{"id":18378,"date":"2026-05-14T12:08:13","date_gmt":"2026-05-14T10:08:13","guid":{"rendered":"https:\/\/www.cookiebot.com\/us\/?p=18378"},"modified":"2026-05-15T10:33:15","modified_gmt":"2026-05-15T08:33:15","slug":"california-age-appropriate-design-code-caadc","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/us\/california-age-appropriate-design-code-caadc\/","title":{"rendered":"California Age-Appropriate Design Code (CAADC): What U.S. Businesses Need to Know"},"content":{"rendered":"\n<p>California's Age-Appropriate Design Code Act imposes privacy-by-default, data minimization, and dark pattern restrictions on businesses serving minors online. Courts have blocked enforcement, but parallel federal and state obligations are active now, and the regulatory direction is clear. Here\u2019s what businesses need to know.<\/p>\n\n\n<div class=\"cb-key-takeaways\">\n    <div class=\"cb-key-takeaways__container\">\n        <h2            class=\"cb-key-takeaways__title cb-key-takeaways__heading-variation like-h3\"\n        >At a Glance<\/h2>\n        <div class=\"cb-key-takeaways__content\">\n            <div class=\"cb-key-takeaways__content__inner\">\n                                <div id=\"cb-key-takeaways-accordion-1\" class=\"cb-accordion-item cb-accordion-item--opened\">\n                    <span class=\"cb-accordion-item__title no-default-margin\">\n                        <button\n                            class=\"cb-accordion-item__button\"\n                            type=\"button\"\n                            id=\"cb-key-takeaways-accordion-1-button\"\n                            aria-expanded=\"true\"\n                            aria-controls=\"cb-key-takeaways-accordion-1-content\"\n                        >Key Takeaways<\/button>\n                    <\/span>\n                    <div\n                        class=\"cb-accordion-item__content\"\n                        id=\"cb-key-takeaways-accordion-1-content\"\n                        aria-labelledby=\"cb-key-takeaways-accordion-1-button\"\n                    >\n                        <div class=\"cb-accordion-item__content__inner\">\n                            \n\n<ul class=\"wp-block-list\">\n<li>The CAADC (AB 2273) was signed into law in September 2022 and was set to take effect July 1, 2024. Court injunctions have continuously blocked enforcement since September 2023.<\/li>\n\n\n\n<li>The Ninth Circuit's March 2026 ruling upheld injunctions against five of six challenged provisions. One \u2014 a restriction on collecting and sharing minors' geolocation data \u2014 was allowed to stand.<\/li>\n\n\n\n<li>The law applies to any business that meets the CCPA's definition of a \"business\" and offers an online service \"likely to be accessed by children\", not just platforms that target minors.<\/li>\n\n\n\n<li>Core requirements include privacy-by-default settings, data minimization, restrictions on profiling minors, a prohibition on dark patterns, and pre-launch Data Protection Impact Assessments (DPIAs).<\/li>\n\n\n\n<li>Civil penalties reach USD 2,500 per affected child per negligent violation and USD 7,500 per affected child per intentional violation, with no cap per incident.<\/li>\n\n\n\n<li>Even with the CAADC blocked, COPPA and CCPA\/CPRA obligations governing children's data are actively enforced. The April 22, 2026, deadline for COPPA rule compliance is the most immediate pressure point.<\/li>\n<\/ul>\n\n                        <\/div>\n                    <\/div>\n                <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<p>California's Age-Appropriate Design Code Act is one of the most ambitious children's data privacy laws ever passed in the U.S. Signed in 2022 and modeled on the UK's Children's Code, it sets design-level requirements \u2014 not just consent checkboxes \u2014 for any online service that minors are likely to use.<\/p>\n\n\n\n<p>Courts have blocked enforcement since before its July 2024 effective date, and the <a href=\"https:\/\/iapp.org\/news\/a\/a-view-from-dc-youth-privacy-in-california-rises-again-kind-of\">Ninth Circuit's March 2026 ruling<\/a> upheld most of those injunctions. But for U.S. businesses, the CAADC is not an abstract risk. The compliance obligations it mirrors are already embedded in federal law and active California enforcement \u2014 and the states are moving fast.<\/p>\n\n\n\n<p>This guide explains what the CAADC requires, where litigation stands, what obligations apply right now, and how to build a defensible data practices posture before the legal landscape settles.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-caadc-what-is-the-california-age-appropriate-design-code-act\">CAADC: What Is the California Age-Appropriate Design Code Act?<\/h2>\n\n\n\n<p>The California Age-Appropriate Design Code Act (<a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=202120220AB2273\">AB 2273<\/a>) was signed into law in September 2022. Modeled on the <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/childrens-information\/childrens-code-guidance-and-resources\/age-appropriate-design-a-code-of-practice-for-online-services\/\">UK's Age Appropriate Design Code<\/a>, which itself was issued under the <a href=\"https:\/\/www.legislation.gov.uk\/eur\/2016\/679\/article\/25\">UK GDPR's Article 25<\/a> data protection by design framework, it was intended as the first GDPR-influenced children's privacy statute in U.S. state law.<\/p>\n\n\n\n<p>The law applies to any business meeting the <a href=\"https:\/\/www.cookiebot.com\/us\/what-is-ccpa\/\">CCPA<\/a> definition of \"business\" that develops or provides an online service, product, or feature \"likely to be accessed by children\" (defined as any user under 18).&nbsp;<\/p>\n\n\n\n<p>Enforcement authority rests with the California Attorney General rather than CalPrivacy. The AG must offer businesses in substantial compliance a 90-day cure window before initiating formal action, though accrued penalties are not capped by that period. There is no private right of action.<\/p>\n\n\n\n<p>The law has not yet taken effect. Courts blocked enforcement before its July 2024 effective date, and in March 2026 the Ninth Circuit upheld most of those injunctions, finding that the law's data protection impact assessment requirements likely compel protected speech under the First Amendment.&nbsp;<\/p>\n\n\n\n<p>The court declined to extend the injunction to the provision prohibiting collection of minors' precise geolocation data, remanding that issue for further consideration.<\/p>\n\n\n\n<p>The CAADC remains unresolved, but the broader compliance landscape for businesses handling children's data is not static. Other state laws are already in force, federal pressure is building, and California has signaled it will pursue minors' data protection regardless of this litigation's outcome.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-is-included-under-the-caadc\">Who Is Included Under the CAADC?<\/h2>\n\n\n\n<p>\"Likely to be accessed by children\" reaches considerably further than it might appear. A business does not need to market to minors, target them, or even know they are present. Under the CAADC, a service is presumed to be within scope if any of the following apply:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline   cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 5\">\n            <div class=\"cb-article-list-timeline__header\">\n                                        <figure class=\"cb-article-list-timeline__header-image\">\n                    <img decoding=\"async\" class=\"cb-article-list-timeline__header-image-element\"\n                         src=\"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2026\/05\/childrens-personal-data.svg?v=d66741e4ece14c66\"\n                         alt=\"\">\n                <\/figure>\n                    <\/div>\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Subject matter that appeals to children<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Music, games, or animated content children commonly engage with<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Celebrities or influencers with large audiences under 18<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Language or reading level consistent with a younger audience<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Advertisements directed at children<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<p>That definition includes a wide range of general-audience platforms: social media, video streaming, online gaming, music services, connected devices, e-commerce, and more. If minors plausibly could and do access a service, the CAADC applies.<\/p>\n\n\n\n<p>For U.S. businesses accustomed to <a href=\"https:\/\/www.cookiebot.com\/us\/coppa-compliance-requirements-checklist\/\">COPPA<\/a>'s narrower \"directed to children\" standard, the CAADC's audience-based trigger is a significant expansion. Courts have found that this content-based coverage definition is itself constitutionally problematic. It requires evaluating the nature of a service to determine if it appeals to children, which triggers First Amendment scrutiny.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-caadc-obligations\">CAADC Obligations<\/h2>\n\n\n\n<p>The CAADC's obligations span product design, data handling, and pre-launch assessment. Most provisions remain enjoined, but understanding them is essential: they define the compliance standard California intends to impose, and several are already reflected in active federal and state requirements.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-caadc-and-privacy-by-default\">The CAADC and Privacy by Default<\/h3>\n\n\n\n<p>Covered businesses must configure default privacy settings at the highest level available unless they can demonstrate a compelling reason that a different default serves children's best interests. This is more similar to the opt-in consent model in Europe and elsewhere, and inverts how most U.S. platforms are built today. Under current U.S. privacy law, data collection is typically on by default and users must actively opt out.<\/p>\n\n\n\n<p>The CAADC's privacy-by-default requirement is not limited to children's profiles or accounts. It applies to any user on a covered service, because the business cannot confirm user age without additional steps. In practice, that means the default configuration must protect all users as if they could be minors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-caadc-requires-data-minimization\">The CAADC Requires Data Minimization<\/h3>\n\n\n\n<p>Businesses may only collect, sell, share, retain, or use a child's personal information to the extent reasonably necessary to provide the service the child is actively using. <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/data-minimization\/\">Data minimization<\/a> under the CAADC means data collected for one purpose cannot be repurposed. This is a direct challenge to the behavioral advertising model that drives revenue for most ad-supported platforms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-caadc-restricts-profiling-and-targeted-content\">The CAADC Restricts Profiling and Targeted Content<\/h3>\n\n\n\n<p>The CAADC prohibits using a child's personal information to serve content or advertising that is not in the child's best interests. Profiling minors \u2014 building behavioral or interest models from their data \u2014 is restricted unless the business can affirmatively demonstrate it is necessary for the service and serves the child's interest.<\/p>\n\n\n\n<p>This restriction directly affects ad-tech and marketing automation stacks. Businesses that use third-party pixels, programmatic advertising networks, or behavioral retargeting tools on general-audience properties should understand that those tools would be in scope under the CAADC.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-caadc-prohibits-dark-patterns\">The CAADC Prohibits Dark Patterns<\/h3>\n\n\n\n<p>The CAADC prohibits <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/dark-patterns-and-how-they-affect-consent\/\">dark patterns<\/a>, which are design techniques that manipulate users into behaviors that serve the platform's interests rather than their own. Prohibited patterns include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Leading or encouraging children to provide more personal information than necessary<\/li>\n\n\n\n<li>Design choices that steer children away from privacy-protective options<\/li>\n\n\n\n<li>Engagement-maximizing features designed to extend session time, including infinite scroll, autoplay, streak mechanics, and push notification systems calibrated to create compulsive use<\/li>\n<\/ul>\n\n\n\n<p>This provision was enjoined only on grounds of vagueness. Courts have not held that restricting manipulative design is unconstitutional in principle. That makes it one of the most legally durable elements of the CAADC, and its prohibition mirrors active CCPA enforcement priorities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-caadc-requires-data-protection-impact-assessments\">The CAADC Requires Data Protection Impact Assessments<\/h3>\n\n\n\n<p>Before launching any new online service, product, or feature likely to be accessed by children, covered businesses must complete a <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/data-protection-impact-assessment-dpia\/\">Data Protection Impact Assessment (DPIA)<\/a>. Existing services had to complete assessments by July 1, 2024.<\/p>\n\n\n\n<p>DPIAs must evaluate risks to children across eight categories, including exposure to harmful content, contact risks, behavioral tracking, and data collection and retention practices. The assessment must also describe steps the business has taken and will take to protect children's interests.<\/p>\n\n\n\n<p>The Ninth Circuit found the DPIA requirement likely unconstitutional, holding that it compels businesses to \"opine on potential harm to children\" and function as de facto content editors for the state, which is a First Amendment violation. It is the provision most likely to require significant redrafting before any version of it can be enforced.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-caadc-requires-age-estimation\">The CAADC Requires Age Estimation<\/h3>\n\n\n\n<p>The CAADC requires businesses to implement age estimation for users or to treat all users as minors by default. The Ninth Circuit reversed the district court's finding that this provision is facially unconstitutional, leaving open the possibility that it could take effect in some form as the litigation proceeds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-penalties-for-caadc-violations\">Penalties for CAADC Violations<\/h3>\n\n\n\n<p>Violations carry civil penalties of USD 2,500 per affected child for each negligent violation and USD 7,500 per affected child for each intentional violation. There is no per-incident cap. For a platform with significant minor usage, a single non-compliant feature, such as an opt-out flow that qualifies as a dark pattern, could generate exposure across every affected user.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-state-of-litigation\">The State of Litigation<\/h2>\n\n\n\n<p>NetChoice, a trade association whose members include Google, Meta, Amazon, and TikTok, <a href=\"https:\/\/netchoice.org\/netchoice-v-bonta-california-2024\/\">filed suit against California Attorney General Rob Bonta<\/a> in December 2022, challenging the law on constitutional grounds.<\/p>\n\n\n\n<p>Enforcement was blocked in September 2023 when a federal district court found that the CAADC's requirement for businesses to assess and mitigate potential harm to children compelled speech in violation of the First Amendment. California has appealed at every stage.<\/p>\n\n\n\n<p>The Ninth Circuit's most recent ruling, issued March 12, 2026, is the most detailed yet. Of the six challenged provisions, five remain blocked (enjoined) pending further proceedings. The court reversed the lower court on two points \u2014 the coverage definition and the age estimation requirement \u2014 finding neither unconstitutional on its face.<\/p>\n\n\n\n<p>One provision survived outright: restrictions on collecting, using, selling, and disclosing minors' geolocation data. The data protection and dark patterns provisions remain blocked, but on vagueness grounds rather than First Amendment grounds. This is a meaningful distinction, as it signals that redrafted versions of those provisions could survive constitutional review.<\/p>\n\n\n\n<p>Four states have now enacted age-appropriate design codes that are either already in effect or taking effect in 2026 and 2027: Maryland (effective October 1, 2024), Nebraska (effective January 1, 2026, with civil penalty enforcement beginning July 1, 2026), South Carolina (effective February 2026), and Vermont (effective January 1, 2027).&nbsp;<\/p>\n\n\n\n<p>NetChoice has already challenged the Maryland and South Carolina laws, and further litigation is anticipated. Businesses operating across multiple states should track these laws individually \u2014 effective dates, enforcement timelines, and substantive requirements differ significantly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-s-currently-in-force-federal-and-state-obligations-that-apply-today\">What's Currently in Force: Federal and State Obligations That Apply Today<\/h2>\n\n\n\n<p>The CAADC's injunction does not freeze the broader children's data compliance landscape. Federal law is actively enforced, California's existing privacy framework applies to minors' data right now, and several state design codes are either already in effect or taking effect this year.<\/p>\n\n\n\n<p>For U.S. businesses, the near-term compliance question is not whether the CAADC will eventually be enforced; it is whether current obligations under COPPA and the CCPA\/CPRA are being met. The April 22, 2026, COPPA compliance deadline makes this particularly timely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-coppa-and-the-2025-rule-updates\">COPPA and the 2025 Rule Updates<\/h3>\n\n\n\n<p>The federal Children's Online Privacy Protection Act requires operators of websites and online services directed to children under 13, or general-audience services with actual knowledge of users under 13, to obtain verifiable parental consent before collecting personal information.<\/p>\n\n\n\n<p>COPPA was last significantly updated in 2013; however, the Federal Trade Commission <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/01\/ftc-finalizes-changes-childrens-privacy-rule-limiting-companies-ability-monetize-kids-data\">finalized substantial amendments<\/a> that took effect on June 23, 2025, with a compliance deadline of April 22, 2026. These are the first updates to the rule in over a decade and reflect how fundamentally children's online activity has changed.<\/p>\n\n\n\n<p>Key changes include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A requirement for separate, specific parental opt-in consent before children's data is disclosed to third parties for targeted advertising (consent cannot be bundled into a general data collection agreement).<\/li>\n\n\n\n<li>New data retention limits: Operators may not retain children's personal information longer than reasonably necessary for the purpose it was collected.<\/li>\n\n\n\n<li>Expanded definitions of personal information to include biometric identifiers.<\/li>\n\n\n\n<li>New written information security and data retention policy requirements.<\/li>\n\n\n\n<li>Increased transparency obligations for FTC-approved COPPA safe harbor programs.<\/li>\n<\/ul>\n\n\n\n<p>A separate legislative proposal, the <a href=\"https:\/\/www.congress.gov\/bill\/119th-congress\/senate-bill\/836\">Children and Teens' Online Privacy Protection Act (COPPA 2.0)<\/a>, passed the U.S. Senate by unanimous consent in March 2026. The bill would extend COPPA's protections to teenagers under 17 and ban targeted advertising directed at minors. As of early April 2026, it awaits action in the House.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-does-coppa-relate-to-the-caadc\">How Does COPPA Relate to the CAADC?<\/h3>\n\n\n\n<p>COPPA and the CAADC address different problems and operate at different levels. COPPA sets the federal floor: parental consent before collecting data from children under 13, for services directed at that age group or with actual knowledge of underage users.<\/p>\n\n\n\n<p>The CAADC was designed to go considerably further, extending protections to all users under 18, applying to general-audience services children are likely to use regardless of operator intent, and imposing design-level obligations (privacy by default, no dark patterns, impact assessments) that COPPA does not address.&nbsp;<\/p>\n\n\n\n<p>Where COPPA asks whether a business obtained consent, the CAADC asks whether the product was built with children's interests in mind. Businesses that satisfy COPPA are not necessarily in compliance with the CAADC, and the gap between the two frameworks is where most of the CAADC's obligations live.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-provisions-under-the-ccpa-cpra-for-children-s-data\">Provisions Under the CCPA\/CPRA for Children's Data<\/h3>\n\n\n\n<p>California's existing consumer privacy laws already impose heightened requirements for data about minors. Businesses cannot sell or share the personal information of consumers under 16 without affirmative authorization, requiring opt-in consent from the consumer if they are 13 to 15 years old, and parental consent if under 13.<\/p>\n\n\n\n<p>CalPrivacy has identified children's data as an enforcement priority for 2026 and beyond. The <a href=\"https:\/\/cppa.ca.gov\/announcements\/2025\/20250416.html\">Consortium of Privacy Regulators<\/a>, which now includes eight state regulators in addition to CalPrivacy and the California AG, lists children's data among its shared enforcement priorities, meaning a violation in California may draw coordinated scrutiny from multiple states.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/privacy.ca.gov\/2026\/03\/youth-sports-media-company-to-pay-1-1-million-fine-change-practices-over-privacy-violations\/\">PlayOn Sports enforcement action in March 2026<\/a>, in which CalPrivacy imposed a USD 1.1 million penalty against a youth sports platform for CCPA opt-out failures, illustrates the enforcement posture.&nbsp;<\/p>\n\n\n\n<p>Notably, CalPrivacy's investigation was opened in 2024 and proceeded to a settlement even after PlayOn had already remediated some of the issues. Subsequent remediation does not extinguish liability for prior violations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-requirements-for-opt-ins-and-consent-banners\">Requirements for Opt-ins and Consent Banners<\/h3>\n\n\n\n<p>Consent banner design has direct legal consequences for businesses serving California users who may be minors. Pre-ticked boxes, confusing opt-out flows, missing opt-out mechanisms, and language that obscures user rights are already actionable under the CCPA, and CalPrivacy has made consent interface compliance a stated enforcement focus.<\/p>\n\n\n\n<p>CalPrivacy uses automated scanning to identify non-compliant consent interfaces on public-facing websites. Its Audits Division opens investigations proactively, without requiring a consumer complaint. Businesses that redirect consumers to third-party opt-out tools, rather than providing their own direct mechanism, have been cited for that practice, as PlayOn Sports' settlement made explicit.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-s-next-for-u-s-businesses-with-the-caadc\">What\u2019s Next for U.S. Businesses with the CAADC?<\/h2>\n\n\n\n<p>The CAADC's injunction is not an invitation to pause. The regulatory direction across federal law, California enforcement, and state legislatures is consistent and accelerating. Businesses that build defensible children's data practices now are better protected across every layer of the compliance landscape (and as consumer expectations rise).<\/p>\n\n\n\n<p>Proactive investment in consent infrastructure and data hygiene also reduces litigation exposure. California's opt-out right for minors and COPPA's parental consent requirements are already enforceable claims. Documented, consent-grounded data practices are the most direct mitigation against enforcement action and reputational risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-map-exposure-for-to-minor-users\">Map Exposure for to Minor Users<\/h3>\n\n\n\n<p>The starting point is understanding whether minors access your services and through what pathways. This is not always obvious: a general-audience platform may have substantial under-18 usage without having marketed to that demographic. Age estimation requirements under the CAADC and potentially under COPPA 2.0 will eventually require businesses to have an answer.<\/p>\n\n\n\n<p>A data audit that identifies where children's data may enter your systems is the foundation. Relevant inputs include registration flows, browsing behavior, purchase history, device signals, and third-party data sources that may carry inferences about user age.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-review-your-default-consent-configuration-setup\">Review Your Default Consent Configuration Setup<\/h3>\n\n\n\n<p>Privacy by default is where children's data regulation is heading, and it is already the standard for minor users under the CCPA. Reviewing your consent banner and data collection defaults to confirm that privacy-protective settings are the default, rather than requiring users to opt out, reduces exposure under current California law and positions your business for the CAADC's requirements if enforcement resumes.<\/p>\n\n\n\n<p>CalPrivacy's automated scanning means your public-facing consent interface is subject to ongoing regulatory scrutiny, not just complaint-triggered review. A non-compliant banner is a standing risk, not a conditional one.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-audit-to-check-for-dark-patterns\">Audit to Check for Dark Patterns<\/h3>\n\n\n\n<p>Dark pattern restrictions are among the most durable elements of the CAADC. The Ninth Circuit enjoined them only on vagueness grounds; courts have not ruled that prohibiting manipulative design is unconstitutional. When the CAADC is eventually redrafted, tighter definitions of prohibited patterns will almost certainly be retained.<\/p>\n\n\n\n<p>The same restrictions already apply under CCPA enforcement guidance. Reviewing consent interfaces and UX flows against dark pattern criteria is a compliance obligation under existing law, not a prospective one.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-work-toward-dpia-readiness\">Work Toward DPIA Readiness<\/h3>\n\n\n\n<p>Even if the CAADC's DPIA requirement is redrafted before it takes effect, Data Protection Impact Assessments are embedded in CPRA's risk assessment framework and are in force for high-risk processing activities.&nbsp;<\/p>\n\n\n\n<p>Businesses operating at scale, with significant data processing, third-party integrations, or advertising-based business models, should be running these assessments under current California obligations.<\/p>\n\n\n\n<p>Developing internal assessment processes now creates a reusable compliance asset. It positions you for the CAADC's eventual requirements, satisfies existing CPRA obligations, and demonstrates the kind of documented due diligence that regulators and courts weigh in enforcement proceedings.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-monitor-developments-at-the-state-level\">Monitor Developments at the State Level<\/h3>\n\n\n\n<p>The CAADC cannot be enforced while injunctions remain in place, but it is not inactive litigation. California has appealed at every stage and has not withdrawn the law.&nbsp;<\/p>\n\n\n\n<p>More practically, the Ninth Circuit's March 2026 ruling identified provisions that could survive constitutional redrafting. Design codes with narrower scope have already been enacted in Maryland, Nebraska, Vermont, and South Carolina, with enforcement timelines beginning as early as 2026.<\/p>\n\n\n\n<p>NetChoice has already challenged the Maryland and South Carolina laws, and further litigation is anticipated. Businesses operating across multiple states should track these laws individually as effective dates, enforcement timelines, and substantive requirements differ.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-cookiebot-supports-caadc-compliance-readiness\">How Cookiebot Supports CAADC Compliance Readiness<\/h2>\n\n\n\n<p>The CAADC's core requirements \u2014 avoiding dark patterns, limiting data collection to what's necessary, and building privacy-protective defaults \u2014 are not unique to California. They reflect the principles that now underpin federal COPPA enforcement, active CCPA requirements for minor users, and design codes advancing in Maryland, Nebraska, Vermont, and South Carolina.<\/p>\n\n\n\n<p>For U.S. businesses, consent management is the operational layer where those requirements become visible. The choices users see when they first arrive on your site, the data flows triggered by those choices, and the consent record created for every interaction \u2014 these are where CCPA compliance already lives and where the CAADC's requirements would be centered.<\/p>\n\n\n\n<p>Cookiebot\u2122 provides the consent infrastructure U.S. businesses need to meet those requirements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurable consent banners built to California and multi-state requirements<\/li>\n\n\n\n<li>Consent logs that create an audit-ready record for every user interaction<\/li>\n\n\n\n<li>Signal integration that carries consent decisions consistently across your data stack and advertising platforms<\/li>\n<\/ul>\n\n\n\n<p>For businesses that serve audiences including minors, demonstrating documented, consent-grounded data practices is no longer optional. It is an active enforcement target.<\/p>\n\n\n<div class=\"cta-block cta-block--size-m cta-block--has-shield cb-ctx--blue\">\n            <img decoding=\"async\"\n            class=\"cta-block__shield\"\n            src=\"\/wp-content\/themes\/cookiebot\/img\/backgrounds\/cta-shield.svg\"\n            alt=\"Cookiebot bg shield\"\n            width=\"930\"\n            height=\"929\"\n            loading=\"lazy\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                    <h2 class=\"cta-block__title no-default-margin like-h2\">\n                        Children's data rules are enforced. Your consent setup should be ready.                    <\/h2>\n                                                    <div class=\"cta-block__description like-text-md\">\n                        <p><span style=\"font-weight: 400;\">Children's data rules are enforced. Your consent setup should be ready.<\/span><\/p>\n                    <\/div>\n                                                                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"bc0f02f1-3954-4196-85cc-eba888a9d667\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"https:\/\/admin.cookiebot.com\/signup\" target=\"\">\n<span>Start free trial<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                                                <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>California's Age-Appropriate Design Code Act imposes privacy-by-default, data minimization, and dark pattern restrictions on businesses serving minors online. Courts have blocked enforcement, but parallel federal and state obligations are active now, and the regulatory direction is clear. Here\u2019s what businesses need to know. California's Age-Appropriate Design Code Act is one of the most ambitious children's [&hellip;]<\/p>\n","protected":false},"author":35,"featured_media":18379,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-18378","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/us\/wp-content\/uploads\/sites\/8\/2026\/05\/CB-SoMe-CAADC-Business-Guide-1000x630px.jpg","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts\/18378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/comments?post=18378"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/posts\/18378\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/media\/18379"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/media?parent=18378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/categories?post=18378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/us\/wp-json\/wp\/v2\/tags?post=18378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}