{"id":140786,"date":"2026-04-24T14:10:22","date_gmt":"2026-04-24T14:10:22","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=hot_topics&p=140786"},"modified":"2026-04-24T14:10:22","modified_gmt":"2026-04-24T14:10:22","slug":"minor-privacy-laws-in-the-u-s-a-moving-target","status":"publish","type":"hot_topics","link":"https:\/\/my.legal500.com\/guides\/hot-topic\/minor-privacy-laws-in-the-u-s-a-moving-target\/","title":{"rendered":"Minor Privacy Laws in the U.S. \u2013 A Moving Target"},"content":{"rendered":"

For two decades, the Children\u2019s Online Privacy Protection Act (\u201cCOPPA\u201d) Rule, which took effect in 2000,(1)<\/sup> served as the primary legal standard regulating children\u2019s online privacy in the U.S., establishing special protections and parental rights for the online privacy of children under the age of 13. The COPPA Rule was adopted by the U.S. Federal Trade Commission (\u201cFTC\u201d) after a detailed public-rulemaking process and has been amended twice since its adoption, each time as part of a public-rulemaking process. However, recently multiple states have enacted laws imposing new and varied obligations and restrictions on the collection, use and disclosure of minor personal information, which go beyond the standard set by the COPPA Rule.<\/p>\n

Given these myriad new state minor privacy laws, COPPA is no longer the primary benchmark for children\u2019s online privacy in the U.S. Rather, businesses must contend with a new (and growing) patchwork of state laws, with differing age thresholds and varying restrictions and obligations. Some of these laws address minor privacy in relatively narrow ways within state comprehensive consumer privacy laws\u2014 for example, by restricting targeted advertising uses of minor personal information. On the other hand, many states have enacted much broader minor privacy laws (as well as minor online safety laws) that aim to increase online protections for all minors, including teens and children under the age of 13.<\/p>\n

Several of these state minor privacy laws are currently under challenge, on the basis that they violate the U.S. Constitution. In some instances, lower courts are proceeding with discovery on the constitutional challenges, without first ruling on whether to grant injunctive relief, while in other instances courts have partially or fully enjoined enforcement of the laws, pending resolution of the underlying claims. Further complicating matters, on appeal, some lower court injunctions have been vacated in part, remanded for further review, or otherwise modified in subsequent legal proceedings. So, the status of many of these laws is a moving target. Amid this ongoing uncertainty, states have also continued to adopt new minor privacy laws. All of these things can make it difficult to evaluate the scope and impact of this patchwork of laws, and to identify, plan and implement appropriate business and operational changes for compliance.<\/p>\n

That said, from a practical perspective, most new state minor privacy laws\u2014despite their differences\u2014fit within one of following categories: (a) general restrictions on the processing of minor personal information; (b) minor online privacy protections; and (c) minor online safety laws. The table below provides a high-level overview of some of the common elements of these laws.<\/p>\n\n\n\n\n\n\n
\u00a0<\/span><\/td>\nGeneral\u00a0Restrictions on Minor Personal Information<\/span><\/b>\u00a0<\/span><\/td>\nMinor Online Privacy Protections<\/span><\/b>\u00a0<\/span><\/td>\nMinor Online Safety Laws<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
Scope and Applicability<\/span><\/i>\u00a0<\/span><\/td>\nControllers\u00a0that are\u00a0subject to\u00a0a\u00a0state\u2019s\u00a0comprehensive consumer privacy laws.<\/span>\u00a0<\/span><\/td>\nGenerally, websites\u00a0and online\u00a0services\u00a0that are likely to be accessed by minors.\u00a0<\/span>\u00a0<\/span><\/td>\nGenerally,\u00a0specific\u00a0online services, such as app stores, app developers,\u00a0social media platforms, and chatbots.\u00a0<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Age Threshold<\/span><\/i>\u00a0<\/span><\/td>\nVaries.<\/span>\u00a0<\/span><\/td>\nGenerally, minors\u00a0under 18 years old.<\/span>\u00a0<\/span><\/td>\nGenerally, minors\u00a0under 18 years old\u00a0(some variances).<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Common<\/span><\/i>\u00a0<\/span><\/p>\n

Components<\/span><\/i>\u00a0<\/span><\/td>\n

Prohibit or require consent for sales and targeted advertising uses of minor personal information; prohibit profiling\/ automated decision-making concerning known minors; Sensitive data defined to include personal data of a known child; DPIA\u00a0required\u00a0for processing of children\u2019s personal data.<\/span>\u00a0<\/span><\/td>\nPrivacy by design and default;\u00a0transparency;\u00a0age assurance; purpose and\u00a0use\u00a0limitations;\u00a0sales and\u00a0targeted advertising\u00a0prohibitions; geolocation collection and use restrictions;\u00a0mandatory DPIAs;\u00a0limits on\u00a0addictive or compulsive features.<\/span>\u00a0<\/span><\/td>\nAge\u00a0assurance\/verification; parental consent for account creation or app downloads and in-app purchases; prominent warnings and notices;\u00a0limits\u00a0on\u00a0or compulsive\u00a0features;\u00a0mandatory\u00a0parental controls, time\u00a0limits\u00a0and privacy protections; content filtering and monitoring; parental rights over accounts and personal information of their children.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

While not covered above, it is also worth noting that a number of states have also enacted new or expanded content liability laws, making certain operators liable for exposing minors to harmful content online (i.e., obscene sexual content); these laws often require covered operators implement reasonable age verification methods to prevent minors from accessing such content and provide a safe harbor for operators that do so.(2)<\/sup><\/p>\n

 <\/p>\n

Minor Online Privacy Laws and Age-Appropriate Design Codes<\/h4>\n

In September 2022, California passed the California Age Appropriate Design Code Act (the \u201cCA-AADC\u201d) to ensure that California minors are \u201cafforded protections not only by online products and services specifically directed at them but by all online products and services they are likely to access.\u201d(3)<\/sup> The CA-AADC was modeled after the United Kingdom\u2019s Age-Appropriate Design Code.(4)<\/sup><\/p>\n

The CA-AADC imposes broader obligations and applies to a far broader range of businesses than COPPA. However, the CA-AADC was enjoined before taking effect and a large portion of it remains enjoined, pending resolution of the constitutional challenges brought by trade association NetChoice, LLC, in NetChoice v. Bonta.(5)<\/sup> Despite the constitutional uncertainty surrounding the CA-AADC, a number of states followed suit, enacting minor online privacy laws \u2014some of which are modeled in large part after the CA-AADC(6)<\/sup> and others which take a more distinct approach.(7)<\/sup> Many of these laws have also been challenged by NetChoice and other trade associations on constitutional grounds similar to those raised in NetChoice v. Bonta.(8)<\/sup><\/p>\n

While these state minor online privacy laws vary, generally, they apply to websites, mobile applications, and other products, features and services accessible online (each an \u201conline service\u201d hereafter) that are likely to be accessed by minors under the age of 18. In determining whether an online service is likely to be accessed by minors, many (but not all) of these laws commonly point to some of the following factors:<\/p>\n

    \n
  • Whether the online service includes ads or marketing that target minors.<\/li>\n
  • Whether the online service uses design elements known to be of interest to minors (e.g., games, cartoons, music, or celebrities that appeal to minors).<\/li>\n
  • Whether a \u201csignificant amount of the audience\u201d is under 18 years old based on the company\u2019s internal research or other empirical evidence.<\/li>\n
  • Whether a significant number of minors under 18 years old routinely access the online service (based on competent and reliable evidence), or whether the online service is substantially similar to another such online service.<\/li>\n
  • Whether the online service is directed to minors as defined by COPPA.<\/li>\n
  • Evidence regarding the intended audience.<\/li>\n<\/ul>\n

    Notably, some of these laws also apply where an operator knows or should know that a particular user is a minor. For example, under the Maryland Age-Appropriate Design Code Act one of the factors for determining if an online service is likely to be accessed by minors is whether the operator \u201cknows or should have known that a user is a child.\u201d(9)<\/sup> The New York Child Data Protection Act applies to personal information about users of online services that (a) that are primarily directed to minors, or (b) that the operator of the online service knows to be under 18 years old.(10)<\/sup><\/p>\n

    The South Carolina Age-Appropriate Design Code Act (\u201cSC-AADC\u201d) takes a somewhat distinct approach by defining covered online services as (a) online services where an individual is known to the provider to be a minor, and (b) online services that are \u201cdirected to children\u201d as defined by COPPA.(11)<\/sup> Nebraska also takes a nuanced approach by excluding \u201cany online service with actual knowledge that fewer than two percent of its users are minors.\u201d(12)<\/sup><\/p>\n

    While the scope of covered services and applicable requirements vary, some common requirements and restrictions include:<\/p>\n

      \n
    • Notice and informed consent requirements for certain higher-risk processing activities.<\/li>\n
    • Restrictions on the collection, use, disclosure, and processing of minor personal information beyond what is necessary to provide a product or service the minor intentionally interacts with or has specifically requested.<\/li>\n
    • Prohibitions on sales, targeted advertising, and profiling.<\/li>\n
    • Significant restrictions on the collection and processing of geolocation data and prohibitions on the sharing of geolocation data.<\/li>\n
    • Requirements to apply most \u201cprotective\u201d privacy settings where available.<\/li>\n
    • Controls that can be used to block or disable certain features (e.g., personalized recommendations, interactive features, profile visibility, features designed to increase frequency, time, and activity on the covered service).<\/li>\n
    • Access, correction, and deletion rights, and related business obligations.<\/li>\n
    • Mandatory data protection impact assessment obligations.<\/li>\n<\/ul>\n

      Some state laws, including the SC-AADC(13)<\/sup> and the Nebraska Age-Appropriate Design Code(14)<\/sup> also include specific obligations regarding \u2018covered design features\u2019 that encourage or increase a minor\u2019s time, frequency, or activities on the service. The CA-AADC and MD-AADC require business to account for the \u2018best interests\u2019 of the child and prohibit uses that a business knows are materially detrimental to the physical health, mental health, or well-being of the minor.(15)<\/sup><\/p>\n

      Even though a number of these laws are being challenged, several are already in effect. Accordingly, businesses should evaluate their online services to determine which if any are \u201clikely to be accessed by minors\u201d and whether and to what extent they have reason to know that any users are minors. From there, businesses can begin to consider where changes may be needed (e.g., turning tracking and third-party cookies off by default, reviewing vendor and third-party data flows) and identify other actions that may be required for compliance (such as data protection impact assessments).<\/p>\n

       <\/p>\n

      General Restrictions on Collection, Use and Disclosure of Minor Personal Information<\/h4>\n

      Starting with the passage of the California Consumer Privacy Act of 2018 (the \u201cCCPA\u201d), which took effect January 1, 2020, more than twenty states have passed comprehensive consumer privacy laws, which apply to the personal information of consumers who are residents of the respective states. Nearly each of these laws include provisions specific to the personal information of consumers that are known minors.(16)<\/sup> In contrast to the minor online privacy and safety laws discussed above, the prohibitions and restrictions discussed below apply more generally to controllers and businesses; and are not limited to operators of online services, social media platforms or app stores.<\/p>\n

      While the age threshold for what is in-scope personal information varies, many state comprehensive privacy laws treat personal information concerning children as \u201csensitive personal information\u201d and further restrict or prohibit certain uses and disclosures of minor personal information.<\/p>\n

       <\/p>\n

      Sensitive Data under U.S. State Comprehensive Privacy Laws<\/span><\/p>\n

      Recently, the definition of sensitive personal information under the CCPA Regulations was amended to include the personal information of consumers that the business knows are less than 16 years of age.(17)<\/sup> However, the CCPA does not impose an affirmative consent obligation on the collection or processing of sensitive personal information. Rather, it gives consumers the right to limit certain uses and disclosures of sensitive personal information.(18)<\/sup> In effect, this right applies to any personal information about a consumer that the business knows is under 16 years of age.<\/p>\n

      In contrast to the CCPA, most state comprehensive privacy laws define sensitive data to include personal information about consumers who a controller knows are under the age of 13, require parental consent to collect such data, and prohibit controllers from processing such sensitive data except in compliance with COPPA(19)<\/sup> (which requires businesses to obtain separate, specific opt-in consent to disclose children\u2019s personal information for targeted advertising).(20)<\/sup> Many state comprehensive consumer privacy laws also require controllers that process sensitive data (including personal data about children under 13 years old) to document and maintain data protection impact assessments for any such processing activities.(21)<\/sup><\/p>\n

      The Maryland Online Privacy Protection Act (the \u201cMaryland OPPA\u201d) defines sensitive data to include \u201cpersonal data of a consumer that the controller knows or has reason to know\u201d is a child under 13 years old.(22)<\/sup> Unlike the majority of state comprehensive privacy laws, the Maryland ODPPA more broadly prohibits the sale of sensitive data (including children\u2019s personal data) as well as collection and processing of such data that goes beyond what is strictly necessary to provide a product or service requested by the consumer.(23)<\/sup><\/p>\n

       <\/p>\n

      Restrictions on Sales, Targeted Advertising and Profiling<\/span><\/p>\n

      Many state comprehensive privacy laws also impose heightened restrictions or obligations on certain uses and disclosures of personal information about minors below certain age thresholds. For example, under the CCPA, businesses are prohibited from selling or sharing personal information about any consumer that the business knows is under the age of 16, without affirmative consent. For minors 13 to 15 years old, the affirmative consent of the minor is required, and for minors under the age of 13, verifiable parental consent (in accordance with COPPA) is required. Businesses that willfully disregard the age of consumers are deemed to have actual knowledge of their age. Accordingly, businesses that collect age or date of birth and allow minors to create accounts, for example, will be deemed to have actual knowledge of the age of the account holder in so far as they can identify the consumer (e.g., when the consumer is logged in to their account).<\/p>\n

      Similar to the CCPA, some state comprehensive privacy laws prohibit sales and targeted advertising uses of minor personal data without consent. For example, under the Delaware Personal Data Privacy Act(24)<\/sup> (the \u201cDelaware PDPA\u201d), controllers are prohibited from (i) processing a consumer\u2019s personal data for purposes of targeted advertising, and (ii) selling a consumer\u2019s personal data without the consumer\u2019s consent, where a controller has actual knowledge or willfully disregards that the consumer is 13 to 17 years old.<\/p>\n

      The New Jersey Consumer\u202fData\u202fPrivacy\u202fAct (the \u201cNew Jersey CDPA\u201d) also prohibits sales and targeted advertising uses of a minor personal information without consent, as well as engaging in automated processing for purposes of profiling in furtherance of decisions that have legal or similarly significant effects on such consumers without consent.(25)<\/sup> However, the New Jersey CDPA restrictions apply to personal information about consumers where a controller knows or willfully disregards that the consumer is 13 to 16 years old.(26)<\/sup><\/p>\n

      In contrast, several state comprehensive privacy laws prohibit certain uses and disclosures of personal information about minors (with varying age thresholds), regardless of consent. For example, effective July 1, 2026, the Connecticut Data Privacy Act (the \u201cConnecticut DPA\u201d) prohibits controllers from (i) processing personal information about consumers for purposes of targeted advertising, or (ii) selling personal information about any consumer that the controller knows or willfully disregards to be 13 to 17 years old.(27)<\/sup> Similarly, the Maryland ODPA prohibits sales and targeted advertising where a controller \u201cknows or has reason to know\u201d that the consumer is under 18 years old.(28)<\/sup> While the Minnesota Consumer Data Privacy Act also prohibits sales and targeted advertising use of minor personal data, this prohibition only applies where the controller knows that the consumer is 13 to 16 years old.(29)<\/sup><\/p>\n

      Some states also prohibit processing activities that go beyond sales and targeted advertising. For example, under the Oregon Consumer Privacy Law,(30)<\/sup> where controllers know or willfully disregard that a consumer is under the age of 16, they are prohibited from (i) processing the consumer\u2019s\u202fpersonal data for the purposes of targeted advertising, and (iii) selling the consumer\u2019s personal information, as well as (iii) engaging in automated processing of the consumer\u2019s personal data for profiling in furtherance of decisions that have legal or similarly significant effects on the consumer.(31)<\/sup><\/p>\n

       <\/p>\n

      Looking Ahead<\/h4>\n

      Minor privacy, social media, and online safety continue to be key focus areas for state legislatures, with dozens of minor privacy, social media and digital safety bills introduced in the first quarter of 2026. This trend is likely to continue, in particular as federal efforts to adopt new minor privacy legislation appear stalled for the time being. As pending legal challenges against state minor privacy laws proceed and recently enacted legislation takes effect, ongoing developments are likely for the foreseeable future. Businesses that operate websites and other online services should continue to monitor developments in this area.<\/p>\n

       <\/p>\n

      (1)<\/sup>(The COPPA Rule was adopted by the FTC, pursuant to the Children\u2019s Online Privacy Protection Act of 1998, 15 U.S.C. \u00a7\u00a7 6501 – 6509.)<\/span>
      \n(2)<\/sup>(See e.g., Ind. Code Ann. \u00a7 24-4-23; \u00a7; and S.C. Code Ann. \u00a7 37-1-310.)<\/span>
      \n(3)<\/sup>(Assem. Bill 2273, 2021-2022 Reg. Sess. (Cal. 2022), 2022 Cal. Stat. ch. 320, codified at Cal. Civ. Code \u00a7\u00a7 1798.99.28 – 1798.99.40.)<\/span>
      \n(4)<\/sup>(See i.d.)<\/span>
      \n(5)<\/sup>(NetChoice, LLC v. Bonta, 113 F.4th 1101 (9th Cir. 2024).)<\/span>
      \n(6)<\/sup>(See the Maryland Age-Appropriate Design Code, Md. Code Ann., \u00a7 14-4801 \u2013 14-4813.)<\/span>
      \n(7)<\/sup>(See, e.g., N.Y. Gen. Bus. Law \u00a7\u00a7 899-EE. In addition to the minor online privacy laws passed as separate statutes, several states have enacted minor online privacy requirements as a part that states\u2019 respective comprehensive consumer privacy laws. See, e.g., Conn. Gen. Stat. \u00a7 \u201cSec. 42-529a; and)<\/span>
      \n(8)<\/sup>(See, e.g., Net Choice v. Brown, Case 1:25-cv-00322-RDB (Dist. Md.).)<\/span>
      \n(9)<\/sup>(Md. Code Ann. \u00a7 14-4801(s).)<\/span>
      \n(10)<\/sup>(See N.Y. Gen. Bus. Law \u00a7\u00a7 899-EE.)<\/span>
      \n(11)<\/sup>(S.C. Code \u00a7 39-80-10(17)(a).)<\/span>
      \n(12)<\/sup>(Neb. Rev. Stats. \u00a7 87-1302(5)(c))<\/span>
      \n(13)<\/sup>(S.C. Code Ann. \u00a7\u00a7 39-80-10(3) and 39-80-30(a).)<\/span>
      \n(14)<\/sup>(Neb. Rev. Stat. \u00a7\u00a7 87-1302(3) and 87-1304.)<\/span>
      \n(15)<\/sup>(See Cal Civ Code \u00a7 1798.99.31(b)(1) & (7); Md. Code Ann. \u00a7\u00a7 14-4801(c) and 14-4806(a)(1).)<\/span>
      \n(16)<\/sup>(See e.g., FN 21. In addition, some state comprehensive privacy laws have also been enacted with, or amended to include, minor privacy provisions restrictions apply specifically to online services that are targeted to or used by minors. These laws are discussed (along with state minor online privacy and age-appropriate design code laws) under the section \u201cMinor Online Privacy Protections.\u201d)<\/span>
      \n(17)<\/sup>(See 11 Cal. Code Regs \u00a7 7001(bbb).)<\/span>
      \n(18)<\/sup>(See Cal. Civ. Code \u00a7 1798.121.)<\/span>
      \n(19)<\/sup>(See e.g., Col. Rev. Stat. \u00a7\u00a7 6-1-1303(24) and 6-1-1308(7); Conn. Gen. Stat. \u00a7\u00a7 42-515 (38) and 42-520(a)(4); Ind. Code \u00a7\u00a7 24-15-2-28(3) and 24-15-4-1(5); Iowa Code \u00a7\u00a7 715D.1(26)(c) and 715D.4(2); Kt. Rev. Stat. \u00a7\u00a7 367.3611(28)(c) and 367.3617(e); Minn. Stat. \u00a7\u00a7 325O.02-2(v)(3) and 325O.07-2(a)(d); Neb. Rev. Stat. \u00a7\u00a7 87-1102(3) and 87-1112(1)(d); N.H. Rev. Stat. Ann. \u00a7\u00a7 507-H:1(XXVIII) and 507-H:6(I)(d); R.I. Gen. Laws \u00a7\u00a7 6-48.1-2(26) and 6-48.1-4(c); Tenn. Code Ann. \u00a7 47-18-3204(a)(6); Tex. Bus. and Comm. Code \u00a7\u00a7 541.001(29) and 541.101(b)(4); Code of Virg. \u00a7\u00a7 59.1-575 and 59.1-578(A)(5).)<\/span>
      \n(20)<\/sup>(See e.g., 16 C.F.R. \u00a7 312.5(a)(2).)<\/span>
      \n(21)<\/sup>(See e.g., Col. Rev. Stat. \u00a7\u00a7 6-1-1309(2)(c); Conn. Gen Stat. \u00a7 42-522(a)(4); Del. Code. Ann. \u00a7 12D-108(a)(4); Ind. Code \u00a7 24-15-6-1(b)(4); Kt. Rev. Stat. \u00a7 367.3621(e); Md. Code Ann. \u00a7 14\u20134710(a)(3); Minn. Stat \u00a7\u202f325O.08(b)(3); Neb. Rev. Stat. \u00a7 87-1116(1)(e); N.H. Rev. Stat. Ann. \u00a7 507-H:8(I)(d); R.I. Gen. Laws \u00a7 6-48.1-7(e); Tenn. Code Ann. \u00a7\u202f47-18-3206(a)(4); Tex. Bus. and Comm. Code \u00a7 541.105(a)(4); Code of Virg. \u00a7 59.1-580(A)(4).)<\/span>
      \n(22)<\/sup>(Md. Code Ann. \u00a7 14\u20134601(gg).)<\/span>
      \n(23)<\/sup>(Id. at \u00a7 14\u20134607(a). )<\/span>
      \n(24)<\/sup>(84 Del. Laws, c. 197, \u00a7 1, codified at Del. Code. Ann. \u00a7\u00a7 12D-101 to 12D-111 (2026).)<\/span>
      \n(25)<\/sup>(N.J. Code \u00a7 6:8-166.12(7).)<\/span>
      \n(26)<\/sup>(Id.)<\/span>
      \n(27)<\/sup>(Id. at Ct. Gen. Stat. \u00a7 42-520(a)(4) (effective July 1, 2024). Prior to July 1, 2026, under \u00a7 42-520(a)(4), controllers are prohibited from processing personal information for targeted advertising or selling personal information about consumers 13 to 15 years old without their consent, where the controller knows or willfully disregards that a consumer is 13 to 15 years old. See Ct. Public Act No. 25-113 (June\u202f6,\u202f2025) (modifying Ct. Gen. Stat. \u00a7 42-520(a)(4), effective July 1, 2026).)<\/span>
      \n(28)<\/sup>(Md. Code Ann. \u00a7 14-4707(a)(4) – (5).)<\/span>
      \n(29)<\/sup>(Minn. Stat. \u00a7 325O.07-2(f).)<\/span>
      \n(30)<\/sup>(Or. Rev. Stat. \u00a7\u00a7 646A.570 to 646A.589)<\/span>
      \n(31)<\/sup>(Id. at Or. Rev. Stat. \u00a7 646A.578(2).)<\/span><\/p>\n","protected":false},"featured_media":0,"template":"","class_list":["post-140786","hot_topics","type-hot_topics","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/hot_topics\/140786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/hot_topics"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/hot_topics"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=140786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}