Key point: The law, which went into effect at signing, contains significant design and development requirements, requires independent third-party audits, and can be enforced against officers and employees.
On February 5, 2026, South Carolina Governor Henry McMaster signed the South Carolina Age-Appropriate Design Code Act (H 3431). South Carolina now joins California, Maryland, Nebraska, and Vermont in enacting Age-Appropriate Design Code (AADC) laws although these laws vary widely in both scope and requirements.
South Carolina’s law has several unique requirements, including requiring covered online services to engage in independent third-party audits, which are to be publicly posted by the state attorney general. We review these requirements below.
Of further note, the law went into effect upon the governor’s signature and does not contain a right to cure. The law is generally enforceable by the state attorney general who can seek treble financial damages for violations. The law also specifically provides that officers and employees of covered online services can be held personally liable for willful and wanton violations. In addition, the law’s prohibition against dark patterns is enforceable under the South Carolina Unfair Trade Practices Act, which allows for a private right of action. In the below post, we provide an overview of the new law and provide more general context on its provisions.
Background and Context
H 3431 was introduced in January 2025 as a social media regulation bill. It was amended to add an “Age-Appropriate Code Design [sic]” section and passed the South Carolina House in February 2025. The Senate stripped the social media portion of the bill and passed it in May 2025. The bill then re-passed the House in January 2026 with amendments, and the Senate concurred with the House amendments on January 21, 2026. A companion bill, S 268, passed the Senate but stalled in the House.
South Carolina’s law adds to the chaotic and complex patchwork of teen privacy and online safety laws. As we recently discussed, last year, Nebraska and Vermont passed AADC laws although they are vastly different. In prior years, California and Maryland also passed AADC laws but, again, those laws contain different provisions. Ultimately, the AADC moniker has little to do with the substance of the bill. Adding to the complexity, Arkansas passed its own version of a teen privacy law last year and other states like Texas enacted App Store-specific laws or, in the case of California, a Digital Age Assurance Act.
These laws have been the subject of intense judicial scrutiny. The California AADC and Texas App Store law are currently enjoined as unconstitutional. Maryland’s AADC also is under judicial scrutiny as we discussed here. It would appear the South Carolina law also will be challenged. NetChoice — an internet trade association that has challenged the constitutionality of other laws — asked McMaster to veto the law, saying that it violates the First Amendment.
Applicability
The law’s applicability standard will look somewhat familiar as it draws inspiration from the California Consumer Privacy Act (CCPA). Specifically, the law applies to “covered online services” defined as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that owns, operates, controls, or provides an online service that conducts business in South Carolina, is reasonably likely to be accessed by minors, determines the purposes and means of the processing of consumer’s personal data alone, or jointly with its affiliates, subsidiaries, or parent company and either (A) has annual gross revenues in excess of $25 million, adjusted every odd-numbered year to reflect changes in the Consumer Price Index; (B) annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices alone or in combination with its affiliates, subsidiaries, or parent company; or (C) derives at least 50% of its annual revenue from the sale or sharing of consumers’ personal data.
As emphasized above, the applicability thresholds are alternatives. This is different from Nebraska’s law, which uses “and” instead of “or” thereby being narrower in scope. Further, while this section refers to “consumers” the law does not define that term. In theory, that term could be interpreted to mean South Carolina residents or all individuals regardless of residency.
The law goes on to state that covered online services include entities that control or are controlled by a “business that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned [and] a joint venture or partnership composed of businesses in which each business has at least a forty percent interest in the joint venture or partnership.” Later, in Section 39-80-20, the law contains data-level exemptions for GLBA and HIPAA data.
An “online service” is defined as “any service, product, or feature that is accessible to the public on the internet including, but not limited to, a website or application.” It includes any service, product, or feature that is based in part or in whole on artificial intelligence.
“Online service” excludes (a) telecommunications services, as defined in 47 U.S.C. Section 153, (b) broadband internet access services as defined in 47 C.F.R. Section 54.400, and (c) the sale, delivery, or use of a physical product. Notably, earlier versions of the bill contained four more exclusions, including interactive gaming platforms. Those were removed prior to final passage.
Reasonably Likely to Be Accessed by a Minor
The law defines “minor” as a consumer who is under 18 years of age. A covered online service is “reasonably likely to be accessed by a minor or minors” if (1) the individual is “known to the covered online service to be a minor” or (2) the online service is “directed to children” as defined in Children’s Online Privacy Protection Act (COPPA) and its rules.
Where (1) is triggered, the online service must treat the particular individual as a minor. The law defines “known to be a minor” as “the covered online service has actual knowledge that a particular consumer is a minor.” It goes on to state, “actual knowledge includes all information and inferences known to the covered online service relating to the age of the individual including, but not limited to, self-identified age, and including any age the covered online service has attributed or associated with the individual for any purpose including, but not limited to, marketing, advertising, or product development purposes.”
Where (2) is met, the “covered online service must treat all individuals using or visiting the covered online service as minors, except where the covered online service has actual knowledge that the individual is not a minor.” However, one apparent issue with the second requirement is that COPPA’s “directed to children” standard is based on COPPA’s under 13 years of age applicability whereas the South Carolina law is directed at under 18 years of age. The only likely assumption that can be made is that the law is requiring companies to apply the definition of a “website or online service directed to children” under COPPA to broadly apply to minors as well.
Requirements
The law creates numerous requirements for covered online operators.
Duty of Care to Prevent Harm
The law first requires covered online service operators to exercise reasonable care in the use of minors’ personal data and the design and operation of the covered online service including, but not limited to, covered design features, to prevent certain types of harm. A covered design feature includes infinite scrolls, auto-playing videos, gamification, visible likes and comments, notifications and push alerts, in-game purchases, and appearance-altering features.
The law defines harm to include: (1) compulsive usage of the covered online service; (2) severe psychological harm; (3) severe emotional distress; and (4) highly offensive intrusions on the minor’s reasonable privacy expectations, among other categories. In an apparent attempt to insulate the law from challenge, it states that harm is limited to the types of harm for which liability is permitted under section 230.
The law defines compulsive usage to mean “the persistent and repetitive use of a covered online service that substantially limits one or more of a user’s major life activities including, but not limited to, sleeping eating, learning, reading, concentrating, communicating, or working.”
In sum, this requirement seeks to regulate and prohibit design features that lawmakers believe are addictive to children and prolong their use of online platforms.
Easy-to-Use Tools
Covered online services must provide users or visitors with easily accessible and easy-to-use tools to limit the amount of time a user spends on the service, limit financial purchases, disable unnecessary design features, and block messages and likes, among other actions. Notably, this section of the law uses the term “user” instead of minor. The law defines “user” to mean “an individual who uses the covered online service and who is located in South Carolina,” but does not define visitors. The takeaway is that once a service qualifies as a covered online service, it is required to provide these tools to all users — not just minors. If a covered online service knows that the individual is a minor, these must be turned on by default.
The law later states that covered online services must also provideusers with easy-to-use tools to prevent notifications and push alerts to an individual during specific times.
Opt-Out of Personalized Recommendation Systems
Covered services must provide users with the option of opting out of personalized recommendation systems except for optimizations that are based on the user’s expressed preferences. Again, this section of the law uses the term “user” instead of “minor.” However, if the user is a minor, this must be a default setting.
The law defines “personalized recommendation system to mean “a fully or partially automated system used to suggest, promote, or rank content, including other users, hashtags, or material from others based on the personal data of users.”
In a later section, the law also provides that a covered online service that uses personalized recommendation systems is required to “describe in its terms and conditions, in a clear, conspicuous, and easy-to-understand manner, how the systems are used to provide information to minors and information regarding how minors or their parents can opt out of or control the systems.”
Data Minimization and Limitations
The law also creates data minimization provisions including that a covered online service can only collect, use, and share minors’ personal data if necessary to provide the service. Personal data may not be used for reasons outside of those for which the data was collected and personal data can only be retained for as long as necessary to provide the services.
Prohibition on Targeted Advertising
The law states that covered online services cannot “facilitate targeted advertising to minors.” The law does not define what “facilitate” means. Webster’s Dictionary defines facilitate broadly to mean “to make something easier.” The law does define targeted advertising. Subject to certain exemptions, the term means “displaying advertisements to an individual where the advertisement is selected based on personal data obtained or inferred from that individual’s activities over time and across nonaffiliated websites or online applications to predict the individual’s preferences or interest.”
The law also later provides that covered online services are “prohibited from facilitating ads directed to minors for products prohibited for minors including, but not limited to, narcotic drugs, tobacco products, gambling, and alcohol to users the covered online services know are minors.”
Precise Geolocation
Precise geolocation of minors cannot be collected by default unless it is necessary to provide the service and then only if an “obvious notice” is provided to the minor. This requirement matches Maryland’s AADC law.
Prohibition on Profiling
Covered online services cannot profile individuals the service knows are minors, unless profiling is necessary to provide the service that a minor has knowingly requested and the profiling is limited to only the aspects of the service with which a minor is actively and knowingly engaged. South Carolina’s requirement resembles a similar requirement under Maryland and Nebraska’s AADC laws.
Parental Tools
Parents must be provided with easy-to-use tools that allow them to manage the minor’s account settings and restrict a minor’s purchases and other financial transactions. Parents also must be provided with a way to see how long their minor has used the service and to limit their minor’s use of the service, including to specific days and times of day. It is important to note that these provisions apply to a parent’s control over their minor’s personal data, which means individuals under 18.
Reporting Harm
Covered online services must have a mechanism for parents, minors, and schools to report harm to minors.
Dark Patterns
Covered online services cannot use dark patterns, which is defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.” The law states that the use of dark patterns constitutes an unlawful trade practice under Section 39-5-20 of the South Carolina Unfair Trade Practices Act and that covered online services that violate this section are “subject to the provisions, penalties, and damages of the South Carolina Unfair Trade Practices Act.”
Section 29-5-140 of the South Carolina Unfair Trade Practices Act provides that any “person who suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of an unfair or deceptive method, act or practice declared unlawful by Section 39-5-20 may bring an action individually, but not in a representative capacity, to recover actual damages.” Damages can be trebled if the violation was willful or knowing. Litigants also can recover reasonable attorney’s fees and costs.
Prominent Disclosures
Covered online services must provide “comprehensive, clear, conspicuous, and easy-to-understand information in a prominent location describing the design safety for minors, the privacy protections for minors, and the parental tools that the covered online service has adopted pursuant to this chapter. Such disclosure must also include a clear, conspicuous, and easy-to-understand explanation of how minors and parents may utilize those design safety measures, privacy protections, and tools.” It is not clear from the text of the law, whether this information should be provided as a standalone disclosure or whether it could be incorporated into existing privacy notices.
Public Independent Third-Party Audits
The law does not contain any requirement to conduct risk or impact assessments. Perhaps in lieu of that requirement, the law requires that starting July 1 of each year,, covered online services must issue public reports prepared by independent third-party auditors that contain a detailed description of the covered online service as it pertains to minors. The law does not delay this reporting deadline so, presumably, these reports are due July 2026.
The covered online service must submit the report to the attorney general who is required to publicly post it. The report must cover nine items, including a description of the algorithms the covered online service uses, the purpose of the service, how the service collects and processes personal data, and how the service uses covered design features.
Enforceability
The law is enforceable by the state attorney general. Notably, covered online services can be liable for treble damages as a result of violations. The law also states that officers and employees can be held personally liable for willful and wanton violations. These types of penalties significantly diverge from the penalties available under other US children and teen privacy laws.
Effective Date
The law took effect when the governor signed it.