Key point: Children’s privacy remained a hot topic during the 2025 state legislative session, with multiple states passing laws, adding to the growing patchwork of children’s privacy laws.

Over the past three years, state lawmakers have passed numerous bills directed at regulating the processing of children’s and teens’ personal data. The trend began in 2022, when the California legislature passed the California Age-Appropriate Design Code Act, although that law has since been enjoined as unconstitutional. The following year, Connecticut Senator James Maroney passed an amendment to Connecticut’s consumer data privacy law that, among other things, created a duty of reasonable care for controllers processing children’s personal data. The next year, Colorado, Maryland, New York, and Virginia all passed children’s privacy-directed bills. In addition to children’s data privacy-related bills, several states also passed laws directed at regulating social media companies.

The trend continued during the 2025 legislative session, with lawmakers in Arkansas, Connecticut, Louisiana, Montana, Nebraska, Oregon, Texas, Utah, and Vermont passing laws or amendments to their existing laws, and the Colorado Attorney General’s (AG) office engaging in rulemaking to operationalize its 2024 law related to children’s data privacy. California regulators also added kids’ privacy-related protections to the new California Consumer Privacy Act (CCPA) regulations.

This article provides an overview of these new 2025 laws and regulations. Please note that this article does not cover laws specific to social media companies.

1. Amendments to Consumer Privacy Laws and Implementing Regulations

California

Over the summer, the California Privacy Protection Agency Board approved amendments to the CCPA regulations. One of those amendments revised the regulation’s definition of sensitive personal information to include “[p]ersonal information of consumers that the business has actual knowledge are less than 16 years of age.” Accordingly, the personal information of children under 16 years of age is now subject to the CCPA’s protections for sensitive personal information.

Colorado

Amendments to the Colorado Privacy Act (CPA) adding enhanced protections to the personal data of minors will go into effect October 1, 2025. The amendments apply to any controller that conducts business in Colorado or targets Colorado residents, regardless of any revenue or personal data processing threshold — meaning these obligations have the potential to apply to more companies. Any controller that offers “an online service, product or feature” to a consumer who the controller knows or willfully disregards is a minor must: (a) use reasonable care to avoid heightened risk of harm to minors; and (b) conduct a data protection assessment if there is a heightened risk of harm. Without the minor’s consent, or if a minor is under 13, the minor’s parent or legal guardian’s consent, a controller cannot:

  • Sell the minor’s data or use it for profiling;
  • Process personal data for any purpose other than the original disclosed purpose;
  • Process personal data for longer than reasonably necessary;
  • Use a feature to significantly increase, sustain, or extend a minor’s use of the service, product, or feature; or
  • Collect precise geolocation data.

The Colorado AG’s office published limited rules integrating the provisions of the amendment into the existing CPA rules. In July 2025, the office circulated additional draft rules focusing on the law’s definition of “willful disregard” and system design features. We wrote more about the proposed rules here.

Connecticut

Connecticut passed a bill that amends the Connecticut Data Protection Act and the changes will go into effect on July 1, 2026. Under the pre-amended law, a controller needed to obtain a minor’s consent to sell personal data, engage in targeted advertising, and engage in profiling if it offered an online service, product, or feature to consumers the controller knows or willfully disregards are 13 to 17 years old. For minors under 13, the controller had to obtain parental consent for those processing purposes. The amended law now prohibits controllers from selling personal data or engaging in targeted advertising regardless of whether consent is obtained from the minor or the minor’s parent. This change more closely aligns Connecticut with Maryland’s data protection law.

The amendments also both limit and expand the definition of “heightened risk of harm to minors.” They limit the current definition by adding the word “material” to “financial, physical, or reputational” injuries and “physical or other intrusion upon the solitude or seclusion, or private affairs or concerns of minors.” They expand the current definition by adding any physical violence against minors; any material harassment of minors on any online service, product, or feature, which harassment is severe, pervasive, or objectively offensive to a reasonable person; and any sexual abuse or sexual exploitation of minors.

Montana

Amendments to the Montana Consumer Data Privacy Act will go into effect October 1, 2025. The amendments are nearly identical to the amendments to the CPA and include new obligations for controllers that offer an online service, product, or feature to a consumer that the controller actually knows or willfully disregards is a minor (under 18). The requirements for controllers align with Colorado’s requirements, including requiring consent from the minor (or the minor’s parent or legal guardian where the minor is under 13) for the following purposes:

  • Processing personal data for targeted advertising, the sale of personal data, or profiling;
  • Processing personal data for a purpose other than the original disclosed purpose;
  • Processing personal data for longer than reasonably necessary;
  • Using a feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature; and
  • Collecting a minor’s precise geolocation.

Controllers also have the obligation to conduct a data protection assessment where there is a heightened risk of harm to minors.

Oregon

Oregon lawmakers amended Oregon’s privacy law to prohibit targeted advertising, profiling, and the sale of personal data if a controller has actual knowledge or willfully disregards that a consumer is 13 to 15 years old. This change aligns Oregon with Connecticut and Maryland’s restrictions. Controllers also cannot sell precise geolocation data. The changes are effective January 1, 2026.

2. Nebraska and Vermont Age-Appropriate Design Code Acts

During the 2025 session, Nebraska and Vermont passed Age-Appropriate Design Code (AADC) Acts, although they are vastly different.

Nebraska

Effective January 1, 2026, Nebraska’s AADC (LB 504) focuses on (a) creating tools for minors (i.e., individuals under 18 years of age) to regulate their use of covered online services; (b) regulating how covered online services collect and process the personal data of minors; and (c) providing parents of children (i.e., individuals under 13 years of age) with tools to help them “protect and support” their child’s (and sometimes minor’s) use of the covered online service.

With respect to the first category, the law requires covered online services, among other things, to provide minors with accessible and easy-to-use tools that limit the ability of other users or visitors to communicate with the minor and prevent other individuals from viewing the covered minor’s personal data. Covered online services also must provide tools that allow minors to control the operation of all design features, personalized recommendation systems, and the use of in-game purchases or other transactions.

With respect to the regulation of the collection and processing of personal data, covered online services must, for example, restrict their collection, use, and retention of minors’ personal data to only what is necessary to provide the service and not “facilitate targeted advertising.”

Further, parents must, among other things, be provided with tools that allow them to manage their child’s privacy and account settings, view their child’s account settings, and restrict purchases and financial transactions of minors.

Subject to numerous exceptions, the law defines covered online service narrowly to mean a company that provides an online service and (i) conducts business in Nebraska; (ii) alone, or jointly with its affiliates, subsidiaries, or parent companies, determines the purposes and means of the processing of consumers’ personal data; (iii) has annual gross revenue in excess of $25 million; (iv) annually processes the personal data of 50,000 or more consumers, households, or devices; and (v) derives at least 50% of its annual revenue from the sale or sharing of consumers’ personal data.

Violations of the law are enforceable by the state AG, with penalties of $50,000 per violation.

Vermont

Effective January 1, 2027, Vermont’s AADC (S. 69) creates a duty of care, mandates the use of default privacy settings and tools, mandates certain disclosures, and prohibits certain data and design practices related to minors’ personal data.

Subject to numerous exceptions, covered businesses are legal entities that (a) conduct business in Vermont; (b) generate a majority of their annual revenue from online services; (c) offer products, services, or features reasonably likely to be accessed by a minor; (d) collect the personal data of consumers; and (e) alone or jointly with others, determine the purposes and means of processing consumer personal data. A covered minor is defined as a consumer “who a covered business actually knows is a minor or labels as a minor pursuant to age assurance methods in rules adopted by the Attorney General.” A minor is an individual under 18 years of age.

With respect to the duty of care, covered businesses must ensure that the use of covered minors’ personal data will not result in reasonably foreseeable emotional distress, compulsive use of the online service, product, or feature, and discrimination based on certain protected classifications.

With respect to default privacy settings, covered businesses must configure all “default privacy settings provided to a covered minor through the online service, product or feature to the highest level of privacy.” The law identifies what those settings must be, including but not limited to, not displaying the existence of the covered minor’s account on a social media platform to any known adult unless the covered minor has consented. Covered businesses also must disable search engine indexing of the covered minor’s account profile and not send push notifications to covered minors.

The law’s transparency obligations require a covered business to “prominently and clearly provide on their website or” app, the covered business’s privacy information, terms of service, policies, and community standards, the purpose of each algorithmic recommendation system the covered business uses, inputs used by the recommendation system, descriptions for every feature of the service that uses covered minors’ personal data, and any personal data transferred to or shared with a processor or third party and the purposes of the transfer.

For prohibited practices, covered businesses cannot, for example, process any personal data of a covered minor that is unnecessary to provide the service, product, or feature; use previously collected personal data for any new purpose; and send push notifications between midnight and 6 a.m.

The law requires the AG to adopt rules on or before January 1, 2027, that prohibit “data processing or design practices of a covered business that, in the opinion of the Attorney General, lead to compulsive use or subvert or impair user autonomy, decision making, or choice during the use of an online service, product, or feature of the covered business.”

Finally, the law creates a structure for covered businesses to conduct age assurance and requires the AG to promulgate interpretive rules on the issue.

3. Arkansas

Arkansas passed the Arkansas Children and Teens’ Online Privacy Protection Act (HB 1717), which will go into effect July 1, 2026. The law applies to “operators” of websites, online services, online applications or mobile applications that are either (a) directed at children or teens; or (b) where the operator has actual knowledge that it is collecting personal information from children or teens. The law defines children as Arkansas residents 12 and under, and teens as Arkansas residents ages 13 to 16. 

Subject to certain exemptions, operator is defined as a “person who, for commercial purpose, operates or provides a website on the internet, an online service, an online application, or a mobile application and who” either (i) collects or maintains personal information of users of the website, service, or application, or (ii) allows another person to collect information of users.

Among other things, the bill prohibits covered operators from:

  • Collecting the personal information of children or teens except when the collection is either (A) “consistent with the context of a particular service or the relationship of the child or teen with the operator, including without limitation collection that is necessary to fulfill a transaction or provide a product or service requested by the child or teen or parent of the teen”; or (B) required or specifically authorized by law.
  • Retaining personal information of children/teens for longer than is “reasonably necessary to fulfill a transaction or provide a service requested by the child or teen except as required for the safety or integrity of the service or specifically authorized by law.”
  • Collecting personal information from children/teens for purposes of targeted advertising or allowing other entities to do so unless it is consistent with the above collection and retention requirements.

Further, although the data minimization requirements do not have any exceptions for consent, the law requires covered operators that have “actual knowledge” that they are collecting personal information from teens to “obtain consent for the collection, use, or disclosure of personal information from a teen from a parent of a teen or a teen [sic?], except when the processing is for” one of eight specific processing activities. For example, consent is not required to provide or maintain a product or service requested by the teen, conduct internal business operations, protect against fraud, or comply with law.

Finally, the law requires covered operators to provide a privacy notice and creates rights to deletion and correction. The law is enforceable by the state AG.

4. App Store Accountability Laws

Three states — Louisiana (HB 570), Texas (SB 2420), and Utah (SB 142) — passed app store accountability laws in 2025. Texas’ law will go into effect January 1, 2026, Utah’s law will go into effect May 6, 2026, and Louisiana’s law will go into effect July 1, 2026. *Update. The Texas law was enjoined as unconstitutional on December 23, 2026.

The California legislature just closed for the year and also passed an app store accountability law. The bill has been passed but still needs to be signed into law by the governor. If signed into law, it will go into effect January 1, 2027.

Overview

The three app store accountability laws require both the application store providers/owners and developers of the applications to meet certain obligations related to the personal data of minors. The obligations related to application store providers/owners (“owners”) apply to the company that owns, operates, or controls the application store. The developer, by contrast, is the person who owns or controls the application that is made available through the application store.

Owner Obligations

The three laws largely align when it comes to the broader obligations of the owners. When an individual creates an account on the app store, the owner must request age information and verify the individual’s age category. If the verification determines that the individual is a minor (under 18), then the owner must require the account to be affiliated with a parent or legal guardian account. For any minor account, the owner must obtain verifiable parental consent before the minor can download any application, purchase any application, or make a purchase within an application.

If a developer notifies the owner of any significant change to the application, then the owner has the obligation to notify the holder of the parent account of the change and obtain renewed verifiable parental consent.

Owners must provide developers with information relating to the user’s age category and the status of parental consent (only if by request under Louisiana and Utah’s laws).

Owners have an ongoing obligation to protect the minor’s age verification data by limiting the collection and processing of personal data to what is necessary to verify a user’s age and using industry-standard encryption protocols.

Developer Obligations

Louisiana and Utah

Louisiana and Utah’s requirements for developers mirror each other. Developers must verify, through the owner’s data sharing methods, the age category of users. If the individual is a minor, the developer must require the account to be affiliated with a parent account and obtain verifiable parental consent before the minor can download any application, purchase any application, or make a purchase within an application.

Developers must also: (a) notify owners of a significant change to the application; (b) enforce all age-related restrictions; (c) implement safety-related features and defaults; and (d) request personal age verification data or parental consent at the time a user downloads an application or purchases an application and when implementing a significant change to the application. When implementing developer-created safety features, the developer must use the lowest age category indicated by age verification data.

Developers may only request age verification data or parental consent: once during a 12-month period to verify the accuracy of verification data or continued account use; when there is a reasonable suspicion of account transfer or misuse; or at the time a user creates a new account. 

Louisiana and Utah’s laws prohibit developers from: (i) enforcing contractual terms against a minor unless the developer has verified through the owner that verifiable parent consent has been obtained; (ii) knowingly misrepresenting any information in the parental consent disclosure; or (iii) sharing age category with any person.

Texas

Texas’ law slightly diverges from Louisiana and Utah’s laws relating to developer obligations. Under Texas’ law, developers must assign to each application and to each purchase an age rating and must make that age rating available to the owner, with the elements that led to each rating. The developer must notify the owner of any significant change to the terms of service or privacy policy of the application. The law specifically lists what is considered a significant change to the terms or privacy policy.

Developers must have a system for verifying the age category of each user and whether consent has been obtained as required under the law.

Matching Louisiana and Utah’s laws, Texas prohibits developers from: (A) enforcing contractual terms against a minor unless the developer has verified through the owner that verifiable parent consent has been obtained; (B) knowingly misrepresenting any information in the parental consent disclosure; or (C) sharing age category with any person.

Enforcement

Louisiana

The AG has the right to bring a civil action to enforce any violation, which may be subject to up to $10,000 per violation. However, Louisiana’s law provides covered entities with a 45-day right to cure period.

Texas

Under Texas’ law, a violation is considered a deceptive trade practice and is actionable by the consumer protection division under the Deceptive Trade Practices – Consumer Protection Act.

Utah

Utah’s App Store Accountability Act provides the Division of Consumer Protection with rulemaking authority. Under Utah’s law, a minor or a parent of the minor can bring a civil action against an owner or a developer. A court may award a prevailing parent the greater of actual damages or $1,000 for each violation, reasonable attorneys’ fees, and litigation costs. Developers have a safe harbor if they can demonstrate that they relied in good faith on age verification data and consent notification by an owner, use widely adopted industry standards to determine the app’s age category and the content description disclosures, and apply those standards consistently and in good faith.