Skip to main content
Featured Topics
Featured Insights
View All Services
View All Industries
About Us Overview

      Age-Appropriate Design Code

      State Legislative Process Status Effective Date Statute Name Statute/Bill Penalties Challenged in Court Court Ruling Reasonable Age Verification Method Age Estimation Age-Ranged Design Data Protection (Impact) Assessment Risk Mitigation Plan Default High Level Privacy Protection Data Minimization Restrict Geolocation Tracking Restrict Dark Patterns Restrict Automated Profiling Clear Accessible Age Suited Privacy Policy Privacy Rights Managing/Reporting Tools Parental Control/Monitoring Mechanism Monitoring or Tracking Signal Attorney General Private right of action State Regulator
      California Enacted 01-Jul-24 The California Age-Appropriate Design Code Act Stats 2022 ch 320 (AB2273) Ca. Civ. Code § 1798.99.28 to § 1798.99.40 Civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation Yes PRELIMINARY INJUNCTION (BEING APPEALED BY STATE)
      Connecticut Enacted 01-Jul-26 Amendments to Connecticut Data Privacy Act Conn. Gen. Stat. §45-529(a) Civil penalty of up to $10,000 per violation. No
      Maryland Enacted 01-Oct-24 Maryland Age Appropriate Design Code Act ("Kids Code") 2024 Md. Laws, Ch. 460 and 461 (SB0571/HB0603) Md. Code, CL § 14-4801 to § 14-4813 Civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation Yes Filed
      Nebraska Enacted 01-Jan-26 Age-Appropriate Online Design Code Act LB504 Neb. Rev. Stat. § 87-1301 to § 87-1309 Civil penalty not to exceed fifty thousand dollars for each violation No
      Vermont Enacted 01-Jan-27 Vermont Age-Appropriate Design Code Act Act 63 (S69) Violation is an “unfair and deceptive act in commerce” under 9 V.S.A. § 2453. No
      Term Definition
      Reasonable Age Verification Method A method to determine whether the user is a minor by collecting age-verifying personal information
      Age Estimation Estimate the age of child users with a reasonable level of certainty
      Age-Ranged Design Grouping minor ages into ranges and taking into account these ranges when designing
      Data Protection (Impact) Assessment Survey to assess and mitigate risks that arise from data management practices
      Risk Mitigation Plan A plan to mitigate or eliminate the risks identified
      Default High Level Privacy Protection Configure all default privacy settings to settings that offer a high level of privacy
      Data Minimization Collect, process, retain only the absolutely necessary amount of personal data required for a specific legitimate purpose
      Restrict Geolocation Tracking Not collect, sell, or share any precise geolocation information of minor by default
      Restrict Dark Patterns Not use of dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected
      Restrict Automated Profiling Not perform automated processing of personal information to create a profile by evaluating, analyzing or predicting aspects concerning a natural person’s economic situation, health, personal preferences, interests, behavior, location, or movements
      Clear Accessible Age Suited Privacy Policy Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of minors likely to access
      Privacy Rights Managing/Reporting Tools Provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns
      Parental Control/Monitoring Tools Tool that allows parents or guardians to monitor a minor's online activity or track a minor's location
      Monitoring or Tracking Signal Provide an obvious signal to the minor when the minor is being monitored or tracked by parent or guardian or that precise geolocation information is being collected
         

      Internet-Enabled Device-Based Filter for Harmful Content

      State Legislative Process Status Effective Date Statute Name Statute/Bill Penalties Require Age During Device Setup Automatically Enable Filter Password to Manage Filter Activation/Deactivation Notification When Filter Blocks Attorney General Private right of action State Regulator Comments
      Alabama Enacted Oct. 1, 2025 SB186 Act 2025-406 (SB186) Ala. Code § 8–19H–1 to § 8–19H–5 Civil penalty up to $5,000 per violation and not exceed $50,000 in aggregate Applies to video game consoles as well
      Utah Enacted Jan. 1, 2025 Children's Device Protection Act Laws 2024, Ch. 166 (SB104) Utah Code § 78B-6-2601 to § 78B-6-2606 Attorney General may recover civil penalty up to $5,000 per violation and not exceed $50,000 in aggregate; ALSO Private right action civil penalty award of $50,000 for each violation
      Idaho Introduced Children's Device Protection S.B. 1158
      South Carolina Introduced Children's Device Protection S. B. 4689
      Term Definition
      Filter Software on a device to prevent access or display of harmful materials through browsers or search engines
      Require Age During Device Setup User to provide age during device activation and account set-up
      Automatically Enable Filter Filter is automatically enabled when the user is a minor based on the age provided
      Password to Manage Filter Activation/Deactivation A non-minor user with a password can activate/deactivate filter
      Notification When Filter Blocks Notify device user when filter blocks device from accessing a website

      App Store Accountability (Platform and Developer Obligations)

      State Legislative Process Status Effective Date Statute Name Statute/Bill Penalties Reasonable Age Verification Method Digital Age Signal Age Category Data Verifiable Parental Consent before Download/Purchase Linked Parental Account to Minor's Account Display Age Ratings Parental Control Mechanism Data Minimization Protect User Data through Encryption Attorney General Private right of action State/Federal Regulator
      Federal Introduced App Store Accountability Act S1586/HR3149 Federal Trade Commission (FTC) Federal Trade Commission (FTC) Federal Trade Commission (FTC)
      Alaska Introduced HB46 Civil penalty of not more than $10,000 for each violation
      California Enacted 01-Jan-27 Digital Age Assurance Act AB1043 Civil penalty of up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation
      Hawaii Introduced Age Verification for App developers and App stores act SB1542
      Illinois Introduced Digital Age Assurance Act HB3304 Civil penalty for up to $10,000 per violation
      Louisiana Enacted 01-Jul-26 Act 481 (HB570) La. Stat. Ann. § 51:1761 to § 51:1763 Civil penalty for up to $10,000 per violation
      South Carolina Introduced App Store Accountability Act H3405 Civil penalty for up to $10,000 per violation
      South Dakota Dead SB180
      Texas Enacted 01-Jan-26 App Store Accountability Act SB2420/HB4901
      Utah Enacted 07-May-25 App Store Accountability Act Laws 2025, Ch. 446 (SB0142) Utah Code § 13-75-101 to § 13-75-40 Award a parent/guardian the greater of actual damages or $1,000 for each violation
         
      Term Definition
      Reasonable Age Verification Method A method to determine whether the user is a minor by collecting age-verifying personal information
      Digital Age Signal User to provide age during device activation and account set-up
      Age Category Data Information that identifies the age category of a user and is collected by a covered app store provider and shared with an app developer
      Verifiable Parental Consent before Download/Purchase Authorization provided by a parent whom has been verified is an adult
      Linked Parental Account to Minor's Account Ensure a minor's account is linked to an established verified parental account
      Display Age Ratings Publicly display the assessment of an app’s appropriateness for the different age categories
      Parental Control Mechanism Provide a parent/guardian a clear and easy mechanism to set filters that prevent a minor from accessing harmful content or usage limits, including daily limits and limitations during school and evening hours
      Data Minimization Limiting the collection and processing of personal data to the minimum amount necessary
      Protect User Data through Encryption Transmitting personal data using industry-standard encryption protocols that ensure data integrity and confidentiality

      Children Data Protection Laws

      Note: The scope of this "Children Data Protection Laws" is children-specific legislation and bills. This chart does not include states' comprehensive privacy laws.


      State Legislative Process Status Effective Date Statute Name Statute Penalties Reasonable Age Verification Method Consent Required to Collect or Process Personal Information Data Minimization Data Protection (Impact) Assessment Restriction Data Retention Clear and Accessible Privacy Notice Right to Delete, Refuse, Access, or Correct Personal Information Restrict Targeted Advertising Restrict Sales of Personal Information Restrict Geolocation Tracking Geolocation Tracking Signal Restrict Dark Patterns Restrict Automated Profiling Attorney General Private right of action Department/ Division Comments
      Arkansas Enacted Jul. 1, 2026 The Arkansas Children And Teens' Online Privacy Protection Act Act 952 (HB1717) Ark. Code § 4-88-1501 to § 4-88-1505 *Obtain Parent Consent for Child (Under 13) or from teen (13-16) or their parent before collecting, using, or disclosing
      Colorado Enacted Oct. 1, 2025 Privacy Protections for Children's Online Data Ch. 296 (SB041) Colo. Rev. Stat. § 6-1-1301 to § 6-1-1313 *Obtain Parent Consent for Child (Under 13) or from minor (13-17) or their parent before collecting, using, or disclosing
      Louisiana Enacted Jul. 1, 2025 Protection of Children's Internet Data Act 456 (HB577) La. Stat. Ann. § 51:1761 TO § 51:1763 Civil penalty of $10,000 per violation *Application is limited to social media companies
      New York Enacted Jun. 20, 2025 New York Child Data Protection Act Ch. 121 (S7695/A8149) N.Y. Gen. Bus. Law. § 899-ee to § 899-mm Civil penalty of $5,000 per violation *Obtain Parent Consent for Child (Under 13) or from minor (13-17) or their parent before collecting, using, or disclosing
      New York Introduced New York Child Data Privacy and Protection Act S4600 Civil penalty of $10,000 per violation *Proactively alert when personal data is being collected
      North Carolina Introduced Children's Online Safety Act S722 Civil penalty of $500,000 per violation *Transparency about data use *Default High Level Privacy Protection
      South Carolina Introduced Child Data Privacy and Protection Act H3400 Civil penalty of $10,000 per violation *Prominently display a privacy policy and terms of service
      Term Definition
      Reasonable Age Verification Method A method to determine whether the user is a minor by collecting age-verifying personal information.
      Prohibited Personal Information Data Retention After Verification Prohibits retaining age-verifying personal information after verification use
      Data Minimization Collect, process, retain only the absolutely necessary amount of personal data required for a specific legitimate purpose
      Data Protection (Impact) Assessment Survey to assess and mitigate risks that arise from data management practices
      Restrict Data Retention Prohibit retaining personal information for longer that is reasonably necessary to fulfill a transaction or provide a service
      Clear and Accessible Privacy Notice Provide clear and conspicuous notice of privacy rights and settings
      Right to Delete, Refuse, Access or Correct Personal Information Provide the opportunity at any time to access, delete, challenge accuracy, refuse to disclose personal information
      Restrict Targeted Advertising Prohibit display of any advertising in the minor account holder's account based on the minor's personal information
      Restrict Sales of Personal Information Prohibit sales of personal information
      Restrict Geolocation Tracking Not collect, sell, or share any precise geolocation information of minor by default
      Restrict Dark Patterns Not use of dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected
      Restrict Automated Profiling Not perform automated processing of personal information to create a profile by evaluating, analyzing or predicting aspects concerning a natural person’s economic situation, health, personal preferences, interests, behavior, location, or movements

      Current as of January 28, 2026.

      Follow us

      © 2026 Mayer Brown. All Rights Reserved

       

       

      Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

      “Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.

      Attorney Advertising. Prior results do not guarantee a similar outcome.