Key point: The court held that NetChoice’s complaint adequately states constitutional claims against Maryland’s Age-Appropriate Design Code Act and allowed NetChoice’s lawsuit to continue, but did not rule on the merits of the claims or enjoin the law.

On November 24, 2025, Maryland District Court Judge Richard Bennett denied Maryland’s motion to dismiss a complaint filed by NetChoice challenging Maryland’s Age-Appropriate Design Code Act, commonly referred to as the Maryland Kids Code. NetChoice’s complaint alleges that the Kids Code violates the First Amendment and is preempted by federal law. The decision finds only that NetChoice’s complaint states plausible claims. The court did not rule on the merits of the claims and did not enjoin the law. In the below article, we provide a brief overview of the Kids Code and the decision.

Background

Following a multiyear, highly contentious legislative process, in April 2024, the Maryland legislature passed — and the governor signed — the Maryland Age-Appropriate Design Code Act, or Maryland Kids Code (SB 571 / HB 603). The Kids Code is based on California’s Age-Appropriate Design Code Act; however, by April 2024, the California law had been enjoined as unconstitutional, leading Maryland lawmakers to change their bill in the hopes of it withstanding First Amendment scrutiny. Nonetheless, during the legislative process, NetChoice (which had successfully challenged the California law) adamantly argued the Maryland bill violates the First Amendment.

The Kids Code applies to covered entities that provide an online product reasonably likely to be accessed by children (i.e., under the age of 18). Subject to certain exemptions, “covered entity” is defined as a legal for-profit entity that collects the personal data of Maryland residents, determines the purpose and means of processing such data, does business in Maryland, and (1) has annual gross revenues in excess of $25 million, (2) annually buys, receives, sells, or shares the personal data of 50,000 or more Maryland residents, households, or devices, or (3) derives 50% or more of its profit from selling the personal data of Maryland residents.

The law provides a set of six criteria that covered entities must consider when determining whether an online product is reasonably likely to be accessed by children. This includes whether the online product is directed to children, there is evidence the online product is routinely accessed by children, the online product is marketed to children, and the covered entity knew or should have known that a user is a child.

Covered entities subject to the law are required to prepare data protection impact assessments for online products reasonably likely to be accessed by children. Among other things, impact assessments must consider “whether the online product is designed in a manner consistent with the best interests of children reasonably likely to access the online product.”

The law defines best interests of children as “a covered entity’s use of the personal data of children or the design of an online product in a way that does not: (1) benefit the covered entity to the detriment of children; and (2) result in (I) reasonably foreseeable and material physical or financial harm to children; (II) severe and reasonably foreseeable psychological or emotional harm to children; (III) a highly offensive intrusion on children’s reasonable expectations of privacy; or (IV) discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.”

Covered entities also cannot (1) process the personal data of a child in a way that is inconsistent with the best interests of children reasonably likely to access the online product; (2) profile a child unless certain conditions are met; (3) process the personal data of a child that is not reasonably necessary to provide an online product that the child is actively engaged with; (4) process children’s personal data for any purpose other than the purpose for which it was collected; (5) process children’s geolocation data absent certain conditions; (6) use dark patterns for certain purposes; (7) process personal data for the purpose of estimating the age of children actively engaged with the online product; and (8) allow a person other than the child’s parent or legal guardian to monitor the child’s online activity without first notifying the child and the child’s parent or guardian.

The Kids Code went into effect on October 1, 2024. NetChoice filed its complaint on February 3, 2025, and an amended complaint on April 28, 2025. The amended complaint alleges four First Amendment challenges, two due process challenges based on the First Amendment vagueness doctrine, and two preemption challenges. The defendants filed a motion to dismiss, alleging that all claims should be dismissed for failure to state a claim and that NetChoice lacked standing to bring certain claims.

Court Ruling

The court denied the motion to dismiss, concluding that all claims stated in the complaint were adequately alleged and that NetChoice had standing to bring those claims.

The court found that NetChoice alleged sufficient facts to state facial and as-applied First Amendment claims. The court observed “this Court generally holds First Amendment challenges adequately alleged where the plaintiff has sufficiently alleged that the challenged statute applies to protected speech such that it triggers First Amendment scrutiny.” The court also stated that it did not need to decide which level of First Amendment scrutiny (strict or intermediate) was appropriate on a motion to dismiss.

Turing to the merits, the court rule that NetChoice adequately alleged that the Kids Code regulates constitutionally protected speech. Specifically, the court stated that “NetChoice has sufficiently alleged that the Kids Code requires members to evaluate whether their data collection practices serve the ‘best interests of children’ or apply to products that are ‘reasonably likely to be accessed by children,’ which in turn requires members to evaluate and potentially alter moderated content.” The court similarly found that the complaint adequately alleged that the Kids Code’s restrictions on dark patterns and monitoring “at minimum burden protected speech” based on NetChoice’s allegation that “data collection, ‘dark patterns,’ and monitoring are essential to its members ability to engage in protected speech in the form of curated or editorialized content provided to users.” The court also held that NetChoice had sufficiently alleged that the law’s impact assessment requirement was unconstitutional as compelled speech that requires NetChoice’s members to determine what is in the “best interests of children.”

The court next upheld NetChoice’s due process claims on the basis that NetChoice had sufficiently alleged that the “bests interest of children” and “reasonably likely to be accessed by children” standards are unconstitutionally vague. In short, the court credited NetChoice’s allegations that the law does not provide enough information to determine how to apply those standards.

Further, the court ruled that NetChoice had sufficiently alleged that the Kids Code is both expressly and implicitly preempted by COPPA and preempted by Section 230 of the federal Communications Decency Act.

Finally, the court considered — and denied — the defendants’ motion to dismiss for lack of standing.

As noted, the ruling only allows NetChoice’s lawsuit to proceed. The court did not consider the merits of the claims at this time or enjoin the law.