On March 12, 2026, the U.S. Court of Appeals for the Ninth Circuit issued an opinion narrowing the injunction that had prevented enforcement of the California Age-Appropriate Design Code (CA AADC). The law was originally scheduled to take effect July 1, 2024, but enforcement was blocked after a district court issued a preliminary injunction in litigation brought by NetChoice. The Ninth Circuit concluded that NetChoice was unlikely to succeed on its facial First Amendment challenge and held that the district court's complete block of the law was too broad.
As a result, the court lifted the injunction for certain provisions of the CA AADC while keeping other provisions blocked. As always, children's privacy remains a rapidly shifting area of the law, and we will learn more throughout the year about how the CA AADC will be interpreted and enforced.
Key Takeaways
-
The Ninth Circuit lifted the preliminary injunction for several provisions, including the law's coverage definition and age estimation requirement.
-
The court left in place the injunction on the law's data use restrictions and dark patterns provision.
-
Certain provisions of the CA AADC may now be enforced unless the district court issues another injunction on remand.
-
For companies that have taken a wait and see approach to age appropriate design code laws pending constitutional challenges, this is a development worth watching closely.
-
The CA AADC was more trailblazing (at least under US law) when originally passed. Other states now have similar laws, as child and teen privacy and safety law have been a focus for state legislatures. Some companies may have already implemented product changes that will satisfy the newly in-force CA AADC requirements.
Coverage: Services “Likely to Be Accessed by Children”
The CA AADC applies to businesses that provide an online service, product, or feature likely to be accessed by children under the age of 18. A service is considered likely to be accessed by children when it is reasonable to expect, based on several indicators, that children will access the service. Those indicators include situations where:
-
The service is directed to children under COPPA.
-
Evidence shows the service is routinely accessed by a significant number of children.
-
The service includes advertisements marketed to children.
-
The service is substantially similar to another service that is commonly accessed by children.
-
The service contains design elements that are known to appeal to children, such as games, cartoons, music, or celebrities popular with children.
-
Internal company research shows that a significant portion of the audience consists of children.
The Ninth Circuit agreed with the state that this definition focuses on the type of service being offered rather than regulating speech. The court also noted that children can access a wide variety of services, including ride sharing platforms, ticketing services, payment platforms, fitness applications, health tools, and educational products.
Age Estimation Requirement
The court also vacated the injunction blocking the CA AADC's age estimation requirement and sent the issue back to the district court for further consideration. Under the law, covered businesses must either:
-
Estimate the age of child users with a reasonable level of certainty that matches the risks created by the company's data practices, or
-
Apply the privacy and data protections afforded to children to all users.
The Ninth Circuit highlighted that businesses can avoid age estimation entirely if they apply child level privacy protections to all users and that on remand, the parties and the district court may wish to consider the effect of that opt-out language on any burden on expression that may arise from the age estimation requirement.
Provisions That Remain Blocked
The Ninth Circuit agreed with the district court that several data use restrictions and the dark patterns provision should remain blocked while the case continues. These provisions would otherwise limit how companies can use children's personal information. For example, they would prohibit businesses from:
-
Using children's personal information in ways that are materially detrimental to their physical or mental health or well being.
-
Profiling children by default unless certain safeguards are in place and profiling is necessary for the service.
-
Collecting, selling, sharing, or retaining personal information that is not necessary to provide the service unless the company can show it is in the best interests of children.
-
Using dark patterns to encourage children to provide more personal information or give up privacy protections.
Because the injunction remains in place for these provisions, they are not currently enforceable.
Enforcement and Penalties
With parts of the injunction lifted, the California Attorney General may now enforce the CA AADC provisions that are no longer blocked, including the coverage definition and age estimation requirement, unless the district court issues another injunction after reconsidering the case. Violations of the CA AADC may lead to civil penalties of up to:
-
$2,500 per child for negligent violations, and
-
$7,500 per child for intentional violations.
Any enforcement will risk the Attorney General again defending the law's constitutionality as unconstitutionally vague or an as-applied First Amendment challenge.
Summary of Requirements:
To comply with the newly enforceable CA AADC provisions, companies that provide online services, products, or features likely to be accessed by children must implement several design, privacy, and data-handling safeguards. In particular, businesses must:
-
Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers.
-
Configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
-
Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.
-
If the online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track the child's location, provide an obvious signal to the child when the child is being monitored or tracked.
-
Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.
-
Provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns.
The law also places several restrictions on how companies may collect and use children's data. Specifically, businesses may not:
-
Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature requested.
-
Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.
-
Use any personal information collected to estimate age or age range for any other purpose or retain that personal information longer than necessary to estimate age. Age assurance shall be proportionate to the risks and data practice of an online service, product, or feature.