Published: September 2023

Navigate by Topic

In 2022, youth privacy legislative proposals began to boom across several states. From California's Age Appropriate Design Code Act to Utah's contentious Social Media Regulation Act and even to Louisiana’s HB 61 for online services contracts, states are introducing a full range of laws aimed at protecting minors' experiences online. To do so, they are deploying privacy tools coupled with standards for safety and mental health, putting the onus on companies to ensure they design with the "best interests" of young users in mind.

However, as evidenced by NetChoice's swiftly filed suit responding to the California AADC, a major legal debate around youth safety laws, focused on whether they conflict with free speech protections, is taking place. In district courts across the country, these laws are being challenged at the intersection of privacy rights and rights under the First Amendment to the U.S. Constitution.

The rubber is meeting the road now that court challenges are resulting in injunctions, most recently in a preliminary injunction of California's AADC ordered by Judge Beth Labson Freeman of the U.S. District Court for the Northern District of California. The order temporarily blocks the AADC from going into effect, pending the ongoing battle over the merits of the case.

In issuing the preliminary injunction, the judge peeked behind the curtain at the merits of the case and concluded NetChoice will likely succeed in arguing that the law violates First Amendment protections. This outcome is not unexpected, but the breadth of the judge's reasoning is surprising to many court watchers. The analysis in this case, if accepted by higher courts, has drastic implications for any law that restricts the collection and sharing of personal data in the U.S. Although the outcome could change, it is unlikely the law will go into effect in July 2024 as planned.

It is important for practitioners and policymakers alike to understand how U.S. free-speech protections can lead to these outcomes—and how future legislative proposals could avoid these pitfalls.

Background: Common requirements in new youth privacy laws

Although often not strictly focused on data privacy, the new wave of youth safety laws is important for privacy professionals because they usually impose changes in privacy programs for any company that interacts with young consumers.

One distinguishing characteristic of California's AADC is its data privacy impact assessment mandate. Any covered business with services likely to be accessed by children must add an analysis of any risk of material detriment to children arising from its data management practices to the DPIA of that service. The DPIA requirement has been at the core of the free-speech debate around the California AADC because it asks companies to mitigate or eliminate identified harms, which would likely include adjusting content for at least one subset of users. As explained below, government restrictions on content are often disallowed by the First Amendment.

Other new obligations from this law and similar laws include age verification requirements, "dark pattern" restrictions, default privacy settings, and limitations on the collection and storage of youth data.

  • expand_more

    Age assurance requirements

  • expand_more

    Prohibition of dark patterns

  • expand_more

    Strong default privacy settings

Steps to analyzing a free speech case

In the U.S., the First Amendment enshrines free speech as a fundamental democratic right, with centuries of precedent upholding its strong protection. Now, First Amendment challenges are becoming the primary battleground for youth privacy laws. Privacy pros should be aware the outcome of these constitutional challenges determines whether laws like the AADC remain intact, are significantly weakened or are otherwise completely abandoned.

A court's basic approach to analyzing a First Amendment challenge requires a series of legal steps. At each step, the parties argue over the proper application of First Amendment jurisprudence to the regulation in question, in this case California's AADC.

  • expand_more

    1. Is the government restricting speech?

  • expand_more

    2. Is the regulation content-based or content-neutral?

  • expand_more

    3. Does the law advance an important or substantial government interest?

  • expand_more

    4. Does restricting speech advance the goal of the law without going too far?

Alternative legal theories that challenge kids’ safety and privacy laws

Even if higher courts disagree with Freeman’s analysis — whether in her application of the Sorrell case, her chosen level of judicial scrutiny or her conclusions about balancing free speech and youth safety interests — other legal arguments could cause future trouble for similar regulatory regimes.

  • expand_more

    Could the law survive strict scrutiny?

  • expand_more

    Is age assurance a prior restraint of speech?

  • expand_more

    Is the law void for vagueness?

What remains after a successful constitutional challenge?

Are there valid and functional mechanisms for U.S. regulators to require age assurance and other youth privacy protections that avoid conflicts with the First Amendment?

The Supreme Court's Sorrell decision includes an important phrase that will likely continue to impact how data protection regulations are interpreted in the U.S.: "Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers."

The First Amendment remains a powerful tool to dispute legislation within the U.S., and any law regarding speech must pass a high standard to be considered constitutionally sound. Federal laws on youth privacy both failed and passed on constitutional grounds previously. As organizations like NetChoice confront state-level attempts to regulate youth privacy, the courts are left to interpret the values of the First Amendment in the twenty-first century tech ecosystem.

Nevertheless, policymakers' attempts to address kids' safety and mental health issues online are not going to stop. As top-down regulations are delayed, building the lessons of these laws into privacy-by-design practices should still be top-of-mind for all privacy pros. Even if the government cannot mandate these practices, companies would do well to think about how to support young people who use their services in a way that respects their privacy, autonomy and healthy development.

Credits: 2

Submit for CPEs