The Ninth Circuit’s Latest CAADCA Ruling: Navigating an Evolving Compliance Landscape

By Andrew Serwin & Kieran de Terra on March 26, 2026

Posted in Adtech, Children's data, Privacy Litigation

California’s Age-Appropriate Design Code Act (CAADCA) remains at the center of one of the most significant legal battles in children’s privacy law. On March 12, 2026, the Ninth Circuit issued its latest decision in NetChoice, LLC v. Bonta, partially affirming and partially vacating the district court’s preliminary injunction that had blocked the law’s enforcement. For companies with digital products and services likely to be accessed by children, understanding the contours of this decision (and which provisions are now enforceable versus those that remain blocked) is essential for effective compliance planning.

This post summarizes the Ninth Circuit’s key holdings, analyzes the current status of the CAADCA’s provisions, and situates the decision within the broader context of heightened children’s privacy enforcement activity in California.

Background and Procedural History

The CAADCA was enacted unanimously by the California legislature in 2022 and was originally set to take effect on July 1, 2024. Modeled significantly on the UK’s Age Appropriate Design Code (in effect since September 2021), the CAADCA imposes obligations on businesses providing online services, products, or features “likely to be accessed by children,” including the requirement to conduct a Data Protection Impact Assessment (DPIA) before making available any online service, products, or features likely to be accessed by children. The term “children” is defined as consumers under 18 years of age, marking a contemporary departure from prior formulations of that concept under U.S. law.

The statute reflects California’s legislative declaration that “businesses that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that online service, product, or feature.” NetChoice, a trade association representing major technology companies including Amazon, Google, Meta, and Netflix, filed suit challenging the law on First Amendment grounds before it took effect.

The litigation has followed a complex path. In 2023, the district court granted a preliminary injunction blocking enforcement of the entire statute. While the case was on appeal to the Ninth Circuit, the U.S. Supreme Court’s 2024 decision in Moody v. NetChoice, LLC clarified the standard for facial challenges under the First Amendment, prompting the Ninth Circuit in NetChoice I (a separate case from SCOTUS’ Moody v. NetChoice, LLC)to vacate the majority of the preliminary injunction and remand for further proceedings. However, the court affirmed the injunction with respect to the DPIA requirement under the CAADCA and provisions not grammatically severable from it.

On remand, NetChoice sought a second preliminary injunction, which the district court again granted as to the entire statute. The State’s appeal of that decision produced the March 2026 ruling now under consideration.

The Ninth Circuit’s Analysis

The Ninth Circuit’s decision applied SCOTUS’ Moody framework for evaluating facial constitutional challenges. The court analyzed each challenged provision separately, assessing whether NetChoice could demonstrate that a “substantial number of the law’s applications are unconstitutional, judged in relation to the statute’s plainly legitimate sweep.”

The Facial Challenge to the Coverage Definition

NetChoice argued that the CAADCA’s definition of what constitutes a covered business (which makes the Act applicable to online businesses whose services are “likely to be accessed by children”) is content-based on its face and therefore subjects the entire statute to strict scrutiny. The district court agreed, finding that application of the statute’s enumerated indicators “unavoidably requires an evaluation of content.”

The Ninth Circuit disagreed, vacating the preliminary injunction as to the CAADCA as a whole. The court emphasized that the coverage definition consists of six separately enumerated indicators, each demanding a different inquiry. Critically, some of these indicators, such as whether a service is “routinely accessed by a significant number of children” based on audience composition data, do not require any evaluation of content. The court noted that children are capable of using ride-sharing services, electronic ticketing platforms, financial transaction services, and fitness or educational products, all of which could fall within the CAADCA’s scope based purely on demographic user data rather than content analysis.

The court faulted NetChoice for failing to develop a record establishing the full range of the CAADCA’s applications. As the court explained, facial challengers cannot “treat the law as having certain heartland applications, and mostly confine the battle to that terrain.” By focusing primarily on social media companies and publishers, rather than the full universe of online businesses that might be covered, NetChoice failed to carry its burden under Moody.

The Age Estimation Requirement

The CAADCA requires covered businesses to “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.” NetChoice challenged this provision as facially unconstitutional.

The Ninth Circuit vacated the preliminary injunction as to this provision and remanded for further consideration. Importantly, the court observed that the age estimation requirement does not, on its face, prevent access to content. Instead, it provides businesses with a clear alternative: rather than estimate user ages, a business may simply apply children’s privacy protections to all consumers. The court also noted that the record lacked sufficient development regarding the various methods businesses might use to comply with this requirement, including methods that would require no additional data collection.

The court left open the question of whether the term “data management practices” in the age estimation provision incorporates the content-related factors from the DPIA requirement (which remains enjoined) or carries its ordinary meaning. This statutory interpretation question will be addressed on remand.

Data Use Restrictions and Dark Patterns Prohibition

The Ninth Circuit affirmed the preliminary injunction as to four data use restrictions and the dark patterns prohibition, albeit on vagueness grounds rather than First Amendment grounds.

The challenged data use provisions prohibit covered businesses from using children’s personal information in ways that are “materially detrimental” to children’s “physical health, mental health, or well-being,” and require businesses seeking to profile children or collect their data to demonstrate that doing so is in “the best interests of children.” The dark patterns restriction similarly prohibits using manipulative design features to take actions that are “materially detrimental” to a child’s well-being.

The court found these provisions unconstitutionally vague because they fail to provide businesses of ordinary intelligence with reasonable notice of what conduct is prohibited. While the State offered extreme examples of prohibited conduct, such as using a child’s information to facilitate exploitation, the court observed that the more difficult questions involve everyday scenarios like sleep loss, distraction, or hurt feelings. The statute provides no guidance for distinguishing between these potential harms.

The court also rejected the State’s argument that “best interests of children” should be understood by reference to the family law standard used in custody determinations. That standard, the court explained, operates through individualized, case-by-case analysis of a specific child’s circumstances; an approach fundamentally incompatible with data privacy regulation that must govern covered businesses’ conduct prospectively and across millions of potential child users.

What Remains Blocked vs. What May Now Be Enforced

Following the Ninth Circuit’s decision, the CAADCA’s provisions fall into distinct categories:

Provisions That Remain Enjoined:

The DPIA requirement (enjoined since NetChoice I).
Provisions requiring businesses to avoid “materially detrimental” uses of children’s personal information.
Provisions requiring businesses to demonstrate that profiling or data collection is in the “best interests of children.”
The dark patterns prohibition (insofar as it relies on the “materially detrimental” standard).
The notice-and-cure safe harbor provision (enjoined since NetChoice I, with severability still under consideration).

Provisions Where the Injunction Was Vacated (Subject to Further Proceedings):

The age estimation requirement.
The definition of covered entities and associated substantive provisions not otherwise enjoined.

Additionally, by vacating the preliminary injunction as to the CAADCA as a whole, the Ninth Circuit lifted the blanket injunction that had covered several substantive provisions that NetChoice never individually challenged. These provisions are not currently subject to any preliminary injunction and may be enforceable, subject to further proceedings:

A requirement to configure all default privacy settings for children to a “high level” of privacy.
A requirement to publish privacy policies and terms of service in language suited to the age of children likely to use the service.
A requirement to provide an “obvious signal” to a child when a parent, guardian, or other consumer is monitoring the child’s online activity or tracking the child’s location.
A requirement to provide prominent, accessible, and responsive tools to help children or their parents exercise privacy rights and report concerns.
A prohibition on collecting, selling, or sharing precise geolocation information of children by default (unless strictly necessary and for a limited time), and a requirement to provide a visible signal to the child whenever geolocation is being collected.
A requirement that personal information collected for age estimation purposes be minimized and not used for any other purpose.

The practical effect is that substantial uncertainty remains. On remand, the district court must further develop the record regarding the scope of covered entities and reconsider the age estimation requirement in light of the Ninth Circuit’s guidance.

Practical Implications for Businesses

For businesses operating online services likely to be accessed by children in California, this decision creates a complex compliance environment. Several considerations merit attention:

Businesses should monitor developments in the ongoing litigation closely. The Ninth Circuit’s remand leaves significant questions unresolved, and the ultimate scope of enforceable CAADCA provisions may shift as the case proceeds.
To the extent businesses anticipate that certain provisions, such as the age estimation requirement, may ultimately become enforceable, advance preparation is prudent. The CAADCA offers businesses a choice: estimate user ages “with a reasonable level of certainty” or apply children’s privacy protections to all users. For some businesses, the latter approach may prove simpler and less burdensome.
Businesses should remember that the CAADCA provides for substantial civil penalties: up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation, recoverable through civil actions brought by the Attorney General.

The Broader Regulatory Landscape

The CAADCA should be understood as part of a larger national and international trend toward heightened children’s privacy regulation. In an era of sharply divided partisan approaches to data privacy in general, children’s privacy appears to be one area of common ground. Several states have enacted or are considering similar legislation, and federal proposals continue to circulate.

Businesses subject to the CAADCA may also face parallel obligations under the federal Children’s Online Privacy Protection Act (COPPA), which applies to services directed at children under 13 or that have actual knowledge of child users.

This ruling also reflects the judiciary’s continued grappling with how traditional First Amendment doctrines apply to digital platforms and data-driven business models. The Ninth Circuit’s insistence on detailed record development and its skepticism of facial challenges that focus on “heartland applications” signals that litigants seeking to invalidate children’s privacy laws will face a demanding evidentiary burden.

Conclusion

The Ninth Circuit’s March 2026 decision in NetChoice v. Bonta does not mark the end of the CAADCA’s legal journey. Significant questions remain to be resolved by the district court on remand, and further appellate review is possible. For now, the data use restrictions and dark patterns prohibition remain blocked on vagueness grounds, while the fate of the age estimation requirement and the statute’s broader application await further proceedings.

Clients should monitor this litigation actively, assess their potential exposure under the CAADCA’s various provisions, and treat children’s privacy compliance as a strategic priority likely to receive continued regulatory and judicial attention in the years ahead.

For questions regarding children’s privacy enforcement trends, contact the authors or any member of our Data Protection, Privacy, and Security team.