California Age Appropriate Design Code Injunction Vacated in Primary Part

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

California Age Appropriate Design Code Injunction Vacated in Primary Part

The Ninth Circuit Court of Appeals ruled August 16 that the preliminary injunction previously barring enforcement of the California Age Appropriate Design Code Act (CAADCA) is vacated with respect to all portions of the law other than certain provisions related to Data Protection Impact Assessments. The case will be remanded back to the District Court for further consideration.

TAKEAWAY

CAADCA, which was originally scheduled to take effect July 1, 2024, was enjoined in 2023 based on a District Court finding that CAADCA “likely violates the First Amendment” on the basis that the law is poorly tailored to the State’s goal of protecting children’s well being. Now that most of the injunction has been vacated, and the July 1 effective date has come and gone, the portions of the law that are no longer enjoined are technically in effect and enforceable…now. This means that online products and services likely to be accessed by children under the age of 18 are technically now required to either estimate the age of users with a “reasonable level of certainty” or apply child-appropriate protections (including applying the highest level of privacy settings as a default) for all users, among other requirements. The scope of CAADCA is much broader than other federal and state childrens’ privacy laws, so many websites and services that have never had to consider children’s privacy protections may suddenly find themselves thrown into the fire. The question remains, however, whether the law will actually be enforced in the near term, particularly considering that the case is still pending, and the specific content of the law (e.g., which pieces are and aren’t severable from the portions of the law that are still enjoined) must still be decided by the District Court.

EUROPE

NOYB Takes Action Against X For Use of AI Training Data Without Consent

Advocacy group noyb announced August 12 its filing of complaints against X in nine EEA jurisdictions based on allegations that X has been using the personal data of its users to train its AI technologies (like Grok) since July 5, 2024 without consent or another legal basis for processing under GDPR. Noyb is seeking an urgency decision to stop the processing without consent, a full investigation of the matter, and a prohibition on future use of personal data for machine learning or artificial intelligence models without opt-in consent from data subjects.

MOUNTING PRESSURE

Noyb’s filings come shortly after (and acknowledge) the Irish Data Protection Commission’s (DPC’s) August 8 announcement that X had agreed to suspend its processing of certain personal data for the purpose of training its AI Grok while the DPC and its EU/EEA peers examine whether the processing complies with the GDPR. Complaints against X’s processing of personal data for AI training have been filed with the DPC by other advocacy groups as well, including a complaint filed August 5 on behalf of Euroconsumers and Altroconsumo.

GDPR requires that companies obtain freely given consent in order to collect or use consumer data. Learn more about how Sourcepoint can help with GDPR compliance.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.