California introduced the Age-Appropriate Design Code Act aimed at enhancing child online safety and data privacy.
California’s Age-Appropriate Design Code Act (CAADCA) was introduced as a groundbreaking law aimed at strengthening online protections for children under 18. Signed into law in September 2022 by Governor Gavin Newsom, the CAADCA was modeled after the UK’s Children’s Code (Age-Appropriate Design Code) and sought to impose stricter regulations on businesses offering online services accessible to minors. The law was set to take effect on July 1, 2024, however, legal challenges have delayed its enforcement.
The CAADCA will require businesses to implement strong privacy protections for minor users.
The CAADCA establishes several key obligations for online businesses operating in California. One of its main provisions requires that default privacy settings be set to the highest level of protection for child users, ensuring that minors were not automatically exposed to unnecessary data collection or tracking. The law also mandated that businesses conduct Data Protection Impact Assessments (DPIAs) to evaluate potential risks to children’s privacy and well-being. These assessments are intended to help companies effectively and proactively identify how their platforms might expose minors to harmful content, excessive data collection, or algorithmic manipulation.
Businesses will be expected to estimate the age of users to ensure compliance with child safety protections.
The legislation also placed a strong emphasis on age estimation and verification. Under the CAADCA, businesses are expected to implement reasonable age-detection mechanisms to ensure that child users receive appropriate privacy protections. This provision is aimed at preventing companies from applying a one-size-fits-all approach to digital privacy, instead requiring them to tailor experiences to different age groups. Additionally, the law explicitly prohibits the use of dark patterns, which are deceptive design techniques that manipulate users into providing personal information or taking actions against their best interests.
The CAADCA has faced legal challenges that have stalled its enforcement.
Despite its strong child protection goals, the CAADCA has faced significant legal and constitutional challenges. In March 2025, the U.S. District Court for the Northern District of California issued a preliminary injunction, blocking the law’s enforcement. The court found that certain provisions likely violated the First Amendment by imposing vague and overly broad requirements on online businesses. Critics argue that the law’s lack of clarity on what constitutes an “age-appropriate” design creates compliance difficulties for tech companies and could result in excessive self-censorship or over-policing of content. These concerns have fueled ongoing litigation, delaying the enactment of the CAADCA.
The CAADCA has ignited a broader discussion about child safety in the digital space.
While the timeline for the implementation of the California Age-Appropriate Design Code Act remains uncertain, its introduction has sparked a larger conversation about child digital safety in the United States. With growing regulatory pressure at both state and federal levels, businesses should remain proactive in adapting their practices to align with evolving standards. Whether through compliance with existing data protection laws or voluntary adoption of age-appropriate design principles, tech companies should prioritize child safety. When enforced, compliance may require significant changes including investment in privacy-enhancing technologies, age verification systems, and risk assessments.
