Minor Privacy Laws in the U.S. – A Moving Target

For two decades, the Children’s Online Privacy Protection Act (“COPPA”) Rule, which took effect in 2000,(1) served as the primary legal standard regulating children’s online privacy in the U.S., establishing special protections and parental rights for the online privacy of children under the age of 13. The COPPA Rule was adopted by the U.S. Federal Trade Commission (“FTC”) after a detailed public-rulemaking process and has been amended twice since its adoption, each time as part of a public-rulemaking process. However, recently multiple states have enacted laws imposing new and varied obligations and restrictions on the collection, use and disclosure of minor personal information, which go beyond the standard set by the COPPA Rule.

Given these myriad new state minor privacy laws, COPPA is no longer the primary benchmark for children’s online privacy in the U.S. Rather, businesses must contend with a new (and growing) patchwork of state laws, with differing age thresholds and varying restrictions and obligations. Some of these laws address minor privacy in relatively narrow ways within state comprehensive consumer privacy laws— for example, by restricting targeted advertising uses of minor personal information. On the other hand, many states have enacted much broader minor privacy laws (as well as minor online safety laws) that aim to increase online protections for all minors, including teens and children under the age of 13.

Several of these state minor privacy laws are currently under challenge, on the basis that they violate the U.S. Constitution. In some instances, lower courts are proceeding with discovery on the constitutional challenges, without first ruling on whether to grant injunctive relief, while in other instances courts have partially or fully enjoined enforcement of the laws, pending resolution of the underlying claims. Further complicating matters, on appeal, some lower court injunctions have been vacated in part, remanded for further review, or otherwise modified in subsequent legal proceedings. So, the status of many of these laws is a moving target. Amid this ongoing uncertainty, states have also continued to adopt new minor privacy laws. All of these things can make it difficult to evaluate the scope and impact of this patchwork of laws, and to identify, plan and implement appropriate business and operational changes for compliance.

That said, from a practical perspective, most new state minor privacy laws—despite their differences—fit within one of following categories: (a) general restrictions on the processing of minor personal information; (b) minor online privacy protections; and (c) minor online safety laws. The table below provides a high-level overview of some of the common elements of these laws.

  General Restrictions on Minor Personal Information  Minor Online Privacy Protections  Minor Online Safety Laws 
Scope and Applicability  Controllers that are subject to a state’s comprehensive consumer privacy laws.  Generally, websites and online services that are likely to be accessed by minors.   Generally, specific online services, such as app stores, app developers, social media platforms, and chatbots.  
Age Threshold  Varies.  Generally, minors under 18 years old.  Generally, minors under 18 years old (some variances). 
Common 

Components 

 Prohibit or require consent for sales and targeted advertising uses of minor personal information; prohibit profiling/ automated decision-making concerning known minors; Sensitive data defined to include personal data of a known child; DPIA required for processing of children’s personal data.  Privacy by design and default; transparency; age assurance; purpose and use limitations; sales and targeted advertising prohibitions; geolocation collection and use restrictions; mandatory DPIAs; limits on addictive or compulsive features.  Age assurance/verification; parental consent for account creation or app downloads and in-app purchases; prominent warnings and notices; limits on or compulsive features; mandatory parental controls, time limits and privacy protections; content filtering and monitoring; parental rights over accounts and personal information of their children. 

While not covered above, it is also worth noting that a number of states have also enacted new or expanded content liability laws, making certain operators liable for exposing minors to harmful content online (i.e., obscene sexual content); these laws often require covered operators implement reasonable age verification methods to prevent minors from accessing such content and provide a safe harbor for operators that do so.(2)

 

Minor Online Privacy Laws and Age-Appropriate Design Codes

In September 2022, California passed the California Age Appropriate Design Code Act (the “CA-AADC”) to ensure that California minors are “afforded protections not only by online products and services specifically directed at them but by all online products and services they are likely to access.”(3) The CA-AADC was modeled after the United Kingdom’s Age-Appropriate Design Code.(4)

The CA-AADC imposes broader obligations and applies to a far broader range of businesses than COPPA. However, the CA-AADC was enjoined before taking effect and a large portion of it remains enjoined, pending resolution of the constitutional challenges brought by trade association NetChoice, LLC, in NetChoice v. Bonta.(5) Despite the constitutional uncertainty surrounding the CA-AADC, a number of states followed suit, enacting minor online privacy laws —some of which are modeled in large part after the CA-AADC(6) and others which take a more distinct approach.(7) Many of these laws have also been challenged by NetChoice and other trade associations on constitutional grounds similar to those raised in NetChoice v. Bonta.(8)

While these state minor online privacy laws vary, generally, they apply to websites, mobile applications, and other products, features and services accessible online (each an “online service” hereafter) that are likely to be accessed by minors under the age of 18. In determining whether an online service is likely to be accessed by minors, many (but not all) of these laws commonly point to some of the following factors:

  • Whether the online service includes ads or marketing that target minors.
  • Whether the online service uses design elements known to be of interest to minors (e.g., games, cartoons, music, or celebrities that appeal to minors).
  • Whether a “significant amount of the audience” is under 18 years old based on the company’s internal research or other empirical evidence.
  • Whether a significant number of minors under 18 years old routinely access the online service (based on competent and reliable evidence), or whether the online service is substantially similar to another such online service.
  • Whether the online service is directed to minors as defined by COPPA.
  • Evidence regarding the intended audience.

Notably, some of these laws also apply where an operator knows or should know that a particular user is a minor. For example, under the Maryland Age-Appropriate Design Code Act one of the factors for determining if an online service is likely to be accessed by minors is whether the operator “knows or should have known that a user is a child.”(9) The New York Child Data Protection Act applies to personal information about users of online services that (a) that are primarily directed to minors, or (b) that the operator of the online service knows to be under 18 years old.(10)

The South Carolina Age-Appropriate Design Code Act (“SC-AADC”) takes a somewhat distinct approach by defining covered online services as (a) online services where an individual is known to the provider to be a minor, and (b) online services that are “directed to children” as defined by COPPA.(11) Nebraska also takes a nuanced approach by excluding “any online service with actual knowledge that fewer than two percent of its users are minors.”(12)

While the scope of covered services and applicable requirements vary, some common requirements and restrictions include:

  • Notice and informed consent requirements for certain higher-risk processing activities.
  • Restrictions on the collection, use, disclosure, and processing of minor personal information beyond what is necessary to provide a product or service the minor intentionally interacts with or has specifically requested.
  • Prohibitions on sales, targeted advertising, and profiling.
  • Significant restrictions on the collection and processing of geolocation data and prohibitions on the sharing of geolocation data.
  • Requirements to apply most “protective” privacy settings where available.
  • Controls that can be used to block or disable certain features (e.g., personalized recommendations, interactive features, profile visibility, features designed to increase frequency, time, and activity on the covered service).
  • Access, correction, and deletion rights, and related business obligations.
  • Mandatory data protection impact assessment obligations.

Some state laws, including the SC-AADC(13) and the Nebraska Age-Appropriate Design Code(14) also include specific obligations regarding ‘covered design features’ that encourage or increase a minor’s time, frequency, or activities on the service. The CA-AADC and MD-AADC require business to account for the ‘best interests’ of the child and prohibit uses that a business knows are materially detrimental to the physical health, mental health, or well-being of the minor.(15)

Even though a number of these laws are being challenged, several are already in effect. Accordingly, businesses should evaluate their online services to determine which if any are “likely to be accessed by minors” and whether and to what extent they have reason to know that any users are minors. From there, businesses can begin to consider where changes may be needed (e.g., turning tracking and third-party cookies off by default, reviewing vendor and third-party data flows) and identify other actions that may be required for compliance (such as data protection impact assessments).

 

General Restrictions on Collection, Use and Disclosure of Minor Personal Information

Starting with the passage of the California Consumer Privacy Act of 2018 (the “CCPA”), which took effect January 1, 2020, more than twenty states have passed comprehensive consumer privacy laws, which apply to the personal information of consumers who are residents of the respective states. Nearly each of these laws include provisions specific to the personal information of consumers that are known minors.(16) In contrast to the minor online privacy and safety laws discussed above, the prohibitions and restrictions discussed below apply more generally to controllers and businesses; and are not limited to operators of online services, social media platforms or app stores.

While the age threshold for what is in-scope personal information varies, many state comprehensive privacy laws treat personal information concerning children as “sensitive personal information” and further restrict or prohibit certain uses and disclosures of minor personal information.

 

Sensitive Data under U.S. State Comprehensive Privacy Laws

Recently, the definition of sensitive personal information under the CCPA Regulations was amended to include the personal information of consumers that the business knows are less than 16 years of age.(17) However, the CCPA does not impose an affirmative consent obligation on the collection or processing of sensitive personal information. Rather, it gives consumers the right to limit certain uses and disclosures of sensitive personal information.(18) In effect, this right applies to any personal information about a consumer that the business knows is under 16 years of age.

In contrast to the CCPA, most state comprehensive privacy laws define sensitive data to include personal information about consumers who a controller knows are under the age of 13, require parental consent to collect such data, and prohibit controllers from processing such sensitive data except in compliance with COPPA(19) (which requires businesses to obtain separate, specific opt-in consent to disclose children’s personal information for targeted advertising).(20) Many state comprehensive consumer privacy laws also require controllers that process sensitive data (including personal data about children under 13 years old) to document and maintain data protection impact assessments for any such processing activities.(21)

The Maryland Online Privacy Protection Act (the “Maryland OPPA”) defines sensitive data to include “personal data of a consumer that the controller knows or has reason to know” is a child under 13 years old.(22) Unlike the majority of state comprehensive privacy laws, the Maryland ODPPA more broadly prohibits the sale of sensitive data (including children’s personal data) as well as collection and processing of such data that goes beyond what is strictly necessary to provide a product or service requested by the consumer.(23)

 

Restrictions on Sales, Targeted Advertising and Profiling

Many state comprehensive privacy laws also impose heightened restrictions or obligations on certain uses and disclosures of personal information about minors below certain age thresholds. For example, under the CCPA, businesses are prohibited from selling or sharing personal information about any consumer that the business knows is under the age of 16, without affirmative consent. For minors 13 to 15 years old, the affirmative consent of the minor is required, and for minors under the age of 13, verifiable parental consent (in accordance with COPPA) is required. Businesses that willfully disregard the age of consumers are deemed to have actual knowledge of their age. Accordingly, businesses that collect age or date of birth and allow minors to create accounts, for example, will be deemed to have actual knowledge of the age of the account holder in so far as they can identify the consumer (e.g., when the consumer is logged in to their account).

Similar to the CCPA, some state comprehensive privacy laws prohibit sales and targeted advertising uses of minor personal data without consent. For example, under the Delaware Personal Data Privacy Act(24) (the “Delaware PDPA”), controllers are prohibited from (i) processing a consumer’s personal data for purposes of targeted advertising, and (ii) selling a consumer’s personal data without the consumer’s consent, where a controller has actual knowledge or willfully disregards that the consumer is 13 to 17 years old.

The New Jersey Consumer Data Privacy Act (the “New Jersey CDPA”) also prohibits sales and targeted advertising uses of a minor personal information without consent, as well as engaging in automated processing for purposes of profiling in furtherance of decisions that have legal or similarly significant effects on such consumers without consent.(25) However, the New Jersey CDPA restrictions apply to personal information about consumers where a controller knows or willfully disregards that the consumer is 13 to 16 years old.(26)

In contrast, several state comprehensive privacy laws prohibit certain uses and disclosures of personal information about minors (with varying age thresholds), regardless of consent. For example, effective July 1, 2026, the Connecticut Data Privacy Act (the “Connecticut DPA”) prohibits controllers from (i) processing personal information about consumers for purposes of targeted advertising, or (ii) selling personal information about any consumer that the controller knows or willfully disregards to be 13 to 17 years old.(27) Similarly, the Maryland ODPA prohibits sales and targeted advertising where a controller “knows or has reason to know” that the consumer is under 18 years old.(28) While the Minnesota Consumer Data Privacy Act also prohibits sales and targeted advertising use of minor personal data, this prohibition only applies where the controller knows that the consumer is 13 to 16 years old.(29)

Some states also prohibit processing activities that go beyond sales and targeted advertising. For example, under the Oregon Consumer Privacy Law,(30) where controllers know or willfully disregard that a consumer is under the age of 16, they are prohibited from (i) processing the consumer’s personal data for the purposes of targeted advertising, and (iii) selling the consumer’s personal information, as well as (iii) engaging in automated processing of the consumer’s personal data for profiling in furtherance of decisions that have legal or similarly significant effects on the consumer.(31)

 

Looking Ahead

Minor privacy, social media, and online safety continue to be key focus areas for state legislatures, with dozens of minor privacy, social media and digital safety bills introduced in the first quarter of 2026. This trend is likely to continue, in particular as federal efforts to adopt new minor privacy legislation appear stalled for the time being. As pending legal challenges against state minor privacy laws proceed and recently enacted legislation takes effect, ongoing developments are likely for the foreseeable future. Businesses that operate websites and other online services should continue to monitor developments in this area.

 

(1)(The COPPA Rule was adopted by the FTC, pursuant to the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 – 6509.)
(2)(See e.g., Ind. Code Ann. § 24-4-23; §; and S.C. Code Ann. § 37-1-310.)
(3)(Assem. Bill 2273, 2021-2022 Reg. Sess. (Cal. 2022), 2022 Cal. Stat. ch. 320, codified at Cal. Civ. Code §§ 1798.99.28 – 1798.99.40.)
(4)(See i.d.)
(5)(NetChoice, LLC v. Bonta, 113 F.4th 1101 (9th Cir. 2024).)
(6)(See the Maryland Age-Appropriate Design Code, Md. Code Ann., § 14-4801 – 14-4813.)
(7)(See, e.g., N.Y. Gen. Bus. Law §§ 899-EE. In addition to the minor online privacy laws passed as separate statutes, several states have enacted minor online privacy requirements as a part that states’ respective comprehensive consumer privacy laws. See, e.g., Conn. Gen. Stat. § “Sec. 42-529a; and)
(8)(See, e.g., Net Choice v. Brown, Case 1:25-cv-00322-RDB (Dist. Md.).)
(9)(Md. Code Ann. § 14-4801(s).)
(10)(See N.Y. Gen. Bus. Law §§ 899-EE.)
(11)(S.C. Code § 39-80-10(17)(a).)
(12)(Neb. Rev. Stats. § 87-1302(5)(c))
(13)(S.C. Code Ann. §§ 39-80-10(3) and 39-80-30(a).)
(14)(Neb. Rev. Stat. §§ 87-1302(3) and 87-1304.)
(15)(See Cal Civ Code § 1798.99.31(b)(1) & (7); Md. Code Ann. §§ 14-4801(c) and 14-4806(a)(1).)
(16)(See e.g., FN 21. In addition, some state comprehensive privacy laws have also been enacted with, or amended to include, minor privacy provisions restrictions apply specifically to online services that are targeted to or used by minors. These laws are discussed (along with state minor online privacy and age-appropriate design code laws) under the section “Minor Online Privacy Protections.”)
(17)(See 11 Cal. Code Regs § 7001(bbb).)
(18)(See Cal. Civ. Code § 1798.121.)
(19)(See e.g., Col. Rev. Stat. §§ 6-1-1303(24) and 6-1-1308(7); Conn. Gen. Stat. §§ 42-515 (38) and 42-520(a)(4); Ind. Code §§ 24-15-2-28(3) and 24-15-4-1(5); Iowa Code §§ 715D.1(26)(c) and 715D.4(2); Kt. Rev. Stat. §§ 367.3611(28)(c) and 367.3617(e); Minn. Stat. §§ 325O.02-2(v)(3) and 325O.07-2(a)(d); Neb. Rev. Stat. §§ 87-1102(3) and 87-1112(1)(d); N.H. Rev. Stat. Ann. §§ 507-H:1(XXVIII) and 507-H:6(I)(d); R.I. Gen. Laws §§ 6-48.1-2(26) and 6-48.1-4(c); Tenn. Code Ann. § 47-18-3204(a)(6); Tex. Bus. and Comm. Code §§ 541.001(29) and 541.101(b)(4); Code of Virg. §§ 59.1-575 and 59.1-578(A)(5).)
(20)(See e.g., 16 C.F.R. § 312.5(a)(2).)
(21)(See e.g., Col. Rev. Stat. §§ 6-1-1309(2)(c); Conn. Gen Stat. § 42-522(a)(4); Del. Code. Ann. § 12D-108(a)(4); Ind. Code § 24-15-6-1(b)(4); Kt. Rev. Stat. § 367.3621(e); Md. Code Ann. § 14–4710(a)(3); Minn. Stat § 325O.08(b)(3); Neb. Rev. Stat. § 87-1116(1)(e); N.H. Rev. Stat. Ann. § 507-H:8(I)(d); R.I. Gen. Laws § 6-48.1-7(e); Tenn. Code Ann. § 47-18-3206(a)(4); Tex. Bus. and Comm. Code § 541.105(a)(4); Code of Virg. § 59.1-580(A)(4).)
(22)(Md. Code Ann. § 14–4601(gg).)
(23)(Id. at § 14–4607(a). )
(24)(84 Del. Laws, c. 197, § 1, codified at Del. Code. Ann. §§ 12D-101 to 12D-111 (2026).)
(25)(N.J. Code § 6:8-166.12(7).)
(26)(Id.)
(27)(Id. at Ct. Gen. Stat. § 42-520(a)(4) (effective July 1, 2024). Prior to July 1, 2026, under § 42-520(a)(4), controllers are prohibited from processing personal information for targeted advertising or selling personal information about consumers 13 to 15 years old without their consent, where the controller knows or willfully disregards that a consumer is 13 to 15 years old. See Ct. Public Act No. 25-113 (June 6, 2025) (modifying Ct. Gen. Stat. § 42-520(a)(4), effective July 1, 2026).)
(28)(Md. Code Ann. § 14-4707(a)(4) – (5).)
(29)(Minn. Stat. § 325O.07-2(f).)
(30)(Or. Rev. Stat. §§ 646A.570 to 646A.589)
(31)(Id. at Or. Rev. Stat. § 646A.578(2).)