Hashed & Salted | A Privacy and Data Security Update
Over the past few months, the news has been overrun with stories about children’s privacy—in particular, decisions and settlements involving children’s safety on social media platforms. In phase one of a social media case brought by New Mexico’s attorney general, the jury found advertising misled consumers about platform safety and the scope of potential exposure of children and teens to mental health harms in violation of the state’s Unfair Practices Act, awarding $375 million in damages. Phase two involved a bench trial, just concluded in May, on additional claims and seeking court-ordered changes to the platforms. The day after the jury verdict in New Mexico, a jury in Los Angeles County ruled in favor of the plaintiff in a “social media addiction” case, awarding $6 million in damages in the first of what are thousands of similar cases pending throughout the country. Most recently, a social media gaming platform popular with children settled allegations by three states—Alabama, West Virginia and Nevada—that the platform failed to protect children from online predators. While not admitting wrongdoing or liability, the platform agreed to pay a total of $35 million and to implement safety changes including age verification requirements and stronger parental controls.
At the moment, these cases appear to be focused on a few high-profile companies, but their consequences will be far-reaching and probably will eventually affect most online companies—whether or not their services are directed to children.
Section 230 may not offer protection
Since it was passed in February 1996, Section 230 of the Communications Decency Act has been dubbed the “Magna Carta of the Internet” by the Brookings Institute and “The Law that Created the Internet” by Stanford Law School. Section 230 protects online platforms, like social media companies, from being held legally responsible for content created and posted by their users. It allows these platforms to remove or moderate content in good faith without becoming liable for what they host or take down. Social media companies have relied on Section 230 to avoid liability for user-generated content on their sites. For instance, through their Section 230 immunity, social media companies have been protected against claims that they have failed to protect their users when a minor was assaulted by someone she met through a social media platform, claims by victims of terrorist attacks that a social media company provided material support to terrorists by allowing them to use its platform, a mother’s claim that her son died of a fentanyl overdose after the social media platform facilitated drug sales, and a man’s claim that his ex-boyfriend harassed him by creating fake dating profiles of him.
The New Mexico and California cases are examples of the first chink in the Section 230 armor. Not only were the social media companies unsuccessful in having these cases dismissed based upon Section 230 immunity, but the juries found the social media companies’ actions were not protected by Section 230. This may not be a result of a failure of Section 230 but instead a result of the specific claims brought against the social media companies. Unlike previous third-party claims that argued that the user-generated content on the sites harmed the users, the New Mexico and California claims argued that the social media platforms’ designs and their advertising harmed children. By focusing on the social media platforms’ design and operational decisions, not the posts of their users, these cases may have found the magic bullet that can pierce the Section 230 immunity shield. If this distinction stands on appeal, this limitation of Section 230’s immunity power may open up online companies to additional risks.
Design features are the target
While there were distinct differences in the claims brought by the New Mexico attorney general and the individual plaintiff in the California case, both cases attacked the design and operation of the social media sites. The New Mexico case alleged violations of New Mexico’s Unfair Practices Act based on advertising practices around the safety of the platforms’ products and that the platforms’ designs failed to remove and instead amplified harmful material. In California, the plaintiff argued that negligent design and operations features, including infinite scroll and algorithmic recommendations, contributed to her addiction to social media.
Since the juries found the social media companies liable under both theories, companies should start to review their design features and their own operations to ensure that they are protecting their users—whether children, teens or adults.
Age verification mechanisms may be required
Both the New Mexico and California cases alleged that the social media companies knew that children under the age of 13 were using the services, and in both cases, substantial evidence presented arguably supports the assertion that children under the age of 13 do use social media. For instance, in the California case, the plaintiff alleged that she started to use social media well before she was 10 years old.
Under the Federal Trade Commission’s (FTC) 2025 amendment to the Children’s Online Privacy Protection Act (COPPA) rule, which became enforceable on April 22, one of the factors in determining whether a website is “directed to children” is “the age of users on similar websites or services.” It is therefore possible that the FTC would use the evidence presented in these high-profile cases to argue that not only these specific companies but all social media companies are “directed to children” under COPPA.
One way to avoid being swept into COPPA compliance is to implement age verification mechanisms, which may minimize not only COPPA risks but also design and operational risks. Knowing a child’s age allows online services both to grant adults access to all the features of a website and to limit a child’s access to potentially harmful features. The social media gaming settlements with Alabama, West Virginia and Nevada included agreements for the continued use of facial age verification procedures (one of the voluntary agreements to age verification procedures). The age-related provisions also included an agreement to block all chat access until after a user’s age is verified. Using these age verification procedures—which the FTC has recently blessed in its Policy Statement—will act as a design feature that will protect not only children but also online services.
What now?
Recently, the FTC announced that it intends to use its Section 5 powers to address one of its top priorities—children’s privacy. Specifically, the FTC stated that it wants to use its powers to protect consumers from unfair competition to attack the design of online services. If the FTC follows through with this, the New Mexico attorney general has laid out a road map on how to attack website design features and advertising as unfair competition—online services should take note now and start to protect themselves from these types of actions in the future.