March Privacy Forecast: A Weekly Series
Welcome to our new series, the March Privacy Forecast. In this weekly series, during the month of March, we will delve into the evolving landscape of data privacy, explore new laws, proposed legislation and enforcement developments, and discuss key implications for businesses. Join us each week for a discussion of hot topics in privacy. This week, we are discussing developments in children’s privacy.
Focus on Children’s Privacy Laws: Recent Developments
Navigating children’s privacy compliance can be complex, particularly as legislation continues to evolve. Below we answer frequently asked questions about recent developments and their implications.
Q: What are recent developments on COPPA?
A: Earlier this year, the Federal Trade Commission (FTC) approved changes to the Children’s Online Privacy Protection Act (COPPA) Rule, aiming to enhance protections for kids’ online privacy. Notable changes include the addition of three new methods for an operator to obtain verifiable parental consent, parental opt-in requirements for targeted advertising and other disclosures to third parties, an expanded definition of personal information, and a requirement that operators’ online notices identify third-party data recipients. The changes will be effective after publication in the Federal Register. These updates to COPPA are reflective of a broader regulatory landscape that is increasingly focused on children’s privacy issues.
Q: What children’s privacy activity do we see at the state level?
A: We are seeing two approaches to children’s privacy at the state level. First, many states are addressing children’s privacy in their comprehensive state privacy laws by classifying children’s data as “sensitive,” which grants it additional protections and affirmatively restricts the processing of children’s personal data for targeted advertising or sale without the parent’s consent. Second, many states are adopting laws that require protections for children by online services, products, or features likely to be accessed by children – frequently referred to as Age-Appropriate Design Code (AADC) laws. California and Maryland have passed AADC laws, while Connecticut amended the Connecticut Data Privacy Act to include AADC-like protections for children under the age of 18. AADC laws adopted to date apply to children under the age of 18 and impose an obligation to use heightened protections when the business knows or has reason to know the consumer is a minor. AADC laws have faced challenges, specifically alleging that these laws restrict free speech. Despite legal challenges, at least three other states – Illinois, South Carolina, and Vermont – are considering similar laws this legislative session.
Q: What laws specifically regulate teens’ data? What are some examples of states that require consent for the sale and targeted advertising of teens’ data?
A: As noted above, some states are adding protections that go beyond COPPA in state comprehensive privacy laws. Specifically, several states have raised the applicable age of a child from 13 to 17 in those laws. These comprehensive law provisions classify children’s personal information as sensitive data and require consent prior to processing, selling, or profiling the data. For example, the New Jersey Data Privacy Act prohibits processing a consumer’s personal data for purposes of targeted advertising, selling, or profiling, where there is actual knowledge that the consumer is at least 13 years of age but younger than 17 years of age. The Delaware Personal Data Privacy Act and the New Hampshire Data Privacy Act also have similar requirements, with consent required if a business is selling or processing personal data for targeted advertising of a consumer known to be at least 13 years old and younger than 16 years old. These heightened requirements signal a broader state-level trend towards regulating the use of teens’ data.
Q: What other sector-specific legislation can affect children’s privacy?
A: Another trend we are seeing at the state level is passage of laws that would regulate a minor’s use of certain online services, such as app stores or social media platforms. For example, the Utah legislature passed a law on March 5, 2025, that would require app stores to verify a user’s age and require parental consent for certain activities by children under 18. Similarly, the Texas SCOPE Act, which took effect in September 2024, requires digital service providers to implement certain protections for children under 18, including parental tools, as well as limits on data collection and targeted advertising. This law primarily applies to digital services that provide an online platform for social interaction, like social media platforms. Overall, businesses should be prepared for increased scrutiny and enforcement relating to children’s online privacy.
Please stay tuned for our next article in this series, which will be published on Friday, March 14.