Children’s Data Protection Laws Across the States
If your business operates a website or provides online services that collect data about children, you should be aware of expanding legal requirements from U.S. states regulating how private companies interact with minors. Below is a summary of certain provisions in certain state laws passed since 2024, which are aimed at protecting children’s data. These laws impose a range of obligations on businesses, including age estimation requirements, heightened privacy disclosures, limitations on data collection and profiling, and duties to act in the best interests of minors.
Please note that below we do not address so-called state comprehensive privacy laws, many of which also restrict processing of children’s data.
The data privacy team at Morris, Manning & Martin is ready to help current and prospective clients assess exposure and build compliance strategies tailored to this evolving landscape.
Arkansas
HB 1717 (effective July 1, 2026): This law requires online platforms targeting or knowingly collecting data from children under 13 or teens ages 13–16 to obtain consent (consent of parents for under 13, and either the teen or parent for 13-16). The law bans targeted ads to minors, limits data collection to what is necessary, and mandates clear privacy notices and security safeguards.
California
AB 1043 (effective January 1, 2027): Requires operating system providers to provide an interface at account setup that requires account holders over 18 years old or parents/guardians of minors to provide the birth date or age of the user of the device. Requires application developers to request a “signal” from the operating system provider (which the provider must thereafter send) regarding the age bracket of each user when the application is downloaded and launched. After obtaining “actual knowledge” of the user’s age bracket via the signal, the application developer shall be required to “comply with applicable law,” which we note could include COPPA and state laws.
AB 2273 (set to take effect in July 2024 but currently blocked by a federal court ruling[1]): This law requires businesses to configure default privacy settings to offer a high level of protection and to provide privacy notices, terms of service, policies, and community standards in a manner suited to the age of children likely to access the services. The law prohibits collecting, selling, or using children’s personal data in ways that are detrimental to their well-being, mandates age estimation and data protection impact assessments, and prohibits uses of data for secondary purposes.
Colorado
SB 24-041 (effective October 1, 2025): This law (amending Colorado’s comprehensive consumer privacy law) prohibits companies from collecting or using data from individuals under 18 for targeted advertising, profiling, or selling without proper consent. The law limits data retention, bans manipulative design features, and requires risk assessments for services likely to be accessed by minors.
Connecticut
SB 3 (effective as of October 1, 2024): This law (amending Connecticut’s comprehensive consumer privacy law) prohibits data controllers from selling minors’ personal data, processing such data for targeted advertising, or engaging in profiling without complying with certain consent requirements. The law prohibits collection of precise geolocation data without notice and consent. Data controllers must implement safeguards to prevent unsolicited messages from adults to minors and are required to take reasonable steps to protect minors from privacy violations, manipulative design, and other online harms. Data controllers are required to conduct data protection assessments when processing minors’ data.
Louisiana
HB 37 (effective June 1, 2026): Establishes that owners and operators of a covered platform that contracts with a minor, including the creation of an online account, owes a duty of care to the minor, which requires the platform to prioritize the privacy of the minor’s account and establish certain default privacy settings. These settings include: prohibiting adults from connecting to a minor without express consent from the minor’s legal representative; restricting adults’ messaging of minors; prohibiting the platform from disclosing a minor’s precise geolocation; restricting visibility of minors’ accounts; and facilitating certain parental/guardian notifications regarding the minor’s activities and other controls. The law includes civil penalties of $10,000 per violation.
HB 570 (effective July 1, 2026): Requires that application stores implement and utilize age verification procedures to identify when users are minors and to obtain parental consent before applications can be downloaded by minors. Requires accurate age ratings and prevents application stores and developers from enforcing exploitative terms of service without parental approval.
Maryland
HB 603 (effective as of October 1, 2024): This law requires companies offering online services “reasonably likely to be accessed by children” under 18 to complete data protection impact assessments and set high privacy settings by default. The law requires covered companies to provide privacy information, terms of service, policies, and community standards using language suited to the age of children likely to access the company’s online products. The law prohibits profiling, data collection, or sharing unless strictly necessary for the relevant service and in the child’s best interest. The law prohibits dark patterns, restricts features like autoplay that encourage excessive use, and allows parental monitoring without notifying the child.
Mississippi
HB 1126 (effective as of July 1, 2024): Under this law, certain digital service providers must require account holders to register their age and must prevent minors from obtaining an account without express parental consent. The law requires certain digital service providers to develop strategies to prevent certain harms related to minors. Such providers must limit the collection and use of the minor’s personal identifying information to what is necessary for providing the service. Such providers are prohibited from collecting precise geolocation data, showing targeted ads with harmful content, or sharing the minor’s personal data, subject to certain exceptions.
Montana
SB 297 (effective October 1, 2025): This law (amending Montana’s comprehensive consumer privacy law), requires controllers to exercise a duty of reasonable care to avoid a “heightened risk of harm” concerning minors. Requires consent of a minor (or parental consent for minors under 13) before the controller may: sell the minor’s data or share the data for targeted advertising or profiling; use the data for secondary purposes; use design features to extend use; or collect precise geolocation data. Limits the ability of adults to send unsolicited messages to minors. Requires a privacy impact assessment and a mitigation plan for processing that represents a heightened risk of harm to minors.
Nebraska
LB 504 (effective January 1, 2026): This law mandates privacy-by-design features such as limiting data collection, prohibiting targeted advertising, restricting geolocation tracking, and disabling features that promote excessive use, like infinite scroll or push notifications. The law requires clear notices when utilizing tracking features and tools to restrict adult-to-minor communication. The law prohibits using minors’ data for purposes beyond what is necessary to deliver the service.
New York
S 7695 (effective as of June 20, 2025): For minors under 13, covered businesses may only process personal data in compliance with COPPA. For users 13 to 17, the law restricts processing except if a teenager expressly opts in or if the processing is strictly necessary for certain purposes. The law prohibits the sale of minors’ data and requires certain contract provisions with third parties/service providers. The law prohibits targeted advertising, profiling, and engagement-driven content feeds without opt-in consent from teens and unless COPPA-compliant for users under 13.
Texas
HB 18 (effective September 1, 2024): This law requires digital platforms to develop and implement a strategy (using certain specified controls) to prevent minors’ exposure to harmful or unsuitable material and to verify users’ ages and obtain parental consent before allowing minors under 18 to create accounts. The law prohibits the collection, sale, or use of minors’ personal and geolocation data, and bans targeted advertising to minors. The law mandates that platforms provide parental tools to monitor, limit, or delete a child’s account and data.
Utah
SB 142 (effective May 7, 2025): Requires certain age verification and account management practices for application store providers and application developers. Application stores must verify user ages when users create accounts and obtain parental consent for minors before allowing users to download an app or make in-app purchases. Developers must: verify user age categories and verify that parental consent has been obtained for minors; notify app store providers of significant changes to the app; use age category data to comply with applicable law; and request personal age verification or parental consent before its app is purchased or downloaded.
Vermont
SB 69 (effective January 1, 2027): This law prohibits the use of privacy-intrusive design features in online services and requires online services providers to set default privacy settings to a high level. The law prohibits companies from collecting, sharing, or retaining any personal data from minors unless it is strictly necessary to provide the relevant services. Covered businesses may not use previously collected data for new purposes and may not use design features that cause emotional distress, compulsive use, or discrimination. The law requires covered businesses to use age-assurance methods to be specified by the Vermont Attorney General.
____________________________________________________________________________________________________
MMM Contacts:
- Michael Young, Partner, at myoung@mmmlaw.com or 404.495.8481
- Roy Hadley, Special Counsel, at rhadley@mmmlaw.com or 404.364.3179
- Beau Braswell, Senior Associate, at bbraswell@mmmlaw.com or 404.364.4574
This article was last updated on October 21, 2025. Morris, Manning & Martin, LLP notes that the above list may not be exhaustive or complete. The above information is provided for general information purposes only and does not constitute legal advice or establish an attorney-client relationship.
____________________________________________________________________________________________________
[1] See NetChoice, LLC v. Bonta, 770 F. Supp. 3d 1164 (N.D. Cal. 2025) upholding preliminary injunctions on AB 2273, finding that NetChoice had shown a likelihood of success on First Amendment claims. The court also held that the enjoined provisions are not severable from the remainder of the Act and therefore the injunction applies to the entire Act. The California Attorney General has appealed.
