On March 12, 2026, a three-judge panel of the US Court of Appeals for the Ninth Circuit issued its second opinion in NetChoice v. Bonta, narrowing the preliminary injunction against California’s Age-Appropriate Design Code Act (CAADCA) but leaving several of the law’s most consequential provisions enjoined. The court held that NetChoice had not met the demanding standard for facial First Amendment relief as to the act’s coverage definition or its age estimation provision, but it agreed that the act’s challenged data use restrictions and dark patterns prohibition likely are unconstitutionally vague. The case now returns to the US District Court for the Northern District of California for further proceedings on age estimation and severability.

The CAADCA is a broad children’s privacy and online safety statute that imposes obligations on online services “likely to be accessed by children,” including requirements relating to age estimation, privacy defaults, data protection impact assessments, limits on profiling and data use, geolocation settings, privacy disclosures and interface design. For companies that may fall within the statute’s scope, the Ninth Circuit’s decision is significant because it allows several of the statute’s substantive obligations to take effect while litigation continues in the district court.

Prior challenges and the law’s status entering this appeal

NetChoice sued before the CAADCA took effect, asserting facial constitutional claims and federal preemption theories. In September 2023, the Northern District of California preliminarily enjoined the statute in full.

In August 2024, the Ninth Circuit vacated most of that injunction after applying the US Supreme Court’s intervening decision in Moody v. NetChoice. But it left in place the injunction against the CAADCA’s data protection impact assessment (DPIA)/risk mitigation requirement and the provisions it held were not grammatically severable from that requirement. It also left enjoined the act’s 90-day notice-and-cure provision and remanded for reconsideration NetChoice’s remaining facial theories and severability.

On remand, NetChoice amended its complaint and renewed its preliminary injunction motion. The district court again enjoined the statute in its entirety and, in the alternative, enjoined several specific provisions. The state appealed, leading to the March 12, 2026, opinion addressed here.

NetChoice’s renewed challenges

NetChoice’s renewed motion advanced both a theory that the whole statute is unconstitutional under the First Amendment and provision-specific challenges.

Whole-statute theory

NetChoice’s lead argument targeted the CAADCA’s threshold coverage definition – the provision applying the act to online services, products and features “likely to be accessed by children.” NetChoice argued that this definition is content-based, triggers strict scrutiny across the statute and renders the CAADCA unconstitutional in its entirety.

Provision-specific challenges

NetChoice also challenged specific operative provisions, including:

  • The age estimation requirement in Civil Code Section 1798.99.31(a)(5).
  • The data use restrictions in Section 1798.99.31(b)(1)-(4).
  • The dark patterns restriction in Section 1798.99.31(b)(7).
  • The policy enforcement requirement in Section 1798.99.31(a)(9).
  • Separately, the continued enforceability of the act’s valid remainder in light of the already enjoined 90-day notice-and-cure provision.

NetChoice also continued to press Communications Decency Act Section 230, Children’s Online Privacy Protection Act (COPPA) preemption and dormant commerce clause theories, but those arguments did not drive the panel’s merits analysis in this appeal.

What the Ninth Circuit held

  1. NetChoice did not justify a facial injunction against the statute as a whole.

The Ninth Circuit held that NetChoice had not met its burden under Moody to mount a facial challenge based on the coverage definition. The panel emphasized that facial challengers must show the law’s “full set of applications” – what activities by what actors the law regulates – and then measure the allegedly unconstitutional applications against the statute’s legitimate sweep.

The court concluded that NetChoice had not made that showing. In the panel’s view, the CAADCA’s coverage provision is broad and applies to many businesses, including some that do not publish expressive content at all. The court stressed that the definition contains six separate indicators and does not operate identically across all covered businesses. If NetChoice’s core concern is how the law affects social media companies or publishers, the court suggested that concern may be better pursued through as-applied challenges rather than a facial attack on the statute as a whole.

  1. The age-estimation provision is not facially invalid on the present record.

The court also vacated the injunction against Section 1798.99.31(a)(5), which requires a covered business either to estimate the age of child users with a reasonable level of certainty appropriate to the risks arising from its data management practices or apply the child-level privacy and data protections to all consumers. The panel emphasized that the provision does not, on its face, clearly restrict content; that a business can avoid age estimation by applying the relevant protections to all users; and that the record was underdeveloped as to how the provision operates in practice. The panel also faulted the district court for assuming that compliance necessarily would require collection of additional sensitive data, noting that the state had submitted evidence of less intrusive methods.

  1. The data use and dark patterns provisions likely are void for vagueness.

The Ninth Circuit reached a different result for the data use restrictions in Section 1798.99.31(b)(1)-(4) and the dark patterns restriction in Section 1798.99.31(b)(7). It affirmed the injunction against those provisions on vagueness grounds, focusing on the statute’s reliance on open-ended terms, such as “materially detrimental,” “well-being” and “best interests of children.” The panel rejected the state’s argument that “best interests of children” could be imported from California family law, reasoning that family law uses of that standard are individualized and fact-specific, whereas the CAADCA requires companies to make prospective judgments at scale about children as a class of users. The court also held that the scienter language does not cure the notice problem, and it extended the same reasoning to the dark patterns restriction.

  1. The district court was too quick to treat the valid remainder as inseverable.

The panel also vacated the district court’s severability ruling to the extent it enjoined the statute’s otherwise valid remainder because of the already enjoined 90-day notice-and-cure provision in Section 1798.99.35(c)(2). Applying California severability law, the Ninth Circuit held that the present record does not establish that the legislature would have preferred no statute at all over a CAADCA without that cure mechanism. It therefore vacated the injunction as to the valid remainder and remanded for further proceedings on severability.

What remains enjoined and what may now take effect

After this decision, the CAADCA remains partially enjoined.

Provisions that remain enjoined

The following substantive provisions of the law remain enjoined:

  • The DPIA/risk mitigation requirement, which the Ninth Circuit held likely unconstitutional in the 2024 appeal, together with the provisions previously held not grammatically severable from it, which would require covered businesses to conduct and document pre-launch DPIAs evaluating risks of harm to children and identifying mitigation measures for products or features likely to be accessed by children.
  • The 90-day notice-and-cure provision in Section 1798.99.35(c)(2), which would require the California attorney general to provide notice of an alleged violation and allow a 90-day opportunity to cure before initiating an enforcement action.
  • The data use restrictions in Section 1798.99.31(b)(1)-(4), which would impose substantive limits on how children’s personal information may be used, including prohibiting uses that are “materially detrimental” to children, restricting profiling by default, requiring data minimization tied to a “best interests of children” standard and limiting secondary uses of data absent a compelling justification.
  • The dark patterns restriction in Section 1798.99.31(b)(7), which would prohibit the use of interface designs or user experience techniques that encourage children to provide unnecessary personal information, weaken privacy protections or take actions deemed materially detrimental to their well-being.

Provisions that are no longer covered by the broad preliminary injunction

The panel vacated the broader whole-statute injunction, vacated the injunction against the age estimation provision in Section 1798.99.31(a)(5) and vacated the order insofar as it barred enforcement of the act’s otherwise valid remainder on nonseverability grounds. As a result, California is no longer preliminarily barred from enforcing the nonenjoined remainder of the statute, including the following provisions:

  • Age estimation requirement – Covered businesses must estimate the age of child users with a reasonable level of certainty or apply child-level privacy and data protections to all users (i.e., treat all users of the service as children).
  • High-privacy default settings – Covered businesses must configure default privacy settings for children to a high level of privacy.
  • Child-appropriate privacy disclosures – Privacy information, terms of service, policies and community standards must be provided concisely and in language suited to the age of children likely to access the service.
  • Monitoring and geolocation-related disclosures or signals – An obvious signal must be displayed to children when their online activity is being monitored or tracked or when their precise geolocation data is being collected.
  • Tools for privacy rights and reporting concerns – Businesses must provide prominent, accessible and responsive tools that allow children and their parents or legal guardians to exercise privacy rights and report concerns.

The panel did not reach the merits of NetChoice’s separate challenge to Section 1798.99.31(a)(9), but the opinion’s operative disposition affirms only the injunction as to Sections 1798.99.31(b)(1)-(4) and (b)(7) in this appeal, while vacating the remainder of the district court’s second preliminary injunction.

What comes next

The case now returns to the district court. The immediate issues on remand include further factual development on the age estimation provision, renewed severability analysis concerning the valid remainder and the still enjoined notice-and-cure provision, and continued litigation of NetChoice’s remaining claims. The Ninth Circuit did not decide the ultimate merits of the case; it decided only the scope of preliminary relief on the present record.

Legal implications

The decision reinforces two key points. First, after Moody, broad facial First Amendment attacks on platform regulation statutes will be difficult without a developed record addressing the law’s full range of applications. If a company’s specific service involves expressive content or unique data needs that make the CAADCA’s requirements burdensome, you should begin documenting those impacts now to support potential as-applied challenges in the future. Second, open-ended standards, such as “best interests,” “well-being” and “material detriment,” remain vulnerable to vagueness challenges if they are not tied to more concrete statutory direction.

Practical implications

With portions of the CAADCA now potentially enforceable, companies should reassess whether they are within scope as online services “likely to be accessed by children.” If so, companies should develop a compliance roadmap for the unblocked requirements of the CAADCA, including documenting the six separate indicators implicating threshold coverage, identifying a reasonably certain age estimation strategy or high-level privacy protections for all users, and implementing the child-appropriate disclosure requirements. 

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as "Cooley"). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. When advising companies, our attorney-client relationship is with the company, not with any individual. This content may have been generated with the assistance of artificial intelligence (Al) in accordance with our Al Principles, may be considered Attorney Advertising and is subject to our legal notices.