March 2024, the Vermont General Assembly passed its own AADC.[35] However, the bill was subsequently vetoed by Governor Phil Scott, who in a letter to the General Assembly cited the California litigation, stating: “We should await the decision in that case to craft a bill that addresses known legal pitfalls before charging ahead with policy likely to trigger high risk and expensive lawsuits.”[36] Instead of pursuing AADC-type legislation, both Colorado and Virginia passed amendments to their comprehensive privacy laws to add online privacy protections aimed at children.[37]
Maryland, on the other hand, unanimously passed its own Age-Appropriate Design Code Act (MD AADC), which is slated to go into effect on October 1, 2024.[38] The MD AADC incorporated several key changes that addressed some of the concerns expressed by the district court in NetChoice v. Bonta. Unlike the CA AADC, the MD AADC expressly defines “best interests of children,”[39] and while the CA AADC required businesses to estimate the age of child users, the MD AADC does not include any such age estimation requirement. The MD AADC still includes the requirement to prepare a DPIA for any “online product reasonably likely to be accessed by children.”[40] However, the MD AADC has the added provision that the DPIA must include a description of the steps the business “has taken and will take to comply with the duty to act in a manner consistent with the best interests of children.”[41]
Given the recent decision by the Ninth Circuit, it is unclear which provisions of the CA AADC will ultimately go into effect. It is also possible that the MD AADC will face similar constitutional challenges before taking effect in October. Regardless, recent federal enforcement actions have shown that children’s online privacy will continue to be an area of focus.[42] Given that, it would be prudent for businesses to consider children’s online privacy as early as possible in the development of any online product or service. Incorporating AADC requirements that are not being contested into the front-end design of the product or service is more efficient than making changes at the end of a product’s development. An effective development process also includes training employees so they can actively incorporate them as they make design decisions. Finally, it is important to craft all privacy policies, including how to exercise privacy rights, in easy, clear, and age-appropriate
[1] See Cal. Civ. Code § 1798.99.29.
[2] Id. § 1798.99.30(b)(1).
[3] See id. §§ 1798.99.31(a)–(b).
[4] See id. §§ 1798.99.30, 1798.140(d).
[5] See Info. Comm’rs Off., Age appropriate design: a code of practice for online services 5 (Oct. 17, 2022), https://ico.org.uk/media/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf.
[6] See id. at 23–26.
[7] GDPR Recital 38.
[8] Cal. Civ. Code § 1798.99.29.
[9] Id. § 1798.99.31(a)(1).
[10] Id. § 1798.99.31(a)(2).
[11] Id. §§ 1798.99.31(a)(3)–(4).
[12] Id. § 1798.99.31(a)(5).
[13] Id. § 1798.99.31(a)(6).
[14] Id. §§ 1798.99.31(a)(7), (9).
[15] Id. § 1798.99.31(a)(8).
[16] Id. § 1798.99.31(a)(10).
[17] Id. § 1798.99.31(b)(1).
[18] Id. § 1798.99.31(b)(2).
[19] Id. § 1798.99.31(b)(3).
[20] Id. § 1798.99.31(b)(4).
[21] Id. §§ 1798.99.31(b)(5)–(6).
[22] Id. § 1798.99.31(b)(7).
[23] Id. § 1798.99.31(b)(8).
[24] See NetChoice, LLC v. Bonta, 692 F. Supp. 3d 924, 936 (N.D. Cal. Sept. 18, 2023).
[25] Id. The CA AADC was also challenged on the grounds that it violates the dormant Commerce Clause and is preempted by both the Children’s Online Privacy Protection Act (COPPA) and Section 230 of the Communications Decency Act.
[26] Id. at 937, 959, 966.
[27] Id. at 950.
[28] Id.
[29] Id. at 951.
[30] Id.
[31] Id. at 952.
[32] NetChoice, LLC v. Bonta, No. 23-2969 (9th Cir. filed Oct. 23, 2023).
[33] NetChoice, LLC v. Bonta, No. 23-2969, 2024 WL 3838423, *14 (9th Cir. Aug. 16, 2024).
[34] Id. at *15.
[35] See H.121, 2024 Gen. Assemb., Reg. Sess. (Vt. 2024), https://legislature.vermont.gov/bill/status/2024/H.121.
[36] Philip B. Scott, Letter from Governor Scott to Vermont General Assembly (Jun. 13, 2024), https://governor.vermont.gov/sites/scott/files/documents/H.121%20-%20Veto%20Letter.pdf.
[37] See S.B. 41, 74th Gen. Assemb., Reg. Sess. (Co. 2024); S.B. 361, 2024 Gen. Assemb., Reg. Sess. (Va. 2024).
[38] See Md. Code Ann., Com. Law § 14-4613 (effective Oct. 1, 2024).
[39] Id. § 14-4601(C).
[40] Id. § 14-4604(A)(1).
[41] Id. § 14-4604(B)(4).
[42] See, e.g., Fed. Trade Comm’n, “FTC Investigation Leads to Lawsuit Against TikTok and ByteDance for Flagrantly Violation Children’s Privacy Law,” (Aug. 2, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-investigation-leads-lawsuit-against-tiktok-bytedance-flagrantly-violating-childrens-privacy-law.
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Hybrid Conference
Intellectual Property Law Institute 2026 – New York
September 28-29, 2026
New York
At the PTAB Blog
June 18, 2026
Articles
California Reaches Record $12.75 Million CCPA Settlement with General Motors Over Driver Data
June 4, 2026
Federal Circuit IP Blog
Federal Circuit Affirms § 102(b) Invalidity; Source Code Commands Are Not Hearsay
May 14, 2026
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.