The CA Age Appropriate Design Code

The Ninth Circuit's ruling on California's Age Appropriate Design Code Act lands with major implications for privacy law broadly. The court applied strict scrutiny — the highest First Amendment standard — to the law's Data Protection Impact Assessment (DPIA) requirement, finding that California had effectively deputized businesses to censor speech by compelling them to document and assess potential harms in government-prescribed ways. The DPIA provision was struck down; the remainder of the case was remanded to the district court for reassessment. While focused on children's privacy, the ruling signals something larger: courts are demanding that governments be precise about the harms they claim to be preventing when regulating speech or compelling disclosures. The broader question raised is whether advocacy groups like NetChoice will now look to challenge DPIA-like provisions in other state privacy statutes — the CCPA, Maryland's restrictive sensitive data language, and Colorado's AI laws among them. The concept of "harm" in privacy has long been treated elastically by regulators, but courts have historically required more concrete, economic harm to sustain claims. If the First Amendment can be invoked against government mandates to assess and document privacy harms, the enforcement landscape for a wide range of state privacy laws could shift considerably depending on how those provisions are worded. Post-Chevron, the episode surfaces the deeper structural question: should privacy standards that have long lived in regulatory blog posts and agency guidance now be codified into statute? The FTC's position that browsing data constitutes personal information is one example of guidance that carries enormous practical weight but may not survive First Amendment or administrative law scrutiny in court. The takeaway is that privacy law is entering a phase of more intensive judicial review, and companies should expect more court-based challenges to the specificity — or lack thereof — of how harms and compliance obligations are defined in law.

**Jonathan:** Hey, Lisa. Hot off the presses, California age appropriate design code and the Ninth Circuit just ruled on that. Can you tell us a bit about it? **Alysa:** Yes. Hot off the presses is right. This is a big deal. It's a big deal for age appropriate design code act implications but also just privacy laws. So the court, the appellate court, focused on one issue and it was the data protection impact assessments, essentially saying strict scrutiny under First Amendment, which for the legal nerds, that's the highest standard — because they said the law, essentially what California did, is deputized businesses to censor speech. They were compelled, forced by the government to create DPIAs. And even though they were not gonna be published on websites, they were forced to write down certain speech to address what the state thought were potential harms, and that was ambiguous, and that they could not do that under the First Amendment. So that provision, the DPIA provision of the age appropriate design code act, struck down, and then the rest of the case sent back down to the district court to essentially do over, reassess. **Jonathan:** Is that what does that mean for privacy laws? It doesn't mean anything. **Alysa:** Well, I think it does because if DPIA is data protection impact assessments, risk assessments — **Jonathan:** Mhmm. **Alysa:** — by companies internally assessing what are the benefits, what are the potential harms with this issue, and what harms in the privacy context are enough. And if DPIAs potentially violate the First Amendment now — this was about children's privacy — but in privacy laws, we're talking about sensitive personal information. We're talking about just personal information, not sensitive, to different groups of individuals. I think it's a good question on whether you're gonna have advocacy groups like NetChoice or others look to challenge laws, for example, like the CCPA, on some of these provisions, or Maryland's law that has pretty restrictive language around sensitive personal information, or even some of the AI laws that we are seeing, like in Colorado. So I think it really raises the question of where do we net out — not to use the word net with NetChoice — but where will we net out after some of these statutes are, in fact, challenged? **Jonathan:** Yeah. So, like, in a — so for example, I was under the assumption that just the violation of your privacy is the harm. And does this mean that's not necessarily the case? And then even asking businesses to think about the harm, it's not their job? I mean, is that thinking about that right? To think about the amorphous harm, the concept of — what is harm? **Alysa:** And we've seen in the data breach cases, for example, when those were litigated, they were really looking at economic harm, concrete harm to individuals. And while we certainly hear regulators talk about harms to be a much broader, more elastic concept. I think what you're seeing is courts push — we need to be more specific when we are saying something may harm — and if you are going to not do certain things or force disclosures to do certain things, those harms need to be more particular. Businesses need to have more specificity, and essentially a higher burden on what those — the state or the federal government, depending on the law that's challenged — has to be more articulate about the harms that they're trying to protect. **Jonathan:** And do you think, Alysa, that — I mean, some aspects of the privacy laws, ambiguous anyway, it might need more specificity. So for example, the FTC blog on browsing data being personal, should that be encoded in law, especially after Chevron? Are we just gonna see more of this? **Alysa:** Yes. We are going to see more court-based challenges on where to draw the line. And yes, government has an interest in protecting privacy, but what is a reasonable place and how specific does the government need to be? I think there's some big questions on whether blog posts are gonna carry the day. **Jonathan:** Thanks, Lisa.