During the Biden administration, children’s privacy was clearly a federal government priority. President Biden included privacy—and children’s privacy, in particular—in his agenda in both the 2022 and 2023 State of the Union addresses; Congress introduced numerous children’s privacy bills; and the Federal Trade Commission (FTC) issued its most aggressive children’s privacy settlement yet by using its Section 5 powers to broaden its children’s privacy mandate to include not only children under the age of 13 but all minors.
It is still unclear whether the Trump administration will have the same amount of focus on the protection of children’s privacy. After a significant delay, the FTC, which enforces the Children’s Online Privacy Protection Act (COPPA), did finally published its proposed amendments to the COPPA Rule in the Federal Register. The agency currently has only three out of the five required commissioners, however. Previous dissents by these commissioners could suggest that the FTC might take a narrower view of its enforcement powers.
State Privacy Laws
With the federal government potentially taking a step back, children’s privacy protection will fall to the states through a patchwork of general and child-specific privacy laws. Currently, 19 states have adopted comprehensive state privacy laws. Even though they are not specifically focused on children’s privacy, all of these laws address the use or collection of information from minors. While the specific requirements related to children differ from state to state, the following themes are consistent across most of these laws:
- Thresholds. Companies must meet specific thresholds before they are required to comply with these state laws. Typically, these thresholds require a certain number of users or amount in profits.
- Opt-in to collect sensitive personal information. Many state laws require opt-in consent to collect sensitive personal information, which can include information collected either from a child or about a child. The definition for children is typically the same as COPPA’s—under age 13.
- Opt-in consent for sale of teen personal information. Some of these laws require opt-in consent for the use, sale, sharing or use of personal information for targeted advertising purposes for teens. The age of teens can range from 13 to under 18.
These laws increase the difficulty of navigating the comprehensive state privacy law landscape with respect to minors’ data, because the requirements vary from state to state.
Child-Specific Privacy Laws
Other states also have child-specific privacy laws. These laws can be grouped into four different categories:
1. Age-Appropriate Design Codes
Five states (California, Colorado, Connecticut, Florida and Maryland) have age-appropriate design code laws. In addition, several states, including Vermont, Illinois and South Carolina, are attempting to pass similar laws this year. Generally, AADC laws require:
- Thresholds. Like the comprehensive privacy laws, California and Maryland both have minimum business thresholds, but not all the states do. For instance, Florida, Colorado and Connecticut do not have minimum business thresholds.
- Age limits. While some of these laws define children as under the age of 13 and some of them define children as under the age of 18, all of these laws have clauses that apply to minors under the age of 18.
- No harm to a child. All of these laws prohibit the use of a child’s information in a manner that either harms the child or is not in the best interests of the child.
- Prohibitions against profiling a child (with some possible exceptions in certain states).
- Prohibitions against the collection, sharing or selling of a child’s personal information (with some possible exceptions in certain states).
- Prohibitions against the collection of precise geolocation information (with some possible exceptions in certain states).
- Prohibitions against the use of dark patterns.
- Data privacy impact assessments.
It’s also worth noting that these laws are being challenged. A California federal district court recently enjoined the enforcement of the entirety of the state’s AADC on March 13, and the Maryland AADC may face a similar fate as a lawsuit challenging it was filed on Feb. 3. Meanwhile, states like Vermont continue to pass amended AADC bills in hopes of addressing First Amendment concerns that have been raised in other states and litigation filings.
2. Laws Restricting Minors’ Social Media Access
Multiple states have passed laws to limit children’s access to social media accounts. These states include Arkansas, California, Florida, Georgia, Louisiana, Mississippi, New York, Ohio, Tennessee, Texas and Utah, and have been joined by Puerto Rico. How these laws attempt to protect children from social media varies greatly—from the definitions of “social media” to how these laws are applied to the age of the protected children to how the laws actually protect children.
For instance, the Utah App Store Accountability Act (effective May 7) requires app store providers to verify users’ ages and obtain parental consent to download apps. The Texas Securing Children Online Through Parental Empowerment Act limits the access of children under 18 to certain functionalities on the social media platform. For instance, the law prohibits targeted advertising, precise geolocation and sharing or selling of minor’s personal information. It also attempts to prevent a child’s exposure to harmful materials. Florida’s Online Protections for Minors Law (effective Jan. 1), requires termination of accounts for children under 14 and parental consent for accounts for minors between 14 and 15. While these state laws vary greatly, there is one constant. Nearly all of them are being challenged by NetChoice, an advocacy group backed by Big Tech including Google, Meta, Amazon and Yahoo. NetChoice has consistently opposed these laws on First Amendment grounds, and has scored several wins, including a permanent injunction against Arkansas’ Social Media Safety Act, which a federal court declared unconstitutional and, most recently, a similar ruling blocking Ohio’s Parental Notification by Social Media Operators Act, in which the federal judge found the law “breathtakingly blunt” and “constitutionally infirm.”
NetChoice appears to have spared only one children’s social media law—Louisiana’s Protection of Children’s Internet Data Act. Unlike the challenged laws, Louisiana’s legislation does not prohibit a child’s use of social media. Instead, it prohibits social media platforms from displaying targeted advertising to minors under 19 or selling sensitive personal data of a minor. The law will take effect on July 1.
3. Laws Restricting Children’s Access to Harmful Content
Nearly 20 states have passed laws restricting children’s access to pornographic material. While most of these laws have not been challenged, the Free Speech Coalition, a trade group representing the adult entertainment industry, filed a lawsuit over the Texas law requiring age verification for pornographic websites. The case was argued in the U.S. Supreme Court on Jan. 15. However, since the appeal only addresses whether the correct First Amendment test was applied at the preliminary injunction stage, we may not have a final decision on the merits for some time.
In addition to the laws restricting children’s access to pornography, two states have passed general “harmful content” laws. California passed the Protecting Our Kids from Social Media Addiction Act in September 2024. It prohibits social media companies from providing an addictive feed to minors under 18 without verifiable parental consent and requires a default setting that limits a minors access to one hour per day. NetChoice sued to stop the state from enforcing the law and a federal judge refused to bar key provisions of the legislation. An appeal is pending before the Ninth Circuit. Texas also passed the Securing Children Online Through Parental Empowerment Act, which requires companies to develop strategies to prevent minors’ exposure to material that glorifies suicide, substance abuse, stalking, harassment and grooming/trafficking. NetChoice filed suit in July 2024 to block the enactment of certain provisions and a federal judge in Texas granted the advocacy group a preliminary injunction.
4. State Children’s Privacy Laws
To address the unique privacy needs of children, New York passed the Child Data Protection Act (effective June 20), which prohibits operators of online services from processing the personal data of minors ages 13 to 17 without their informed consent, unless doing so is strictly necessary for the service. Additionally, New Hampshire and New Jersey also are attempting to pass COPPA-style laws to protect minors online.
Predictions for the Rest of 2025 and Beyond
With the federal government’s failure to move forward on enacting children’s privacy legislation, states are creating a patchwork of children’s privacy laws with varying provisions across the United States. We will undoubtedly see more state children’s privacy bills introduced this year.
Given the fact that many of these state children’s privacy laws are being challenged, we expect state attorneys general to bring actions to protect children under general privacy laws. For instance, in early March, New York Attorney General Letitia James announced a settlement with Saturn Technologies, the developer of an application used by high school students to create personal calendars, message and locate other users, and share social media accounts. James claimed Saturn Technologies violated its own privacy policy. The company claimed the app users could only interact with students from their own high school, but the app failed to verify users’ school email and age to ensure they were high school students and/or from the same high school. Saturn Technologies ended up paying $650,000 in penalties and agreed to significantly change its privacy practices.
In addition, Massachusetts Attorney General Andrea Joy Campbell sued Meta under the state’s consumer protection statute, claiming that Meta and Instagram purposely designed their applications to addict young users. The suit alleges Meta repeatedly deceived the public about the danger posed to young people who overuse their products. Meta maintains its actions are protected under Section 230 of the Communications Decency Act and the First Amendment of the U.S. Constitution. A superior court rejected Meta’s arguments, and the Massachusetts Supreme Judicial Court recently agreed to review the ruling. Given that a similar suit is pending in California, the courts’ upcoming decisions may have a ripple effect across the nation and could require Meta to change its business practices.
Based on the legal activity that occurred during the first few months of 2025, we anticipate that throughout the rest of the year, we will continue to see activity in children’s privacy regulation at the state level. This includes already passed laws taking effect, state legislatures enacting new laws, advocacy groups challenging these laws, and state attorneys general using various enforcement powers to protect children.