On September 9, 2025, the U.S. Court of Appeals for the Ninth Circuit, in an interlocutory ruling, upheld key provisions of California’s Protecting Our Kids from Social Media Addiction Act (SB 976) (the “Act”), allowing enforcement of the Act’s “addictive” social media feed provisions to proceed.
The Act
The Act was passed in 2024 and was set to take effect on January 1, 2025 (which was extended by district court order to February 1, 2025). In relevant part, the Act prohibits social media platform operators from providing “addictive feeds” to minors (under 18 years of age) unless (1) the operator does not have actual knowledge that the user is a minor or (2) the operator has obtained verifiable parental consent (in compliance with the Act’s requirements) to provide addictive feeds to the minor.
The Act defines “addictive feed” to mean any part of an online service or mobile app in which media “generated or shared by users are, either concurrently or sequentially, recommended, selected, or prioritized for display” based “on information provided by the user, or otherwise associated with the user or the user’s device.” The Act also requires social media operators to implement default privacy-protective settings on minors’ social media accounts. Additionally, the Act requires social media platform operators to enable by default a setting that restricts minor users from seeing the number of “likes,” shares or other feedback that a minor’s social media post has garnered.
The Constitutional Challenge
NetChoice, a trade association representing major technology and e-commerce companies, including social media platforms, sued California to block the Act before it took effect. NetChoice argued that the Act violates the First Amendment’s free speech protections by limiting how social media platforms present content and communicate with users.
The district court granted in part and denied in part NetChoice's motion for a preliminary injunction. See NetChoice v. Bonta, 761 F.Supp.3d 1202, 1232 (N.D. Cal. 2024). NetChoice appealed.
The Ninth Circuit’s Ruling
In the Ninth Circuit’s September 9, 2025 ruling, the Court sided with NetChoice on certain issues and decided against it on others. The Court ruled on the following key provisions of the Act:
- Upheld “addictive feed” restrictions. The Court upheld the provisions of the Act that require parental consent before minors can receive “addictive feeds.” The Court rejected NetChoice's arguments that the statutory term “addictive feed” is pejorative and vague. The Court agreed with the district court that NetChoice lacked standing to challenge these provisions, noting that the analysis of algorithmic curation is fact-intensive and varies by platform. Therefore, NetChoice did not have standing to litigate the issue on behalf of its members without more specific evidence.
- Upheld “private mode” default settings. The Court agreed with the district court that requiring minors’ accounts to default to private mode, so that only users connected to the minors’ accounts can view or interact with their posts, is a permissible content-neutral safety measure. Applying intermediate scrutiny under the First Amendment, the panel found this restriction substantially related to California’s interest in protecting children online and upheld this provision in the Act.
- Declined to uphold engagement metrics restrictions. The Court determined that banning the display of “like” counts and similar engagement metrics to minors was an unconstitutional content-based restriction on speech. Applying strict scrutiny under the First Amendment, it concluded that California did not prove this was the least restrictive way to address mental health issues, considering the availability of other options like voluntary filters.
The case now returns to the district court for a trial on the merits, with some of the most significant provisions of the Act—namely, the addictive feed and default privacy setting provisions—remaining in effect, at least until a final decision is reached.
The interlocutory rulings indicate that state laws restricting personalized social media feeds for minors and similar protective measures may withstand First Amendment challenges. The Ninth Circuit noted the district court’s conclusion that “addictive feeds” are not necessarily a form of social media platforms’ speech, meaning that restricting “addictive feeds” does not restrict access to the platforms' speech. The Court, however, declined to address that issue, describing it as a novel question that could not be decided in an interlocutory proceeding with a thin record.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- Age Appropriate Design Code
- Age Verification
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Audit
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Consumer Rights
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cross-Border Data Transfer
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Breach
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Protection Officer
- Data Security
- Data Transfer
- David Dumont
- David Vladeck
- Deceptive Trade Practices
- Delaware
- Denmark
- Department of Commerce
- Department of Defense
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- Design
- Digital Markets Act
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DORA
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Electronic Protected Health Information
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- Financial Data
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Geolocation Data
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- HIPAA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Large Language Model
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Louisiana
- Madrid Resolution
- Maine
- Malaysia
- Maryland
- Massachusetts
- Meta
- Mexico
- Michigan
- Microsoft
- Minnesota
- Missouri
- Mobile
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- North Dakota
- North Korea
- Norway
- Obama Administration
- OCPA
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Online Behavioral Advertising
- Online Privacy
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Poland
- PRISM
- Privacy By Design
- Privacy Notice
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Profiling
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk Assessment
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Salesforce
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Sensitive Data
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- States Attorney General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code