Privacy law does not usually trend like a celebrity breakup, but California’s CAADCA appeal has managed to turn children’s online privacy into a full-blown constitutional cliffhanger. At the center of the fight is the California Age-Appropriate Design Code Act, a law meant to push online businesses to put kids’ privacy and safety ahead of engagement tricks, data hoarding, and design choices that quietly nudge young users into oversharing. Supporters call it a long-overdue guardrail for the modern internet. Critics call it an overbroad law that risks regulating speech and forcing companies into awkward, invasive age-checking practices.
That tension is exactly why the California CAADCA appeal matters. This is not just a niche court battle for privacy lawyers with heroic coffee habits. It is a test of how far a state can go when it tries to protect children online through product design rules instead of old-school content moderation mandates. The legal fight has already shaped the future of youth privacy legislation, and it may influence how lawmakers across the country write the next generation of online safety laws.
What Is CAADCA, Exactly?
CAADCA stands for the California Age-Appropriate Design Code Act. The law was designed to apply to certain businesses covered by California privacy law that offer an online service, product, or feature likely to be accessed by children. And in California, “children” is not limited to the under-13 crowd familiar from COPPA. CAADCA uses a broader under-18 standard, which immediately raises the difficulty level from “annoying compliance project” to “somebody please call the lawyers and product team.”
The law aims to make companies think about children before launching digital products, not after a scandal hits. In practical terms, it expects covered businesses to build privacy protections into the design of their services. Some of the best-known provisions include:
- estimating the age of child users with a reasonable level of certainty, or applying child protections to everyone,
- setting privacy defaults at a high level for children,
- providing clear, age-appropriate privacy information,
- signaling when precise geolocation is being collected,
- warning children if monitoring or tracking features are active, and
- restricting certain uses of children’s personal information, profiling, and dark patterns.
The idea behind the law is simple enough: if a business knows young people are likely to use a service, the business should not design that service as though every user is an infinitely patient, fully informed adult who reads every privacy notice like it is beach fiction.
Why the California CAADCA Appeal Became Such a Big Deal
The appeal exploded in importance because the law sits at the intersection of several legal fault lines. It is about children’s online privacy, yes, but it is also about the First Amendment, vagueness doctrine, platform regulation, and the increasingly uncomfortable question of whether protecting minors online now requires businesses to know more about users in order to collect less from them.
That is the paradox haunting the entire case. A law written to protect kids from excessive data collection can, in practice, pressure companies to do age estimation. Critics say that may encourage more data collection or broader identity checks. Supporters respond that privacy-by-design rules are exactly what is needed because the current internet economy rewards surveillance, frictionless profiling, and engagement tactics that are not exactly famous for restraint.
The appeal also matters because California often functions as America’s regulatory laboratory. When California sneezes, the compliance industry catches a cold, builds a webinar, and bills by the hour. Other states have already looked at youth privacy and design-code models, so every ruling in this case sends a message far beyond California.
A Clear Timeline of the CAADCA Appeal
2022: California Passes the Law
California enacted the Age-Appropriate Design Code Act in 2022. The law was framed as a first-in-the-nation measure aimed at protecting children’s privacy, safety, and well-being online. It drew inspiration from the broader design-code concept already associated with child-centered digital privacy rules.
2023: Enforcement Gets Blocked
Before CAADCA could take effect, NetChoice, a trade association representing major online businesses, challenged the statute. A federal district court in California issued a preliminary injunction in 2023, blocking enforcement. The court was persuaded that key parts of the law likely raised serious First Amendment problems, especially where the statute seemed to require businesses to evaluate and mitigate the risk that children would encounter harmful material.
2024: The Ninth Circuit Partly Revives the Law
In 2024, the Ninth Circuit took a mixed approach. It did not bless the law outright, but it also did not accept the broad argument that the whole statute should stay frozen. The appellate court left the injunction in place for the data protection impact assessment provisions tied to harmful-content risk analysis and sent the rest back for a more careful facial-challenge analysis. In plain English, the court basically said: not so fast, everybody. Try again with better legal precision.
2025: The District Court Blocks the Entire Law Again, and California Appeals
On remand, the district court again concluded that the law should be blocked in full, this time emphasizing the statute’s “coverage definition” and treating the law as a content-based burden on online services likely to be accessed by minors. California Attorney General Rob Bonta appealed that ruling in April 2025, arguing that delaying the law would continue to leave children without important online protections.
2026: A Mixed Ninth Circuit Ruling Reshapes the Battlefield
In March 2026, the Ninth Circuit issued another major opinion. The court rejected the idea that NetChoice had, at this stage, shown that the entire law was facially unconstitutional. It also concluded that the age-estimation requirement could not be struck down across the board on the record presented. But the court kept the injunction in place for several data-use and dark-pattern provisions, concluding that some of the law’s language was too vague to clearly tell businesses what conduct was prohibited.
That means the CAADCA appeal did not end with a clean victory lap for either side. Instead, the ruling narrowed the injunction, preserved challenges to specific provisions, and sent the case back for more proceedings. The law’s future is clearer than it was before, but not exactly crystal-clear.
The Core Legal Arguments in the Appeal
1. The First Amendment Argument
NetChoice argued that CAADCA regulates speech, not just data practices. One major theory was that the law’s definition of services “likely to be accessed by children” effectively depends on content, audience, and design choices. If a platform offers games, cartoons, music, or other features that appeal to minors, the law may apply. Critics of the statute say that makes the law content-based and constitutionally suspect.
California, by contrast, argued that the law is fundamentally a privacy and product-design statute. In that view, CAADCA does not tell companies what viewpoints they may express. It tells them how to handle children’s data and design risks when minors are likely to be in the room. That distinction matters because courts generally treat direct speech regulation differently from business conduct and privacy regulation.
2. The Facial Challenge Problem
A huge issue in the appeal was whether the whole law could be blocked on its face. A facial challenge is the legal equivalent of saying, “This thing is broken almost everywhere, not just in one bad application.” The Ninth Circuit leaned hard on that standard. It said the challenger had not adequately shown that unconstitutional applications of the law substantially outweighed constitutional ones.
That point matters because the court viewed CAADCA as potentially applying to a broad range of online services, not just social media giants. If a law reaches ride-sharing features, ticketing tools, payment apps, educational services, gaming products, or location-based utilities, the court wants a fuller picture before striking down everything in one swing.
3. The Vagueness Argument
Even when courts are unwilling to kill an entire statute, they can still slice out provisions that are too fuzzy. That is exactly what happened here. Terms like “materially detrimental,” “well-being,” and “best interests of children” may sound noble, but noble language is not always compliance-friendly language. A business trying to launch a product needs to know what is banned, what is required, and what lands it in court.
When a statute uses open-ended phrases without clear limits, judges worry about arbitrary enforcement and chilled conduct. That is why some CAADCA provisions remained enjoined even after the Ninth Circuit rejected the theory that the whole law should stay blocked.
The Most Important Provisions Businesses Are Watching
Age Estimation
The age-estimation requirement is one of the most debated features of CAADCA. Businesses can estimate age with a reasonable level of certainty appropriate to the risk, or apply child-level privacy protections to all users. On paper, that sounds flexible. In practice, it creates design, legal, and technical headaches. Companies must decide whether to build age-assurance systems, use proxies, or choose the more sweeping option of treating all users as though they may be minors.
Privacy by Default
High-privacy default settings are a centerpiece of the law. This is classic privacy-by-design logic: do not make children dig through six menus, decode vague labels, and accidentally opt into a data-hungry setup that benefits the platform more than the user. Supporters love this feature because defaults shape behavior. Critics worry about ambiguity in the statute’s exceptions and how the standard should be applied to mixed-age audiences.
Geolocation and Monitoring Signals
Some of CAADCA’s cleaner requirements have broad intuitive appeal. If a service is collecting a child’s precise geolocation, the child should get an obvious sign while that collection is happening. If a parent, guardian, or another user can monitor the child’s activity or track location, the child should be signaled. These provisions sound less like speech regulation and more like straightforward transparency rules.
Restrictions on Profiling, Data Minimization, and Dark Patterns
This is where the appeal gets thornier. The law tries to limit profiling by default, unnecessary collection and retention of personal information, and manipulative design techniques that push children toward giving up more data or privacy protections. Conceptually, those goals are popular. Legally, however, some of the wording proved vulnerable because courts want specific boundaries, not moral fog.
What the California CAADCA Appeal Means Going Forward
The biggest takeaway is that the appeal did not end the debate over children’s online privacy. It refined it. The latest rulings suggest that courts may be open to robust youth privacy protections, but they want statutes written with sharper tools and fewer mushy slogans. “Protect kids” is a compelling policy goal. “Protect kids using terms no one can confidently apply in a product meeting” is a litigation starter kit.
For lawmakers, the message is clear: future child privacy laws must be narrowly drafted, operationally realistic, and specific about what businesses must do. For companies, the message is also clear: waiting for total legal certainty is risky. Even with ongoing litigation, the policy direction is obvious. Regulators, courts, parents, and the public increasingly expect online services to justify their treatment of minors’ data, not hide behind default settings built for maximum extraction.
For parents, the appeal is a reminder that the legal system is trying to catch up with a digital environment that has changed faster than old privacy rules ever anticipated. For teens, it is about whether the products they use every day are designed with their interests in mind or simply designed to keep them scrolling, clicking, and sharing.
Experience-Based Scenarios: What the CAADCA Appeal Looks Like in Real Life
The most revealing part of the California CAADCA appeal is not the case caption or the court jargon. It is what the dispute looks like for people who actually live with the consequences. Consider a product manager at a mid-size education app. Before CAADCA, her team might have focused on retention, onboarding speed, and reducing clicks between sign-up and daily use. After the law and the appeal, her questions change. Do we need a teen-specific default? Are notifications too aggressive? Are we collecting more data than we need? Suddenly, privacy is not a paragraph in the footer. It is part of product strategy.
Now picture a parent using a family safety app with location tracking. From that parent’s perspective, CAADCA can feel refreshingly common-sense. If a child is being tracked, why should the child not receive an obvious signal? Parents may still want monitoring tools, but many also understand that secret tracking is a recipe for distrust. In that sense, some parts of the law do not feel radical at all. They feel overdue.
Then there is the startup founder who hears “age estimation” and immediately sees budget spreadsheets catching fire. Large platforms can hire outside counsel, build internal compliance programs, and run age-assurance experiments. A smaller company may hear the same requirement and think, “Great, now I need a privacy architect, a policy consultant, and maybe a support team for confused users who just wanted to buy concert tickets.” The appeal matters to this group because every line between a valid rule and an enjoined rule changes how expensive compliance becomes.
Teen users experience the issue differently. Most do not read judicial opinions, which is healthy and correct. But they do notice when privacy settings are easier to understand, when location collection is visible, when profiles are more locked down by default, or when a service suddenly asks age-related questions. Their experience of the CAADCA appeal is not theoretical. It shows up in screen design, prompts, defaults, and how much friction a platform introduces before letting them roam.
Privacy lawyers and in-house counsel probably have the least glamorous experience of all, but it may be the most important. They are the ones translating statutory language like “best interests of children” into engineering tickets, design approvals, and risk memos. When a court says that some of that language is too vague, those teams are not surprised. They have been living inside the ambiguity for months. The appeal, from their perspective, is a lesson in how legal uncertainty can quietly shape product development long before final judgment arrives.
What ties all these experiences together is this: the CAADCA appeal is really about the architecture of everyday digital life. It is about who bears the burden of safety online. Should that burden stay mostly on children and parents, who are expected to read every setting and outsmart every manipulative interface? Or should more of the burden fall on the businesses that build the systems in the first place? California answered that question one way. The courts have been testing how far that answer can go. And the rest of the country is watching closely.
Conclusion
The California CAADCA appeal is not just another courtroom skirmish over tech policy. It is one of the most important legal battles over children’s online privacy, platform design, and constitutional limits on state regulation. California tried to move the conversation from “What content should kids see?” to “How should services be designed when kids are likely to use them?” That shift is ambitious, influential, and legally messy.
So far, the courts have said two things at once. First, states are not automatically barred from imposing child-centered privacy and design rules. Second, those rules must be drafted with much more precision than a broad statement of good intentions. That is the real lesson of the CAADCA appeal. The future of youth digital regulation will not belong to the loudest slogan. It will belong to the law that is specific enough to survive review and practical enough to work in the real world.
