Is the California Age-Appropriate Design Code currently in force or blocked?

The California Age-Appropriate Design Code is in a mixed state — partially enjoined and partially live — rather than cleanly in force or fully blocked, because the NetChoice v. Bonta litigation has proceeded provision by provision rather than resolving the law as a whole, and the most accurate answer is that its enforceable scope is unsettled and should be confirmed against current court sources. The law was enacted as AB 2273 in 2022, and NetChoice, a technology trade association, challenged it on First Amendment grounds almost immediately. A federal district court initially issued a broad injunction blocking the law, finding NetChoice likely to succeed on significant parts of its challenge. On appeal, the Ninth Circuit did not simply affirm or reverse that injunction wholesale; it engaged with the law's provisions individually. In 2024 the court addressed the Data Protection Impact Assessment requirement and concluded that compelling businesses to assess whether their content could harm children likely violated the First Amendment as compelled speech, and that portion of the injunction was affirmed. In a further ruling in 2026, according to law-firm and industry reporting on the decision, the Ninth Circuit issued a split outcome that narrowed the broader injunction: it held that NetChoice had not met the demanding standard for facial First Amendment relief as to the law's coverage definition and its age-estimation provision, while agreeing that certain provisions — including challenged data-use restrictions and the dark-patterns prohibition — raised vagueness or speech concerns, and it returned the case to the district court for further proceedings on issues such as age estimation and severability. The consequence is that some provisions remain enjoined, the broad injunction has been narrowed, and the precise set of currently enforceable obligations is being worked out in ongoing proceedings. For a business, this means you cannot rely on a simple binary; you must check the current posture of specific provisions before treating any of them as enforceable or as safely ignorable. It also means the safest planning approach is to build to the durable direction the law represents — data minimization for minors, high-privacy defaults, avoidance of manipulative design — because that direction is reinforced by other laws that are firmly in force regardless of the AADC's litigation outcome. To track the case and confirm enforceable scope, use the Policy Change Tracker , and ground the broader US framework with the United States advertising compliance guide . The organizing principle is that the AADC is partially enjoined and still litigated, so its status is mixed and provision-specific, and current court sources should be checked before relying on any part.

Why did the courts find the DPIA requirement constitutionally problematic?

The courts found the California AADC's Data Protection Impact Assessment requirement constitutionally problematic because it would compel businesses to assess and opine on whether their service's design and content could harm children, and the Ninth Circuit concluded in 2024 that this likely amounts to compelled speech that presses private companies into judging and policing lawful content — a serious First Amendment concern. To understand the reasoning, start with what the DPIA requirement actually demanded. Under the AADC, covered businesses would have to complete data protection impact assessments that, among other things, evaluate whether the design of their online service could harm children, including by exposing them to harmful or potentially harmful content. On its face this resembles a routine privacy-assessment obligation, but the court focused on the content-harm dimension. Requiring a business to formally assess whether content could harm children, and to act on that assessment, effectively conscripts the business into making judgments about the harmfulness of lawful expression and adjusting its service accordingly. The First Amendment is skeptical of government requirements that compel private parties to speak — including to generate government-favored assessments of content — and of schemes that deputize private companies to restrict or judge lawful speech. The court viewed the DPIA mandate as having both qualities: it compelled the creation of assessments about content harm, and it pushed companies toward acting as gatekeepers of lawful content based on those assessments. That combination is what made the requirement constitutionally fragile, and it is why the DPIA provision has been among the most durable parts of the injunction against the law. The broader lesson, which extends well beyond the AADC, is that US online-safety laws which require companies to evaluate and mitigate the harmfulness of content face a steeper constitutional climb than laws that regulate data handling in a content-neutral way. A rule that says 'collect less data from children' or 'default minors to private settings' operates on data practices and is more readily defensible; a rule that says 'assess whether your content could harm children and change your service accordingly' operates on speech and invites compelled-speech and censorship objections. For businesses, the practical implication is that the data-minimization and default-setting elements of the children's-privacy direction are the safer foundation to build on, while content-harm assessment obligations remain legally uncertain in the US. For the contrasting EU approach to systemic-risk assessment, see the European Union DSA compliance guide , and audit your own data practices with the AI Compliance Audit . The organizing principle is that the DPIA requirement compelled content-harm judgments and thus implicated speech, which is why it drew First Amendment scrutiny where pure data rules would not.

What parts of the AADC's direction still matter for advertisers even if provisions are enjoined?

Even where specific AADC provisions are enjoined, the law's underlying direction still matters for advertisers because that direction — data minimization for minors, high-privacy defaults, avoidance of manipulative design, and limits on targeted advertising to minors — is reinforced by other laws that are firmly in force, so building to it is prudent regardless of how the AADC litigation resolves. The mistake advertisers make is to read 'this provision is enjoined' as 'this concern has gone away,' when in fact the children's-protection direction is converging across multiple legal instruments. Consider data minimization. The AADC pushes services to collect and use less data from children, and that same principle is now embedded in the amended federal COPPA Rule — which limits retention and tightens consent for children's data — and in numerous state comprehensive privacy laws that restrict processing of minors' data and targeted advertising to them. So even if the AADC's specific data-use restrictions are contested, an advertiser that minimizes minors' data is aligned with COPPA and state law that are in force. Consider high-privacy defaults. Defaulting minors to the most protective settings rather than requiring them to opt out is a pattern regulators consistently favor, and several state laws restrict targeted advertising and profiling for minors by default. Consider manipulative design. Dark-patterns prohibitions — bans on design that manipulates users into choices against their interests — appear across state privacy laws and FTC consumer-protection enforcement, so avoiding manipulative design aimed at minors is sound practice independent of the AADC's dark-patterns provision. And consider targeted advertising to minors specifically: restrictions on profiling-based advertising to children and teens are a recurring feature of the broader landscape, from COPPA's unbundled consent for third-party targeted advertising to state-law prohibitions on targeting known minors. The throughline is that the AADC is one expression of a direction that many in-force laws share, so the safe compliance posture is to build to the direction — minimize minors' data, default to privacy, strip manipulative design, and avoid profiling-based targeting of minors — rather than to wait for the AADC's enforceable scope to be finalized and risk being caught flat-footed by the laws that are already enforceable. For the federal piece, see the COPPA amendments guide , and for the state minors wave see the state age-verification guide . To map your exposure across these overlapping regimes, use the Legal Compliance Scan . The organizing principle is that the AADC's direction is reinforced by in-force laws, so advertisers should build to that direction regardless of which AADC provisions survive.

What does 'likely to be accessed by children' mean, and which services does it cover?

'Likely to be accessed by children' is the AADC's threshold concept, and it is broader than the federal COPPA standard because it reaches services that children are likely to use even if those services are not specifically directed at children and even if the operator lacks actual knowledge of a particular child user — which is why it sweeps in many general-audience services and is also part of why the standard has been contested. Under COPPA, the federal children's-privacy law, coverage generally turns on whether a service is directed to children under 13 or whether the operator has actual knowledge it is collecting data from a child under 13. The AADC uses a different and broader trigger: it applies to businesses offering online services, products or features that are likely to be accessed by children, with children defined to include minors under 18 rather than only under 13. The 'likely to be accessed' framing is designed to capture the reality that children use many services that are not formally aimed at them — general social platforms, video sites, games and apps with broad appeal — so a service need not market itself to children to fall within scope; it need only be the kind of service children are likely to use. This breadth is significant for advertisers because it means the AADC's protective obligations would attach to a much wider range of services than COPPA, and it extends those protections to teenagers, a group that the under-13 federal regime largely does not cover. It is also part of the constitutional and practical controversy: a broad, somewhat open-ended coverage definition raises questions about how a business determines whether its service is 'likely' to be accessed by children, and how it then identifies which users are minors without itself collecting more data or imposing age verification — tensions that have featured in the litigation, including around the age-estimation provision. For a business assessing its own exposure, the practical approach is to evaluate honestly whether children and teens are likely among its users based on the nature, content and audience of the service, rather than relying on a formal 'not directed to children' label. If the answer is that minors are likely users, the prudent posture is to apply the durable protections — data minimization, high-privacy defaults, avoidance of manipulative design, and limits on targeting minors — because those align with the broader in-force legal direction even as the AADC's specific enforceability is worked out. To assess which of your services may be in scope and to map the overlapping obligations, use the Legal Compliance Scan , and define terms with the compliance glossary . The organizing principle is that 'likely to be accessed by children' is a broad, under-18 trigger that reaches many general-audience services, so advertisers should assess realistic minor usage rather than rely on a not-directed-to-children label.

How should advertisers prepare for a law that is still being litigated?

Advertisers should prepare for the California AADC the way they should approach any partially enjoined, still-litigated law: build to the durable direction the law represents, which is reinforced by other in-force laws, while actively monitoring the litigation so you can adjust to the specific provisions as their enforceability is settled — rather than either ignoring the law until it is final or over-committing to contested provisions that may not survive. The temptation with a law in flux is to do nothing until the courts produce a final answer, but that is risky for two reasons. First, the AADC's enforceable scope is being decided piece by piece, so there may be no single clean 'final' moment, and provisions can become enforceable while you wait. Second, and more importantly, the core protections the AADC embodies — data minimization for minors, high-privacy defaults, avoidance of manipulative design, and limits on targeted advertising to minors — are not unique to the AADC; they are reinforced by the amended federal COPPA Rule and by state comprehensive privacy laws that are already in force, so a business that waits for the AADC is still exposed under laws that do not depend on it. The disciplined preparation sequence is therefore: first, identify which of your services are likely to be accessed by children, using a realistic assessment of your audience rather than a formal label; second, minimize the data you collect from minors and restrict its use to what is necessary, which aligns with COPPA and state law; third, default likely-minor users to the most protective privacy settings; fourth, audit your service for dark patterns aimed at minors and remove them; fifth, avoid profiling-based targeted advertising to minors; and sixth, monitor the NetChoice v. Bonta litigation and confirm the enforceable status of specific provisions against official court sources before treating any single provision as binding or as safely ignorable. This approach captures the benefit of compliance — alignment with the converging legal direction and reduced exposure under in-force laws — without betting on the outcome of contested provisions. It also positions you to respond quickly as the litigation clarifies which obligations are enforceable, because you will already have built the durable foundation and will only need to layer on provision-specific requirements as they firm up. To audit your data practices use the AI Compliance Audit , to map multi-regime exposure use the Legal Compliance Scan , and to monitor the case use the Policy Change Tracker . The organizing principle is to build to the durable, reinforced direction now and monitor the litigation for provision-specific changes, rather than waiting for a final resolution that may never arrive cleanly.

California AADC 2026: NetChoice Ruling and DPIA Status

Quick Answer

The California Age-Appropriate Design Code Act, enacted as AB 2273 in 2022, is a children's online-safety law that requires online services likely to be accessed by children to prioritize their privacy and well-being by design, and it has been the subject of a long-running First Amendment challenge by the trade association NetChoice. The litigation, NetChoice v. Bonta, has narrowed the law rather than settling it cleanly. In 2024 the US Court of Appeals for the Ninth Circuit addressed the law's Data Protection Impact Assessment requirement and concluded that compelling businesses to produce DPIAs assessing whether their content could harm children likely violated the First Amendment as compelled speech, and that part of the injunction was affirmed. In a further ruling in 2026, according to law-firm and industry reporting on the decision, the Ninth Circuit issued a split outcome that narrowed the broader injunction: it held that NetChoice had not met the demanding standard for facial First Amendment relief as to the act's coverage definition and its age-estimation provision, while agreeing that certain provisions, including challenged data-use restrictions and the dark-patterns prohibition, raised vagueness and speech concerns, and it returned the case to the district court for further proceedings on issues such as age estimation and severability. The net effect is that the AADC is partially enjoined and partially live, its precise enforceable scope is unsettled, and its status should be confirmed against current official and court sources before relying on any single provision. What is durable for advertisers is the direction: data minimization for minors, high-privacy defaults, and scrutiny of manipulative design. Map exposure with the Legal Compliance Scan, audit data practices with the AI Compliance Audit, and track the case on the Policy Change Tracker.

California Age-Appropriate Design Code in 2026: The NetChoice Ruling, DPIAs and What Survives for Advertisers

What the California AADC Is

The California Age-Appropriate Design Code Act, passed as Assembly Bill 2273 in 2022, requires businesses that provide online services, products or features likely to be accessed by children to design those experiences with children's privacy and well-being as a priority. Modeled in spirit on the United Kingdom's Children's Code, it pushes services toward high-privacy defaults for minors, data minimization, and the avoidance of design that could harm or manipulate children.

For advertisers, the AADC matters because it targets the data practices and design patterns that underpin much of how younger audiences are monetized — extensive data collection, default settings tuned for engagement, and persuasive design. Even in its contested, partially enjoined state, it signals a regulatory direction that advertisers cannot ignore.

"The Age-Appropriate Design Code is not a single rule that stands or falls as a whole. The courts have been disassembling it provision by provision, and what survives is what advertisers must actually plan around.
— AuditSocials analysis of the California AADC litigation"

This guide explains the law, the NetChoice challenge, what the 2026 ruling changed, the DPIA problem, and what advertisers should do amid the uncertainty. Ground the US picture with the United States advertising compliance guide, and for the state-law minors wave see the state age-verification guide.

The NetChoice v. Bonta Challenge

The AADC has never had a clean run at enforcement because the trade association NetChoice challenged it on First Amendment grounds almost immediately, and the courts have engaged seriously with those arguments.

The Shape of the Dispute

The core claim: NetChoice argued that the AADC regulates protected speech and compels businesses to act as arbiters of what content could harm children, raising First Amendment problems.
Early injunction: A federal district court initially enjoined the law, finding NetChoice likely to succeed on significant parts of its challenge.
Appellate engagement: The Ninth Circuit took up the appeal and, rather than ruling the whole law in or out, examined its provisions separately — a pattern that has defined the case.

This provision-by-provision approach is why the AADC's status is genuinely mixed rather than simply "blocked" or "in force." For the parallel NetChoice litigation strategy across state minor-safety laws, see the state age-verification guide, and define terms with the compliance glossary.

What the 2026 Ruling Changed

According to law-firm and industry reporting on the decision, the Ninth Circuit issued a further ruling in 2026 that narrowed the injunction against the AADC and reframed which provisions remain blocked, producing a genuinely split result.

The Split Outcome

Facial relief narrowed: The court held that NetChoice had not met the demanding standard for facial First Amendment relief as to the act's coverage definition and its age-estimation provision, meaning the broad injunction was too sweeping.
Some provisions still suspect: The court agreed that certain provisions — including challenged data-use restrictions and the dark-patterns prohibition — raised vagueness or speech concerns.
Remand: The case was returned to the district court for further proceedings on issues such as the age-estimation requirement and severability — that is, which parts can stand independently.

Provision Status at a Glance

Provision	Judicial posture (per reporting on the rulings)
Data Protection Impact Assessment (DPIA)	Enjoined as likely compelled speech
Coverage definition	Facial relief not met; injunction narrowed
Age-estimation requirement	Remanded for further proceedings
Data-use restrictions	Raised vagueness or speech concerns
Dark-patterns prohibition	Raised vagueness or speech concerns

The practical takeaway is that the AADC is neither fully enjoined nor fully enforceable; its enforceable scope is being decided piece by piece, and the 2026 ruling moved the line rather than ending the contest. Because court outcomes can be appealed and refined, confirm the current status against official court sources before relying on any provision. Track the case on the Policy Change Tracker.

DPIAs and the Compelled-Speech Problem

The provision that has drawn the clearest judicial skepticism is the Data Protection Impact Assessment requirement, and understanding why illuminates the whole case.

Why the DPIA Requirement Is Vulnerable

The requirement: The AADC would require covered businesses to complete DPIAs assessing, among other things, whether the design of their service could harm children, including exposure to harmful or potentially harmful content.
The constitutional objection: In 2024 the Ninth Circuit concluded that compelling businesses to opine on whether content could harm children likely amounts to compelled speech and effectively presses private companies into judging and policing lawful content, which raises serious First Amendment concerns.
The status: That reasoning supported keeping the DPIA requirement enjoined, and it has been among the most durable parts of the injunction.

The lesson for regulators and businesses alike is that obligations forcing companies to assess and act on the harmfulness of content are constitutionally fragile in the US in a way that pure data-handling rules are not. For the contrast with the EU approach, where impact assessments sit in a different constitutional setting, see the European Union DSA compliance guide.

What Still Matters for Advertisers

Even with parts of the AADC enjoined, advertisers should not treat the law as irrelevant, because the durable direction it represents is reinforced by other laws that are firmly in force.

The Durable Signals

Data minimization for minors: Collecting less data from children and teens, and not using their data for purposes beyond what is necessary, is a direction shared with COPPA's amendments and multiple state privacy laws.
High-privacy defaults: Defaulting minors to the most protective settings, rather than requiring them to opt out, is a pattern regulators consistently favor.
Scrutiny of manipulative design: Dark-patterns prohibitions appear across privacy and consumer-protection law, so avoiding manipulative design for minors is prudent regardless of the AADC's fate.
Targeted-advertising limits: Restrictions on profiling and targeted advertising to minors are a recurring feature of the broader legal landscape.

In other words, the AADC's enforceable scope is uncertain, but the compliance posture it points toward is the safe one to build, because converging laws demand much of the same. For the federal children's-privacy overhaul, see the COPPA amendments guide, and map exposure with the Legal Compliance Scan.

How to Prepare Amid Uncertainty

The right response to a partially enjoined, still-litigated law is not to wait for final resolution but to build to the durable direction while monitoring the specifics.

Preparation Steps

Identify child-likely services: Determine which of your services are likely to be accessed by children, because that is the trigger concept that the broader minors-protection wave shares.
Minimize minors' data: Reduce collection and restrict use of data from minors to what is necessary, aligning with COPPA and state privacy laws that are in force.
Default to high privacy: Set the most protective defaults for users known or likely to be minors.
Remove manipulative design: Audit for dark patterns aimed at minors and remove them.
Limit targeted advertising to minors: Avoid profiling-based targeted advertising to minors, consistent with the converging legal direction.
Monitor the litigation: Track the case's progress and confirm enforceable scope against official sources before relying on any single provision.

Audit data practices with the AI Compliance Audit, and keep watch on developments through the Policy Change Tracker.

California AADC Readiness Checklist

[ ] Services likely to be accessed by children identified
[ ] Data collection from minors minimized to what is necessary
[ ] Use of minors' data restricted to necessary purposes
[ ] Most protective privacy settings defaulted for likely-minor users
[ ] Dark patterns aimed at minors audited and removed
[ ] Profiling-based targeted advertising to minors avoided
[ ] Alignment with COPPA amendments and state privacy laws confirmed
[ ] AADC litigation status monitored for enforceable scope
[ ] Current status confirmed against official court and state sources
[ ] Compliance built to the durable direction rather than to contested provisions alone

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#California AADC#Children's Privacy#NetChoice#Age Assurance#DPIA#Kids & Teens#Data Protection#First Amendment#Advertisers#2026 Policy#United States#Compliance Guide 2026

Share This Report

Tweet Share

California Age-Appropriate Design Code in 2026: The NetChoice Ruling, DPIAs and What Survives for Advertisers

What the California AADC Is

The NetChoice v. Bonta Challenge

The Shape of the Dispute

What the 2026 Ruling Changed

The Split Outcome

Provision Status at a Glance

DPIAs and the Compelled-Speech Problem

Why the DPIA Requirement Is Vulnerable

What Still Matters for Advertisers

The Durable Signals

How to Prepare Amid Uncertainty

Preparation Steps

California AADC Readiness Checklist

Don't miss the next policy change.

Report Keywords — Run AI Compliance Audit

Share This Report

Related Posts

Synthetic Media Enforcement Index Q1 2026 — DSA Transparency Database Findings

Deepfake Political Ads 2026 — Platform-by-Platform Detection, Disclosure & Advertiser Liability

May 2026 Enforcement Digest: Who Got Banned, Fined or Paused Across 8 Platforms

Related Resources

All Tools

Platform Guides

Knowledge Hub

Policy Tracker