Cracks in the State Privacy Law Foundation: State Privacy Law Challenges See Success in District and State Courts
A recent spate of successful legal challenges has provided some relief from the ever-swelling wave of state privacy laws. The legal bases of these challenges vary, but taken together, they highlight that state privacy laws – while growing in popularity across state legislatures – may be on shaky legal ground. As explained in more detail below, the successful challenges to date include a challenge to the enforcement of the regulations promulgated under the California Privacy Rights Act (CPRA), as well as First Amendment challenges to children’s and teens’ privacy protections around content moderation and age verification requirements. Summaries of three of the recent successful cases follow.
California Chamber of Commerce v. California Privacy Protection Agency. In 2020, California voters approved the CPRA – a ballot initiative that supplemented California’s omnibus privacy law, the California Consumer Privacy Act (CCPA). Among other things, the CPRA gave rulemaking authority to a new entity called the California Privacy Protection Agency (Agency). The Agency used that authority to promulgate new privacy rules in March 2023. The agency planned to begin enforcing the new rules – which supplemented and added to existing California privacy rules – in July 2023.
But on June 30, 2023, a California state superior court ruled that any CPRA regulation may not be enforced until one year after the regulation is promulgated – significantly delaying the rollout of the new privacy rules. Focusing on the structure of the law, the court found that California voters intended to establish a 12-month gap between promulgation of CPRA regulations and enforcement. A more detailed analysis of the California state superior court ruling is available here. The case is currently pending on appeal and could heat up in the final months of 2023.
While this decision gave companies subject to the CPRA additional time to comply with the new regulations, it has not stopped the California Attorney General from sending several inquiry letters to large California employers requesting information about their compliance with the statute and existing CCPA regulations.
NetChoice v. Bonta. In 2022, California enacted the California Age-Appropriate Design Code Act (the CA AADC), which imposes new requirements for businesses that provide an online service, product, or feature that is “likely to be accessed by children.” The CA AADC goes well beyond the requirements of the federal Children's Online Privacy Protection Act (COPPA) in both its scope and its substantive reach.
On September 18, 2023, a federal district judge in the Northern District of California preliminarily enjoined enforcement of the CA AADC after finding that much of the law likely violates the First Amendment. The court noted that almost every aspect of the CA AADC involves some type of speech regulation, such as its restrictions on collecting and using data, its requirement to prepare Data Protection Impact Assessments (DPIA), and its mandate for companies to create and implement content moderation policies. The court concluded that the challenged provisions of the statute violated the First Amendment because the State did not show relevant harm to children, did not advance the State’s interest in protecting children, and/or suppressed more speech than necessary to achieve CA AADC’s goal of protecting children. Because these provisions were not severable, the court found that the entire law had to be enjoined.
NetChoice v. Griffin. In April 2023, the Arkansas governor signed the Social Media Safety Act (the Act) into law. The Act requires social media companies to verify the age of all account holders who reside in Arkansas by submitting age-verifying documentation through a third-party vendor before accessing a social media platform. Under the law, minors are denied an account and prohibited from accessing “social media platforms” without parental consent if they cannot provide a digital copy of their driver’s license or any other commercially reasonable age verification method.
A few weeks before the Bonta decision in California, a federal district judge in the Western District of Arkansas granted a motion for preliminary injunction, finding that the Social Media Safety Act likely violates the First Amendment. The court found that the Act burdens both adults’ and minors’ access to constitutionally protected speech. Though the court declined to make a final decision on whether the law is content-neutral, the court applied intermediate scrutiny to the Act and found that the law is not narrowly tailored to achieve an important government interest. Specifically, the court agreed with NetChoice that the law would significantly deter many users from entering a website by requiring adults to provide personally identifiable information to access a website. The court also found that the Act bars minors from accessing large amounts of constitutionally protected speech online and emphasized that the governmental interest in protecting children does not allow a limitless suppression of constitutionally protected speech, even when the law addresses a serious social problem. The court concluded that the Act “impedes access to content writ large.”
States in 2023 have continued to aggressively push forward on new privacy laws. However, this recent spate of successful challenges to state privacy laws may provide a road map for future challenges to similar laws – particularly with respect to state laws regulating minors’ access to social media.
Wiley’s deep and experienced bench of attorneys represent clients in privacy-related litigation and government investigations, and Wiley's attorneys regularly work with clients to comply with state privacy laws. Please contact any of the authors on this alert to discuss your privacy needs.
 Note: Wiley represented an amicus in this case.