Children's Privacy

On March 25, 2026, the UK’s Office of Communications (“Ofcom”) and the Information Commissioner’s Office (“ICO”) published a joint statement setting out their common expectations for age assurance on online services (“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators. Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.Continue Reading UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI

Last week, the Global Privacy Enforcement Network (“GPEN”)—a global network of over 30 national data protection authorities—announced the launch of its annual privacy sweep. The purpose of the sweep is to examine how websites and mobile applications commonly used by children handle minors’ personal information. Members of GPEN include regulators who have long prioritized protections for children and teens, such as the Federal Trade Commission (“FTC”), the California Attorney General, the California Privacy Protection Agency, the UK Information Commissioner’s Office, the French Commission Nationale de l’Informatique et des Libertés (“CNIL”), and the Irish Data Protection Commission.Continue Reading Global Privacy Regulators Launch Enforcement Sweep Focused on Children’s Data Protection

Recently, California Governor Gavin Newsom signed into law several privacy and related proposals, including new laws governing browser opt-out preference signals, social media account deletion, data brokers, reproductive and health services, age signals for app stores, social media “black box warning” labels for minors, and companion chatbots. This blog summarizes

Continue Reading California Enacts New Privacy Laws

On September 17, 2025, Brazil enacted the Digital Statute of the Child and Adolescent (“Digital ECA”), establishing a pioneering regulatory framework for protecting children (under 12 years of age) and adolescents (between the ages of 12 and 18) online. Brazil’s Congress approved the new law in a matter of just a few days in response to parents’ pressure, after a well-known Brazilian digital influencer published a series of online videos on the “adultization” of children on the internet.Continue Reading Brazil Adopts Law Protecting Minors Online

2025 has been another active year for children’s and teens’ privacy legislation.  This post recaps notable developments and trends thus far in 2025.  Our summaries from 2023 and 2024 can be found here and here.

App Store Laws

A new trend in 2025 has been legislation targeting app store

Continue Reading State and Federal Developments in Minors’ Privacy in 2025

On May 20, 2025, Nebraska Governor Pillen approved LB 383, which imposes a broad range of restrictions on minors’ access online.  In addition to a ban on artificial intelligence-generated child pornography, the law also requires parental controls over minor social media accounts.  Nebraska joins at least two other states that have passed bans on social media for minors without parental consent this year.Continue Reading Nebraska Bans Minor Social Media Accounts Without Parental Consent

On May 19, 2025, New York’s Office of the Attorney General (“OAG”) published new guidance on the New York Child Data Protection Act (the “Act”), which becomes effective on June 20, 2025.  As we reported last summer, the OAG released an Advanced Notice of Proposed Rulemaking addressing the Act on August 1, 2024.  The OAG has yet to release a full Notice of Proposed Rulemaking, which would be the next step in the process of developing a final rule implementing the Act’s rulemaking provisions.  Until the rules are finalized, the guidance suggests that the OAG will exercise discretion in its enforcement of the Act and consider good-faith efforts to comply with the statute.  Informal guidance is not legally binding, but provides some additional context on how the OAG might prioritize enforcement of the Act.  For a broader description of the Act’s provisions, see our previous reporting linked above. Some key elements from the guidance are listed below. Continue Reading New York Attorney General Issues Guidance on New York Child Data Protection Act