Ninth Circuit vacated, in part, the injunction against the California AADC, which could be enforced imminently; South Carolina enacts an expansive AADC.
California
The Ninth Circuit issued a split opinion on the California “Age-Appropriate Design Code” (“CA AADC”), vacating portions of the preliminary injunction that was delaying implementation of the law. The Court found:
- NetChoice is not likely to succeed in its challenge to the CA AADC’s coverage definition or the age estimation requirement.
- NetChoice is likely to succeed with respect to the challenge to the dark patterns restrictions and data use limitations (e.g., restrictions on profiling children, using children’s information in materially detrimental or unnecessary ways).
The CA AADC DPIA requirement remains enjoined (it was not under review on this appeal).
Once the mandate issues, the Attorney General likely will have the authority to enforce provisions that are no longer enjoined. The AG has not announced whether he will do so, or enforcement priorities, but the focus may be on core AADC provisions including: (i) default privacy settings, (ii) tools for parents and minors to exercise privacy rights, (iii) policies in language suitable for children, (iv) signals to advise minors if they are being monitored by a guardian or other user, and (v) precise geolocation limitations.
South Carolina
On February 5, 2026, South Carolina’s governor signed the “Age-Appropriate Design Code” into law (House Bill 3431) (“SC AADC”). The law took effect immediately, and while it has some similarities to the four other state AADC laws, South Carolina’s law requires several new compliance measures, including for users who are not minors. The SC AADC has been challenged and briefing is scheduled for March and early April.
Scope
Like other AADCs, South Carolina’s provisions apply to entities “reasonably likely to be accessed” by minors. However, instead of offering six factors for companies to weigh, South Carolina defines “reasonably likely to be accessed” by minors as (i) individuals known to the covered online service to be minors; or (ii) covered online services that are directed to children as defined by COPPA.
Publicly Posted Third-Party Audit
The SC AADC requires a business to undergo an annual third-party audit of the service, which must be submitted to and publicly posted on the Attorney General’s website. The audit must cover how the service functions regarding minors, the purpose of the service, data collection and processing practices, design features, safety features, algorithms used, and harm reporting statistics. The first public report must be issued on or before July 1, 2026.
Treble Damages and Personal Liability
Enforcement appears to be limited to the Attorney General, but the damages and liability are unlike other state AADCs. Notably:
- Damages can include treble the financial damages resulting from a violation.
- Officers and employees may be held personally liable for willful and wanton violations.
Tools for All Users
Unlike the other AADCs that focus on minors and their parents, SC AADC requires certain tools for all users, including tools that:
- Disable design features that are not necessary to provide the service
- Limit the financial value of purchases and transactions on the service
- Block or disable quantification of engagement
- Prohibit any other individual from viewing the user’s connections to other users, regardless of the nature of the connection
Personalization must be off by default for minors, and all other users must be able to turn off personalization.
Specific Parental Controls
The SC AADC requires businesses to provide parents with tools, including to
- Manage the minor’s account and privacy settings and
- Restrict a minor’s purchases and other financial transactions.
- View the time spent and limit the times when the minor can use the service.
Takeaway
Companies that have paused their AADC compliance efforts will have to pick the pen back up. In addition, unless the law or enforcement is stayed pending legal challenges, compliance programs will need to evolve to account for South Carolina to cover offering tools to all users, coordinating and completing annual reports, and considering business and personal exposure stand out.