On March 4, 2025, the California Attorney General (AG) announced a further delay in the enforcement of the California Age-Appropriate Design Code Act (CAADCA) until April 5, 2025. Initially operative on July 1, 2024, CAADCA’s enforcement had already been postponed to March 6, 2025, due to a trade association’s challenge to the statute’s validity. This second postponement comes as businesses await the district court’s decision on the trade association’s motion for a preliminary injunction to prevent the AG from enforcing CAADCA.
CAADCA is a comprehensive children’s online privacy and safety law that applies to any online service, product, or feature likely to be accessed by California residents under 18 years of age. The law mandates that businesses operating within its scope conduct and document a Data Protection Impact Assessment (DPIA) to evaluate risks to children. Additionally, businesses must implement specific privacy and safety measures, such as configuring privacy-protective default settings and restricting the use of children’s personal information that is materially detrimental to their health or well-being.
The trade association initiated its legal challenge against CAADCA on December 14, 2022. As part of this proceeding, the AG is currently enjoined from enforcing CAADCA’s DPIA-related provisions on First Amendment grounds. The district court is now considering the trade association’s second motion for a preliminary injunction targeting CAADCA’s non-DPIA provisions. In the interim, the court approved a joint stipulation between the trade association and the AG to delay enforcement until April 5, 2025. This stipulation also prohibits the AG from retroactively enforcing any alleged CAADCA violations occurring before this date.
This delay provides businesses with much-needed clarity regarding the AG’s enforcement plans during the ongoing legal challenge. But businesses offering online services to children should remain aware that other laws and regulations also protect children’s online privacy and safety. For instance, the Maryland Age-Appropriate Design Code Act, which closely mirrors CAADCA, became effective on October 1, 2024, although it faces a similar validity challenge initiated by the trade association in February 2025. This challenge is in its pleadings stage, and the Maryland Attorney General is expected to respond to the trade association’s complaint by March 14, 2025. Furthermore, federal and state regulators continue to use existing laws, such as the Children’s Online Privacy Protection Act and consumer protection statutes, to enforce actions against businesses that mishandle children’s personal information or cause material harm to children.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments around laws and regulations involving children’s online privacy and safety. Please contact us if you have any questions.
