Reprinted with permission from the March 2025 issue of Cybersecurity Law & Strategy. © 2025 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
For decades, the Children’s Online Privacy Protection Act (COPPA), a federal law that regulates data collected from children under 13, has been the only law to expressly address privacy for minors’ information other than student data. Bipartisan efforts to expand COPPA and other attempts at federal legislation to address online and data privacy for users under the age of 18 have repeatedly stalled in the past few years.
In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children. This follows a common pattern in which states filled the gaps left by an absence of federal privacy law – seen with the proliferation of state legislation on data breach notification, health, artificial intelligence, and now, children under 18. Without preemptive federal legislation, these state laws create a dizzying and challenging compliance patchwork for businesses, with laws that are interpreted and enforced by regulators with varying priorities.
These new children’s “privacy” laws seek to address a spectrum of concerns including service design, potential harm, parental oversight, age verification, consent, and data processing. While most of the concepts are not novel – kids under 13 have been afforded additional protections and been given limited access to certain platforms in the past – the breadth of these new laws, the covered platforms, the design mandates, and the application to teens are new. Outright bans on accessing social media platforms and potential bans related to use of apps stores without parental consent for all minors are ushering in a new era of restrictions for minors online.
As more states continue to introduce and refine these laws, and regulators seek to enforce them, companies, including those that have historically not focused on children’s privacy because they were not subject to COPPA, should carefully evaluate their current and future offerings and the ages of their customers to determine the applicability of these laws.
State Age-Appropriate Design Codes
California and Maryland’s recently passed age-appropriate design codes (AADCs) are aimed at enhancing protections for minors online by regulating how platforms are designed and process information about minors. They are modeled after the United Kingdom’s Children’s Code, which sets forth 15 standards tied to ensuring the best interests of minors that must be followed by online service providers. Meanwhile, Connecticut, Colorado, and Virginia have updated their comprehensive privacy laws to incorporate impact assessment provisions and processing limitations similar to these design codes.
These AADCs primarily target online platforms “likely to be accessed” by children and teens. In California and Maryland, in particular, this standard is broad and does not require a company “know” that a user is a child. State regulators have yet to provide guidance on when services may be in or out of scope. AADC rules require companies to assess and mitigate risks specifically associated with offering services to minors, ensuring that their services do not expose children to undue harm. The provisions typically call for platforms to conduct data impact assessments on their products and scrutinize design elements for transparency and age-appropriateness and impose limits on targeting ads to minors, “profiling” them, and encouraging minors to provide unnecessary personal information or spend too much time online. Significantly, these codes also require default privacy settings to protect minors, policies and terms to be in language accessible to the users of the platform, and tools that enable minors and parents to exercise their privacy rights and submit complaints.
While California and Maryland’s codes are currently being challenged on First Amendment grounds, we expect that some design and privacy requirements from these AADC laws will survive and will impact a large variety of businesses. Since changing design elements for online services is often time-consuming and resource intensive, businesses should be evaluating their current potential exposure and, if applicable, make plans for updates to their websites, mobile applications, and other services used by minors.
State Expansion of Consent Requirements
Historically, to process data collected online from children under the age of 13, companies needed to obtain verifiable parental consent under COPPA. The analysis on what consent to obtain, from whom, and when, has been greatly expanded by several comprehensive state privacy laws and further complicated by laws focused on social media platforms.
STATE PRIVACY LAW CONSENT REQUIREMENTS TO PROCESS MINORS’ DATA
While the COPPA consent model has been in place for many years for data collected from children under 13, a variety of recently enacted state privacy laws have created new consent obligations to process personal data from teens. These laws restrict businesses from selling teens’ personal information or processing teens’ personal information for targeted advertising or “profiling” without their express consent. While seeking consent directly from teens could be operationally easier than obtaining parental consent, these state laws vary on which teens are in scope – some are 13-15 and some are 13-17 – creating operational challenges for businesses.
STATE LAWS REQUIRING PARENTAL CONSENT FOR ACCESS TO SERVICES
Laws regulating social media-like services have added an additional layer of complexity to consent frameworks for children. These laws apply to traditional social networking platforms, as well as other platforms that allow for public posting of content among users or sharing of videos and photos, and regulate when minors can use such services, how their data is handled, and how content is delivered to them. Many social media laws require the platforms to verify the age of all users and obtain parental consent for users under 18 before they can use the service. Some also restrict platforms from personalizing content for minors or using an algorithm to deliver content and require parental access to their minor child’s activity.
The laws vary on whether they specify appropriate age verification and parental consent methods. Determining how to “verify” age and parental relationship and which consent requirement applies and operationalizing those requirements will be very challenging for companies. While some social media laws have been successfully enjoined on constitutional grounds, others are already effective.
Certain state legislatures are also considering social media platforms and app stores as potential gatekeepers to online access for minors. In Florida, a contested law bans access to social media platforms for users under 14 and requires parental consent for those aged 14 and 15. Utah and South Carolina have proposed bills to require: (i) app stores to verify the age of all users; (ii) parental consent before permitting minors to download apps; and (iii) developers to provide certain information to the operators of app store platforms, including their age rating and changes to their app’s practices. Laws like these will continue to be challenged, and courts are likely to scrutinize laws that ban minors’ ability to view content or that require all users, including adults, to face obstacles to access content.
Revisions to COPPA and Federal Legislative Proposals
At the federal level, changes in the space have been more limited. The Federal Trade Commission (FTC) has adopted modest changes to the COPPA Rule, while Congress has tried, but failed, to enact new privacy laws for minors. Early this year, the FTC finalized changes to the COPPA Rule for the first time in over a decade, that, among other things, expand the parental consent methods and set forth more rigorous consent requirements for disclosures to third parties. Specifically, businesses can now collect mobile phone numbers from parents and send text messages to parents to obtain consent. But operators must now obtain separate verifiable parental consent when a child’s personal information is used for targeted advertising and/or otherwise disclosed to third parties.
Meanwhile, Congress has indicated that it is ready to pass broader protection for all minors, but interested parties have not yet been able to put forth a bill that has sufficient support. Last year, both the Children and Teen Online Privacy Protection Act (COPPA 2.0) and the Kids Online Safety Act (KOSA) passed the Senate but did not gain enough support in the House, which cited various concerns about both pieces of legislation. Versions of both COPPA 2.0 and KOSA are expected to be introduced this session. In addition, the Kids Off Social Media Act (KOSMA), a bill that prohibits social media platforms from targeting teens with personalized recommendations and bans children under 13 from using such platforms altogether, was recently voted out of the Senate Commerce Committee. It remains to be seen if these bills will garner enough votes in this session to add new federal children’s privacy obligations on top of the numerous state ones. If Congress is finally successful, businesses will have even more children’s privacy obligations to contend with.
Conclusion
Concern from both regulators and parents about minors’ online activities will continue to further the demand for legislative action in the area. Even if some of these laws face judicial challenges, companies should be prepared to respond to a more restrictive regulatory framework when it comes to users who are minors. Weaving obligations with respect to minors into already complex regulatory frameworks may present operational challenges and create regulatory risks. But keeping abreast of changes to the laws and leveraging the programs and tools adopted for general privacy law compliance will help companies address new requirements for minors.
