The Future of the CA Age-Appropriate Design Code Act- What Remains, What’s Still Open to Be Contested, and What Companies Must Consider for Minors’ Online Safety

•March 23, 2026

National Law Review – Employment Law•Mar 23, 2026

Why It Matters

The ruling determines which child‑privacy duties are enforceable, shaping compliance costs and legal risk for any online service accessed by minors.

Key Takeaways

•Any service with significant minor usage falls under CAADCA
•Court finds data‑use and dark‑pattern terms unconstitutionally vague
•Age‑estimation rule stays, verify or apply child protections universally
•Companies must provide clear, age‑appropriate privacy notices and monitoring signals
•Legal uncertainty persists; adopting best‑practice safety measures remains prudent

Pulse Analysis

The California Age‑Appropriate Design Code Act, enacted in 2022, was intended to extend child‑privacy protections beyond the federal COPPA framework. Industry coalition NetChoice quickly sued, arguing the statute infringed the First Amendment and exceeded state authority. After a series of district‑court injunctions, the Ninth Circuit has now issued its second major ruling, often called NetChoice II, which refines which sections survive constitutional scrutiny. The court’s analysis hinges on whether the law’s restrictions are content‑based, how narrowly they are tailored, and whether vague language deprives businesses of fair notice.

The March 12 2026 opinion holds that a facial challenge to the Act’s coverage definition is unlikely to succeed, because the eight indicators of likely minor access include both content‑neutral factors such as audience composition. Likewise, the age‑estimation requirement survives, allowing platforms either to verify ages or to extend child‑level safeguards to all users. Conversely, the court flagged several provisions as unconstitutionally vague—terms like “material detriment,” “best interests,” and the dark‑pattern prohibition lack clear standards. Those vague clauses may be rewritten by the legislature, but until then firms face enforcement risk if they cannot demonstrate compliance.

For operators of apps, websites, or services with any measurable teen audience, the prudent path is to adopt the provisions the court affirmed: publish concise, age‑appropriate privacy policies, signal when parental monitoring occurs, and provide easy tools for data‑rights requests. Simultaneously, companies should audit data‑use practices to avoid the undefined “material detriment” language, and eliminate any UI designs that could be construed as dark patterns. While litigation will likely continue and legislative amendments may clarify the ambiguous sections, proactive compliance not only mitigates legal exposure but also strengthens brand trust among parents and regulators.