
California Age-Appropriate Design Code (CAADC): What U.S. Businesses Need to Know

Published
May 14, 2026

California's Age-Appropriate Design Code Act imposes privacy-by-default, data minimization, and dark pattern restrictions on businesses serving minors online. Courts have blocked enforcement, but parallel federal and state obligations are active now, and the regulatory direction is clear. Here’s what businesses need to know.

  • The CAADC (AB 2273) was signed into law in September 2022 and was set to take effect July 1, 2024. Court injunctions have continuously blocked enforcement since September 2023.
  • The Ninth Circuit's March 2026 ruling upheld injunctions against five of six challenged provisions. One — a restriction on collecting and sharing minors' geolocation data — was allowed to stand.
  • The law applies to any business that meets the CCPA's definition of a "business" and offers an online service "likely to be accessed by children", not just platforms that target minors.
  • Core requirements include privacy-by-default settings, data minimization, restrictions on profiling minors, a prohibition on dark patterns, and pre-launch Data Protection Impact Assessments (DPIAs).
  • Civil penalties reach USD 2,500 per affected child per negligent violation and USD 7,500 per affected child per intentional violation, with no cap per incident.
  • Even with the CAADC blocked, COPPA and CCPA/CPRA obligations governing children's data are actively enforced. The April 22, 2026, deadline for COPPA rule compliance is the most immediate pressure point.

California's Age-Appropriate Design Code Act is one of the most ambitious children's data privacy laws ever passed in the U.S. Signed in 2022 and modeled on the UK's Children's Code, it sets design-level requirements — not just consent checkboxes — for any online service that minors are likely to use.

Courts have blocked enforcement since before its July 2024 effective date, and the Ninth Circuit's March 2026 ruling upheld most of those injunctions. But for U.S. businesses, the CAADC is not an abstract risk. The compliance obligations it mirrors are already embedded in federal law and active California enforcement — and the states are moving fast.

This guide explains what the CAADC requires, where litigation stands, what obligations apply right now, and how to build a defensible data practices posture before the legal landscape settles.

CAADC: What Is the California Age-Appropriate Design Code Act?

The California Age-Appropriate Design Code Act (AB 2273) was signed into law in September 2022. Modeled on the UK's Age Appropriate Design Code, which itself was issued under the UK GDPR's Article 25 data protection by design framework, it was intended as the first GDPR-influenced children's privacy statute in U.S. state law.

The law applies to any business meeting the CCPA definition of "business" that develops or provides an online service, product, or feature "likely to be accessed by children" (defined as any user under 18). 

Enforcement authority rests with the California Attorney General rather than CalPrivacy. The AG must offer businesses in substantial compliance a 90-day cure window before initiating formal action, though accrued penalties are not capped by that period. There is no private right of action.

The law has not yet taken effect. Courts blocked enforcement before its July 2024 effective date, and in March 2026 the Ninth Circuit upheld most of those injunctions, finding that the law's data protection impact assessment requirements likely compel protected speech under the First Amendment. 

The court declined to extend the injunction to the provision prohibiting collection of minors' precise geolocation data, remanding that issue for further consideration.

The CAADC remains unresolved, but the broader compliance landscape for businesses handling children's data is not static. Other state laws are already in force, federal pressure is building, and California has signaled it will pursue minors' data protection regardless of this litigation's outcome.

Who Is Included Under the CAADC?

"Likely to be accessed by children" reaches considerably further than it might appear. A business does not need to market to minors, target them, or even know they are present. Under the CAADC, a service is presumed to be within scope if any of the following apply:

  • Subject matter that appeals to children
  • Music, games, or animated content children commonly engage with
  • Celebrities or influencers with large audiences under 18
  • Language or reading level consistent with a younger audience
  • Advertisements directed at children

That definition includes a wide range of general-audience platforms: social media, video streaming, online gaming, music services, connected devices, e-commerce, and more. If minors plausibly could and do access a service, the CAADC applies.

For U.S. businesses accustomed to COPPA's narrower "directed to children" standard, the CAADC's audience-based trigger is a significant expansion. Courts have found that this content-based coverage definition is itself constitutionally problematic. It requires evaluating the nature of a service to determine if it appeals to children, which triggers First Amendment scrutiny.

CAADC Obligations

The CAADC's obligations span product design, data handling, and pre-launch assessment. Most provisions remain enjoined, but understanding them is essential: they define the compliance standard California intends to impose, and several are already reflected in active federal and state requirements.

The CAADC and Privacy by Default

Covered businesses must configure default privacy settings at the highest level available unless they can demonstrate a compelling reason that a different default serves children's best interests. This is more similar to the opt-in consent model in Europe and elsewhere, and inverts how most U.S. platforms are built today. Under current U.S. privacy law, data collection is typically on by default and users must actively opt out.

The CAADC's privacy-by-default requirement is not limited to children's profiles or accounts. It applies to any user on a covered service, because the business cannot confirm user age without additional steps. In practice, that means the default configuration must protect all users as if they could be minors.

The CAADC Requires Data Minimization

Businesses may only collect, sell, share, retain, or use a child's personal information to the extent reasonably necessary to provide the service the child is actively using. Data minimization under the CAADC means data collected for one purpose cannot be repurposed. This is a direct challenge to the behavioral advertising model that drives revenue for most ad-supported platforms.

The CAADC Restricts Profiling and Targeted Content

The CAADC prohibits using a child's personal information to serve content or advertising that is not in the child's best interests. Profiling minors — building behavioral or interest models from their data — is restricted unless the business can affirmatively demonstrate it is necessary for the service and serves the child's interest.

This restriction directly affects ad-tech and marketing automation stacks. Businesses that use third-party pixels, programmatic advertising networks, or behavioral retargeting tools on general-audience properties should understand that those tools would be in scope under the CAADC.

The CAADC Prohibits Dark Patterns

The CAADC prohibits dark patterns, which are design techniques that manipulate users into behaviors that serve the platform's interests rather than their own. Prohibited patterns include:

  • Leading or encouraging children to provide more personal information than necessary
  • Design choices that steer children away from privacy-protective options
  • Engagement-maximizing features designed to extend session time, including infinite scroll, autoplay, streak mechanics, and push notification systems calibrated to create compulsive use

This provision was enjoined only on grounds of vagueness. Courts have not held that restricting manipulative design is unconstitutional in principle. That makes it one of the most legally durable elements of the CAADC, and its prohibition mirrors active CCPA enforcement priorities.

The CAADC Requires Data Protection Impact Assessments

Before launching any new online service, product, or feature likely to be accessed by children, covered businesses must complete a Data Protection Impact Assessment (DPIA). Existing services had to complete assessments by July 1, 2024.

DPIAs must evaluate risks to children across eight categories, including exposure to harmful content, contact risks, behavioral tracking, and data collection and retention practices. The assessment must also describe steps the business has taken and will take to protect children's interests.

The Ninth Circuit found the DPIA requirement likely unconstitutional, holding that it compels businesses to "opine on potential harm to children" and function as de facto content editors for the state, which is a First Amendment violation. It is the provision most likely to require significant redrafting before any version of it can be enforced.

The CAADC Requires Age Estimation

The CAADC requires businesses to implement age estimation for users or to treat all users as minors by default. The Ninth Circuit reversed the district court's finding that this provision is facially unconstitutional, leaving open the possibility that it could take effect in some form as the litigation proceeds.

Penalties for CAADC Violations

Violations carry civil penalties of USD 2,500 per affected child for each negligent violation and USD 7,500 per affected child for each intentional violation. There is no per-incident cap. For a platform with significant minor usage, a single non-compliant feature, such as an opt-out flow that qualifies as a dark pattern, could generate exposure across every affected user.

The State of Litigation

NetChoice, a trade association whose members include Google, Meta, Amazon, and TikTok, filed suit against California Attorney General Rob Bonta in December 2022, challenging the law on constitutional grounds.

Enforcement was blocked in September 2023 when a federal district court found that the CAADC's requirement for businesses to assess and mitigate potential harm to children compelled speech in violation of the First Amendment. California has appealed at every stage.

The Ninth Circuit's most recent ruling, issued March 12, 2026, is the most detailed yet. Of the six challenged provisions, five remain blocked (enjoined) pending further proceedings. The court reversed the lower court on two points — the coverage definition and the age estimation requirement — finding neither unconstitutional on its face.

One provision survived outright: restrictions on collecting, using, selling, and disclosing minors' geolocation data. The data protection and dark patterns provisions remain blocked, but on vagueness grounds rather than First Amendment grounds. This is a meaningful distinction, as it signals that redrafted versions of those provisions could survive constitutional review.

Four states have now enacted age-appropriate design codes that are either already in effect or taking effect in 2026 and 2027: Maryland (effective October 1, 2024), Nebraska (effective January 1, 2026, with civil penalty enforcement beginning July 1, 2026), South Carolina (effective February 2026), and Vermont (effective January 1, 2027). 

NetChoice has already challenged the Maryland and South Carolina laws, and further litigation is anticipated. Businesses operating across multiple states should track these laws individually — effective dates, enforcement timelines, and substantive requirements differ significantly.

What's Currently in Force: Federal and State Obligations That Apply Today

The CAADC's injunction does not freeze the broader children's data compliance landscape. Federal law is actively enforced, California's existing privacy framework applies to minors' data right now, and several state design codes are either already in effect or taking effect this year.

For U.S. businesses, the near-term compliance question is not whether the CAADC will eventually be enforced; it is whether current obligations under COPPA and the CCPA/CPRA are being met. The April 22, 2026, COPPA compliance deadline makes this particularly timely.

COPPA and the 2025 Rule Updates

The federal Children's Online Privacy Protection Act requires operators of websites and online services directed to children under 13, or general-audience services with actual knowledge of users under 13, to obtain verifiable parental consent before collecting personal information.

COPPA was last significantly updated in 2013; however, the Federal Trade Commission finalized substantial amendments that took effect on June 23, 2025, with a compliance deadline of April 22, 2026. These are the first updates to the rule in over a decade and reflect how fundamentally children's online activity has changed.

Key changes include:

  • A requirement for separate, specific parental opt-in consent before children's data is disclosed to third parties for targeted advertising (consent cannot be bundled into a general data collection agreement).
  • New data retention limits: Operators may not retain children's personal information longer than reasonably necessary for the purpose it was collected.
  • Expanded definitions of personal information to include biometric identifiers.
  • New written information security and data retention policy requirements.
  • Increased transparency obligations for FTC-approved COPPA safe harbor programs.

A separate legislative proposal, the Children and Teens' Online Privacy Protection Act (COPPA 2.0), passed the U.S. Senate by unanimous consent in March 2026. The bill would extend COPPA's protections to teenagers under 17 and ban targeted advertising directed at minors. As of early April 2026, it awaits action in the House.

How Does COPPA Relate to the CAADC?

COPPA and the CAADC address different problems and operate at different levels. COPPA sets the federal floor: parental consent before collecting data from children under 13, for services directed at that age group or with actual knowledge of underage users.

The CAADC was designed to go considerably further, extending protections to all users under 18, applying to general-audience services children are likely to use regardless of operator intent, and imposing design-level obligations (privacy by default, no dark patterns, impact assessments) that COPPA does not address. 

Where COPPA asks whether a business obtained consent, the CAADC asks whether the product was built with children's interests in mind. Businesses that satisfy COPPA are not necessarily in compliance with the CAADC, and the gap between the two frameworks is where most of the CAADC's obligations live.

Provisions Under the CCPA/CPRA for Children's Data

California's existing consumer privacy laws already impose heightened requirements for data about minors. Businesses cannot sell or share the personal information of consumers under 16 without affirmative authorization, requiring opt-in consent from the consumer if they are 13 to 15 years old, and parental consent if under 13.

CalPrivacy has identified children's data as an enforcement priority for 2026 and beyond. The Consortium of Privacy Regulators, which now includes eight state regulators in addition to CalPrivacy and the California AG, lists children's data among its shared enforcement priorities, meaning a violation in California may draw coordinated scrutiny from multiple states.

The PlayOn Sports enforcement action in March 2026, in which CalPrivacy imposed a USD 1.1 million penalty against a youth sports platform for CCPA opt-out failures, illustrates the enforcement posture. 

Notably, CalPrivacy's investigation was opened in 2024 and proceeded to a settlement even after PlayOn had already remediated some of the issues. Subsequent remediation does not extinguish liability for prior violations.

Consent banner design has direct legal consequences for businesses serving California users who may be minors. Pre-ticked boxes, confusing opt-out flows, missing opt-out mechanisms, and language that obscures user rights are already actionable under the CCPA, and CalPrivacy has made consent interface compliance a stated enforcement focus.

CalPrivacy uses automated scanning to identify non-compliant consent interfaces on public-facing websites. Its Audits Division opens investigations proactively, without requiring a consumer complaint. Businesses that redirect consumers to third-party opt-out tools, rather than providing their own direct mechanism, have been cited for that practice, as PlayOn Sports' settlement made explicit.

What’s Next for U.S. Businesses with the CAADC?

The CAADC's injunction is not an invitation to pause. The regulatory direction across federal law, California enforcement, and state legislatures is consistent and accelerating. Businesses that build defensible children's data practices now are better protected across every layer of the compliance landscape (and as consumer expectations rise).

Proactive investment in consent infrastructure and data hygiene also reduces litigation exposure. California's opt-out right for minors and COPPA's parental consent requirements are already enforceable claims. Documented, consent-grounded data practices are the most direct mitigation against enforcement action and reputational risk.

Map Exposure to Minor Users

The starting point is understanding whether minors access your services and through what pathways. This is not always obvious: a general-audience platform may have substantial under-18 usage without having marketed to that demographic. Age estimation requirements under the CAADC and potentially under COPPA 2.0 will eventually require businesses to have an answer.

A data audit that identifies where children's data may enter your systems is the foundation. Relevant inputs include registration flows, browsing behavior, purchase history, device signals, and third-party data sources that may carry inferences about user age.

Privacy by default is where children's data regulation is heading, and it is already the standard for minor users under the CCPA. Reviewing your consent banner and data collection defaults to confirm that privacy-protective settings are the default, rather than requiring users to opt out, reduces exposure under current California law and positions your business for the CAADC's requirements if enforcement resumes.

CalPrivacy's automated scanning means your public-facing consent interface is subject to ongoing regulatory scrutiny, not just complaint-triggered review. A non-compliant banner is a standing risk, not a conditional one.

Audit to Check for Dark Patterns

Dark pattern restrictions are among the most durable elements of the CAADC. The Ninth Circuit enjoined them only on vagueness grounds; courts have not ruled that prohibiting manipulative design is unconstitutional. When the CAADC is eventually redrafted, tighter definitions of prohibited patterns will almost certainly be retained.

The same restrictions already apply under CCPA enforcement guidance. Reviewing consent interfaces and UX flows against dark pattern criteria is a compliance obligation under existing law, not a prospective one.

Work Toward DPIA Readiness

Even if the CAADC's DPIA requirement is redrafted before it takes effect, Data Protection Impact Assessments are embedded in CPRA's risk assessment framework and are in force for high-risk processing activities. 

Businesses operating at scale, with significant data processing, third-party integrations, or advertising-based business models, should be running these assessments under current California obligations.

Developing internal assessment processes now creates a reusable compliance asset. It positions you for the CAADC's eventual requirements, satisfies existing CPRA obligations, and demonstrates the kind of documented due diligence that regulators and courts weigh in enforcement proceedings.

Monitor Developments at the State Level

The CAADC cannot be enforced while injunctions remain in place, but it is not inactive litigation. California has appealed at every stage and has not withdrawn the law. 

More practically, the Ninth Circuit's March 2026 ruling identified provisions that could survive constitutional redrafting. Design codes with narrower scope have already been enacted in Maryland, Nebraska, Vermont, and South Carolina, with enforcement timelines beginning as early as 2026.

NetChoice has already challenged the Maryland and South Carolina laws, and further litigation is anticipated. Businesses operating across multiple states should track these laws individually as effective dates, enforcement timelines, and substantive requirements differ.

How Cookiebot Supports CAADC Compliance Readiness

The CAADC's core requirements — avoiding dark patterns, limiting data collection to what's necessary, and building privacy-protective defaults — are not unique to California. They reflect the principles that now underpin federal COPPA enforcement, active CCPA requirements for minor users, and design codes advancing in Maryland, Nebraska, Vermont, and South Carolina.

For U.S. businesses, consent management is the operational layer where those requirements become visible. The choices users see when they first arrive on your site, the data flows triggered by those choices, and the consent record created for every interaction — these are where CCPA compliance already lives and where the CAADC's requirements would be centered.

Cookiebot™ provides the consent infrastructure U.S. businesses need to meet those requirements:

  • Configurable consent banners built to California and multi-state requirements
  • Consent logs that create an audit-ready record for every user interaction
  • Signal integration that carries consent decisions consistently across your data stack and advertising platforms

For businesses that serve audiences including minors, demonstrating documented, consent-grounded data practices is no longer optional. It is an active enforcement target.


Frequently asked questions

No, as the Ninth Circuit's most recent ruling, issued March 12, 2026, upheld injunctions against five of six challenged provisions, finding them likely unconstitutional under the First Amendment.

One provision — prohibiting the collection and sharing of minors' precise geolocation data — was not enjoined and may take effect following further district court proceedings. The remaining provisions, including privacy by default, data minimization, dark patterns, and DPIAs, remain blocked.

The CAADC has not been repealed and California continues to appeal. Its ultimate enforcement status will depend on whether California redrafts the challenged provisions to address the constitutional issues courts identified.

Potentially yes. The CAADC applies to any business that meets the CCPA's definition of a "business", which is based on revenue, data volume, or data-sale thresholds, not physical location, and that provides an online service likely to be accessed by children. A business headquartered outside California that serves California users, maintains California-resident data, or meets the CCPA revenue thresholds could be in scope.

COPPA is a federal law that applies to online services directed to children under 13, or general-audience services with actual knowledge of users under 13. It requires verifiable parental consent before collecting personal information from those users.

The CAADC extends to all users under 18, applies to any general-audience service children are likely to access (not just services directed at them), and imposes design-level requirements — privacy by default, no dark patterns, impact assessments — that go well beyond COPPA's consent requirements. The two laws overlap for users under 13 but address distinct populations and obligations.

The CCPA/CPRA is a general consumer privacy law giving all California residents rights over their personal data: to know, delete, correct, and opt out of its sale or sharing. The CAADC is a design-focused law applying specifically to online services likely to be accessed by minors under 18.

Where the CCPA/CPRA governs what businesses do with data after collection, the CAADC governs how products are built, requiring privacy-protective defaults, prohibiting dark patterns, and mandating impact assessments. A business can be subject to both simultaneously.

The California Attorney General can seek civil penalties of USD 2,500 per affected child per negligent violation and USD 7,500 per affected child per intentional violation. There is no per-incident cap. The AG must provide businesses in substantial compliance a 90-day cure period before initiating action. There is no private right of action under the CAADC.

A DPIA is a pre-launch assessment covered businesses would have to complete before offering any online service, product, or feature accessible to children. It must evaluate risks to minors across eight categories, including harmful content exposure, contact risks, behavioral tracking, and data collection practices, and document the steps the business will take to address them.

The DPIA requirement has been found likely unconstitutional by both the district court and the Ninth Circuit on First Amendment grounds. Existing services would have had to complete DPIAs by July 1, 2024.

Yes, since California has appealed at every stage and has not abandoned the law. The Ninth Circuit's March 2026 ruling found several provisions, particularly geolocation data limits and potentially the coverage definition, constitutionally sound. The California legislature could amend the law to address the vagueness and compelled-speech issues courts identified.

More immediately: the CAADC's design principles are reflected in laws already in force. COPPA, the CCPA/CPRA's minors' data provisions, and design codes in Maryland, Nebraska, Vermont, and South Carolina impose real obligations today. Businesses that build to the CAADC's standard are, in most respects, building to the standard those laws require.

Yes, though some also face legal challenges:

  • Maryland's Age-Appropriate Design Code Act took effect October 1, 2024, and faces a constitutional challenge from NetChoice that is proceeding on the merits
  • Nebraska's law took effect January 1, 2026, with civil penalty enforcement beginning July 1, 2026
  • Vermont's law was signed in June 2025 and takes effect January 1, 2027
  • South Carolina's law was signed February 5, 2026, and took effect immediately

All four laws are narrower than California's, and each was drafted with the CAADC's constitutional problems in mind, but they differ significantly from each other in scope, applicability thresholds, and enforcement mechanisms.