This year has brought significant movement and trends in minors’ privacy legislation on both the state and federal levels. We recap the notable developments below.

Comprehensive Consumer Privacy Legislation

Individual states have continued to enact their own comprehensive consumer privacy legislation this year. All of the state comprehensive consumer privacy laws passed this year incorporate the Children’s Online Privacy Protection Act (“COPPA”) through parental consent and sensitive data processing requirements. Notably, New Hampshire, New Jersey, and Maryland impose additional restrictions on the processing of minors’ personal data for targeted advertising, sales, and profiling. New Hampshire’s legislation prohibits processing of personal data for sales or targeted data “where the controller has actual knowledge or willfully disregards that the consumer is at least 13 and under 16.” Similarly, New Jersey’s comprehensive privacy legislation prohibits processing of personal data for sales, targeted ads, or profiling “where the controller has actual knowledge or willfully disregards that the consumer is at least 13 and under 17.” Maryland contains an outright prohibition on the sale or processing of personal data for targeted advertising “if the controller knew or should have known that the consumer is under 18.”

AADC and COPPA-Style Laws

States have continued to introduce Age Appropriate Design Codes (“AADC”), adding to the sweeping trend that emerged last year. Maryland’s new AADC law is similar to California’s AADC law, but departs notably by not requiring covered entities to implement age-gating and modifying the scope of covered entities to services that are “reasonably likely to be accessed by children.” The DPIA requirement in Maryland’s law focuses on “data management or processing practices” of the online product and specifies the harm that should be evaluated.

Colorado also passed an act amending its privacy legislation, similar to Connecticut’s SB 3 passed last year. Colorado’s legislation requires consent before processing minors’ personal data for targeted ads, sale of data, profiling, addictive features, collecting geolocation data, and other explicit purposes. The Colorado legislation also imposes a duty of care upon covered entities to avoid any heightened risk of harm to minors online, which differs from Maryland’s duty of care requiring covered entities to ensure the “best interests of children” when designing, developing, and providing products reasonably likely to be accessed by minors. 

Two states have also passed COPPA-style laws this year. Virginia’s law requires verifiable parental consent in accordance with COPPA for certain categories of processing, including targeted advertising, sale, profiling, and collection of geolocation data. New York’s law also tracks COPPA in many respects, but has an expanded scope covering minors ages 13 to 17 who must give informed consent prior to collection of their data, subject to certain exceptions.

Social Media

Following the trend beginning in 2023, a number of states have passed laws regulating minors’ access to social media. States have taken a variety of approaches in light of the injunctions on Arkansas’s social media law and California’s age-appropriate design code. Florida, Georgia, Mississippi, and Tennessee have each passed legislation requiring covered platforms to implement restrictions on minors’ social media accounts this year. Florida’s law requires social media platforms to terminate accounts of individuals under the age of 14 and seek parental consent for accounts of individuals 14 or 15 years of age. Florida’s law notably does not contain an explicit age estimation or verification requirement. The other three state laws require age verification and parental consent for minors’ social media accounts.

Utah also updated its social media law, replacing it with two new minors’ privacy acts. Notably, the revised Utah law requires social media companies to implement an “age assurance” system that is 95% accurate and obtain parental consent before certain functions are available to minor users. The Utah law also establishes default settings for minor accounts, which include data collection restrictions and harmful content restrictions.

In addition to the typical age verification and parental consent for social media laws, we have also seen the focus on minors’ social media use in miscellaneous state legislation, like a newly enacted New York law—the SAFE for Kids Act—that requires social media operators to obtain parental consent or age verification before providing an “addictive feed” to a user. Louisiana also passed a law which prohibits social media platforms from targeted advertising to minor account holders or selling minors’ data. Colorado recently enacted a bill requiring social media platforms to display a pop-up warning to users aged 18 and younger when they have spent over an hour on social media within a 24-hour period. This is the first legislation of its kind nationwide.

Harmful Content Age Verification

Another significant trend involves harmful content age verification provisions, which have been included in seven state bills enacted so far this year. These requirements generally impose liability on commercial entities that publish or distribute a website that contains a substantial portion of content that is harmful to minors, if these entities fail to establish reasonable age verification measures before allowing minors access to harmful content. The states that have adopted age verification provisions this year are Arkansas, Idaho, Kentucky, Louisiana, Nebraska, South Carolina, and Tennessee, joining a number of states that have enacted these provisions in recent years. 

Utah’s Children’s Device Protection Act passed this year and takes a different approach to age-filtered content, requiring devices to automatically enable a device filter upon use by a minor. The act also creates a private right of action for parents and guardians of minors who access obscene content on a device as a result of a manufacturer’s failure to enable the device filter.

Federal Legislation

On July 30, 2024, the U.S. Senate passed the Kids Online Safety and Privacy Act, which combines the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act, which we previously anticipated. However, the bill now faces an uncertain future in the House.

Also on the federal level, Congress passed the Revising Existing Procedures on Reporting via Technology Act, which we covered here. The U.S. Senate also passed the Stopping Harmful Image Exploitation and Limiting Distribution Act, again putting the future of the legislation in the hands of the House.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Jenna Zhang

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy notices and terms of use, responding to cyber and data security incidents, and evaluating privacy and cybersecurity risks in corporate transactions. In particular, she advises clients on substantive requirements relating to children’s and student privacy, including COPPA, FERPA, age-appropriate design code laws, and social media laws.

As part of her practice, Jenna regularly represents clients in data privacy investigations and enforcement actions brought by the Federal Trade Commission and state attorneys general. She also supports clients in proactive engagement with regulators and policymakers to ensure their perspectives are heard.

Jenna also maintains an active pro bono practice with a focus on supporting families in adoptions, guardianships, and immigration matters.

Diana Lee

Diana Lee is an associate in the technology regulatory group. She counsels clients on a range of regulatory and litigation matters involving electronic surveillance, government demands for data, national security, and data privacy and cybersecurity issues, with a particular focus on cross-border and multi-jurisdictional concerns.

Before rejoining the firm, Diana clerked for the Honorable Victor A. Bolden on the U.S. District Court for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.