Children’s Data Protection Laws Across the States
If your business operates a website or provides online services that collect data about children, you should be aware of expanding legal requirements from U.S. states regulating how private companies interact with minors. Below is a summary of specific provisions in certain state laws passed since 2024, which are aimed at protecting children’s data. These laws impose a range of obligations on businesses, including age estimation requirements, heightened privacy disclosures, limitations on data collection and profiling, and duties to act in the “best interest” of minors.
Please note that below we do not address so-called state comprehensive privacy laws, many of which also restrict the processing of children’s data.
The data privacy team at Morris, Manning & Martin is ready to help current and prospective clients assess exposure and build compliance strategies tailored to this evolving landscape.
Arkansas
HB 1717 (effective July 1, 2026): This law requires online platforms targeting or knowingly collecting data from children under 13 or teens aged 13–16 to obtain consent (consent of parents for under 13, and either the teen or parent for 13-16). The law bans targeted ads to minors, limits data collection to what is necessary, and mandates clear privacy notices and security safeguards.
California
AB 2273 (set to take effect in July 2024 but currently blocked by a federal court ruling[1]): This law requires businesses to configure default privacy settings to offer a high level of protection and to provide privacy notices, terms of service, policies, and community standards in a manner suited to the age of children likely to access the services. The law prohibits collecting, selling, or using children’s personal data in ways that are detrimental to their well-being, mandates age estimation and data protection impact assessments, and prohibits the use of data for secondary purposes.
Colorado
SB 24-041 (effective October 1, 2025): This law prohibits companies from collecting or using data from individuals under 18 for targeted advertising, profiling, or selling without proper consent. The law limits data retention, bans manipulative design features, and requires risk assessments for services likely to be accessed by minors.
Connecticut
SB 3 (effective October 1, 2024): This law prohibits data controllers from selling minors’ personal data, processing such data for targeted advertising, or engaging in profiling without complying with certain consent requirements. The law prohibits the collection of precise geolocation data without notice and consent. Data controllers must implement safeguards to prevent unsolicited messages from adults to minors and are required to take reasonable steps to protect minors from privacy violations, manipulative design, and other online harms. Data controllers are required to conduct data protection assessments when processing minors’ data.
Maryland
HB 603 (effective October 1, 2024): This law requires companies offering online services “reasonably likely to be accessed by children” under 18 to complete data protection impact assessments and set high privacy settings by default. The law requires covered companies to provide privacy information, terms of service, policies, and community standards using language suited to the age of children likely to access the company’s online products. The law prohibits profiling, data collection, or sharing unless strictly necessary for the relevant service and in the child’s best interest. The law prohibits dark patterns, restricts features like autoplay that encourage excessive use, and allows parental monitoring without notifying the child.
Mississippi
HB 1126 (effective July 1, 2024): Under this law, certain digital service providers must require account holders to register their age and must prevent minors from obtaining an account without express parental consent. The law requires certain digital service providers to develop strategies to prevent certain harms related to minors. Such providers must limit the collection and use of the minor’s personal identifying information to what is necessary for providing the service. Such providers are prohibited from collecting precise geolocation data, showing targeted ads with harmful content, or sharing the minor’s personal data, subject to certain exceptions.
Nebraska
LB 504 (effective January 1, 2026): This law mandates privacy-by-design features such as limiting data collection, prohibiting targeted advertising, restricting geolocation tracking, and disabling features that promote excessive use, like infinite scroll or push notifications. The law requires clear notices when utilizing tracking features and tools to restrict adult-to-minor communication. The law prohibits using minors’ data for purposes beyond what is necessary to deliver the service.
New York
S 7695 (effective as of June 20, 2025): For minors under 13, covered businesses may only process personal data in compliance with COPPA. For users 13 to 17, the law restricts processing except if a teenager expressly opts in or if the processing is strictly necessary for certain purposes. The law prohibits the sale of minors’ data and requires certain contract provisions with third parties/service providers. The law prohibits targeted advertising, profiling, and engagement-driven content feeds without opt-in consent from teens and unless COPPA-compliant for users under 13.
Texas
HB 18 (effective September 1, 2024): This law requires digital platforms to develop and implement a strategy (using certain specified controls) to prevent minors’ exposure to harmful or unsuitable material and to verify users’ ages and obtain parental consent before allowing minors under 18 to create accounts. The law prohibits the collection, sale, or use of minors’ personal and geolocation data, and bans targeted advertising to minors. The law mandates that platforms provide parental tools to monitor, limit, or delete a child’s account and data.
Vermont
SB 69 (effective January 1, 2027): This law prohibits the use of privacy-intrusive design features in online services and requires online service providers to set default privacy settings to a high level. The law prohibits companies from collecting, sharing, or retaining any personal data from minors unless it is strictly necessary to provide the relevant services. Covered businesses may not use previously collected data for new purposes and may not use design features that cause emotional distress, compulsive use, or discrimination. The law requires covered businesses to use age-assurance methods specified by the Vermont Attorney General.
____________________________________________________________________________________________________
MMM Contacts:
- Michael Young, Partner, at myoung@mmmlaw.com or 404.495.8481
- Roy Hadley, Special Counsel, at rhadley@mmmlaw.com or 404.364.3179
- Beau Braswell, Senior Associate, at bbraswell@mmmlaw.com or 404.364.4574
This article was last updated on July 30, 2025. Morris, Manning & Martin, LLP notes that the above list may not be exhaustive or complete. The above information is provided for general information purposes only and does not constitute legal advice or establish an attorney-client relationship.
____________________________________________________________________________________________________
[1] See NetChoice, LLC v. Bonta, 770 F. Supp. 3d 1164 (N.D. Cal. 2025) upholding preliminary injunctions on AB 2273, finding that NetChoice had shown a likelihood of success on First Amendment claims. The court also held that the enjoined provisions are not severable from the remainder of the Act and therefore the injunction applies to the entire Act. The California Attorney General has appealed.
