2025 has been another active year for children’s and teens’ privacy legislation.  This post recaps notable developments and trends thus far in 2025.  Our summaries from 2023 and 2024 can be found here and here.

App Store Laws

A new trend in 2025 has been legislation targeting app store providers and app developers.  Utah enacted the country’s first state law requiring app store providers to verify all users’ age.  The Utah App Store Accountability Act also requires providers to obtain verifiable parental consent before minors can download or purchase apps, or make in-app purchases.  App developers are also subject to requirements under the Act and must notify providers of a “significant change” to their app, which app store providers must pass through to users, triggering a renewed parental consent requirement for minor users.  The Act goes into effect on May 6, 2026, and the Utah Division of Consumer Protection must promulgate rules establishing processes and means for an app store provider to age verify users. 

Texas and Louisiana also enacted app store laws, which are set to go into effect on January 1, 2026 and July 1, 2026, respectively.  Though all three of these laws differ in some respects, all impose some similar obligations on app store providers and app developers.

Minor Social Media Laws

Following on the trend from 2024, states have enacted laws that regulate children and teens’ access to social media in Arkansas, Louisiana, Nebraska, Oregon, and Virginia.  As we detailed in this post, other laws regulating minors’ social media use will come into effect in July 2025 in Georgia and Louisiana, though the Georgia law is currently enjoined.

  • Parental Controls: The trend of mandatory parental oversight has continued.  Nebraska’s Parental Rights in Social Media Act bars minors from being social media account holders without parental consent and requires platforms to provide methods for parents to supervise minors’ accounts, including the ability to view posts and messages and control settings and screen time.  Meanwhile, new laws in Arkansas, Louisiana, and Virginia prohibit certain actions by social media platforms without the consent of the minor’s legal representative or parent.  For example, Virginia’s Consumer Data Protection Act provides that social media platforms must, by default, limit minors’ use of their platform to one hour a day per service or app, with changes allowed with verifiable parental consent.  This time limit takes Colorado’s first-of-its kind pop-up warning a step further.  Under the Virginia Consumer Data Protection Act, parents do not otherwise get special access to a minor user’s account.
  • Age Verification: Of this new crop of laws, only Nebraska and Virginia require the use of reasonable age verification methods, while Arkansas requires social media platforms to prevent circumvention of age verification protocols.  This represents a departure from prior legislative efforts, many of which have been enjoined, including age verification requirements in Arkansas and Louisiana.
  • Targeted Advertising and Sale of Data: Oregon and Louisiana prohibit the sale of minors’ personal data in general, with particular bans on the sale of data that identifies minors’ precise geolocations.  Oregon also explicitly bars the use of minors’ personal data for targeted advertising purposes.  
  • Other Trends: “Addictive feed” regulation has continued to feature in recent legislation, with Arkansas’ SB 611 restricting social media platforms from engaging in practices that evoke addictive or compulsive behaviors in minor users.  Relatedly, Arkansas SB 612 prohibits social media platforms from using designs, algorithms, or features that the platform knows, or should know through the exercise of reasonable care, causes a user to purchase a controlled substance, develop an eating disorder, commit or attempt suicide, or develop or sustain a social media addiction.  SB 612 also creates a private right of action for certain violations.  Arkansas’ new laws are covered in greater detail in this post.

Age-Appropriate Design Code Style Laws

Several states have enacted age-appropriate design code style laws following in the footsteps of Maryland and California, whose first-in-the nation law was enjoined.  New laws were signed this year in Arkansas, Connecticut (amending Connecticut’s previous AADC-style law, SB 3), Montana, Nebraska, and Vermont. 

  • Default Settings: Similar to earlier state legislation, Vermont and Nebraska require covered platforms to establish default privacy settings for minor users at the highest protection available.  The Vermont Age-Appropriate Design Code Act also requires covered businesses to disable the search engine indexing of minors’ account profiles and prohibits sending push notifications to minors during specified times.  Numerous acts specifically place restrictions on minors’ ability to communicate with other users, with provisions in Connecticut, Montana, Nebraska, and Vermont.  We covered Connecticut and Montana’s amendments of their state comprehensive privacy statutes in greater detail here and here.
  • Geolocation Data: Nebraska, Connecticut, and Montana place some restrictions on the geolocation information controllers can collect or use from minor users and require controllers to signal to minors that data is being collected.  Montana allows minors over 13 and verified parents to consent to collection when it is not reasonably necessary, while Nebraska requires that platforms permit minors to restrict sharing of their precise geolocation information.   
  • Restrictions on Features for Minors: Connecticut and Montana prohibit social media platforms from using design features that significantly increase or extend minors’ use of such platforms, though Montana allows minors 13 and older, or the parents of children under 13, to consent to the use of these features.  Nebraska instead requires covered platforms to provide minors with more control to opt-out of specific features like infinite scroll, algorithmic feeds, and in-game purchases.  In Connecticut, social media platforms must also incorporate an online safety center and establish a cyberbullying policy.    
  • Impact Assessments: Similar to Connecticut’s new “impact assessments” requirement, addressed here, Montana now requires data protection assessments where there is a heightened risk of harm to minors, which must describe the types of data processed and the purpose of processing, along with a description of heightened harms.  Both laws require covered entities to create a plan to mitigate or eliminate heightened risk of harm to minors.
  • Targeted Advertising and Sale of Data: Now common across age-appropriate design code acts are prohibitions on the sale of minors’ data and the use of minors’ personal data for targeted advertising purposes, with some state-by-state variations.  For example, Connecticut now bans processing a teen’s personal data for purposes of targeted advertising.    
  • So-Called “Dark Patterns”: Connecticut, Montana, and Nebraska bar the use of “dark patterns” to obtain consent, while Vermont requires that regulations on “dark patterns” must be adopted by January 1, 2027. 

Federal Developments

Key federal bills aimed at strengthening children’s online privacy and safety—the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”), Kids Online Safety Act (“KOSA”), Kids Off Social Media Act (“KOSMA”), and the Stop the Scroll Act—are currently pending in Congress.  COPPA 2.0 and KOSA have been under consideration in the Senate and House of Representatives for years. 

The federal App Store Accountability Act was introduced and referred to the House Committee on Energy and Commerce in December 2024.  The bill would require app stores to use age verification methods and obtain verifiable parental consent before allowing minors to use the app store, download or purchase any app, or make any in-app purchases. 

On May 19, 2025, the TAKE IT DOWN Act was enacted.  More information on this law is available here

Tags: Children's Privacy, Congress, State Privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less
Photo of Jenna Zhang Jenna Zhang

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy…

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy notices and terms of use, responding to cyber and data security incidents, and evaluating privacy and cybersecurity risks in corporate transactions. In particular, she advises clients on substantive requirements relating to children’s and student privacy, including COPPA, FERPA, age-appropriate design code laws, and social media laws.

As part of her practice, Jenna regularly represents clients in data privacy investigations and enforcement actions brought by the Federal Trade Commission and state attorneys general. She also supports clients in proactive engagement with regulators and policymakers to ensure their perspectives are heard.

Jenna also maintains an active pro bono practice with a focus on supporting families in adoptions, guardianships, and immigration matters.

Read more about Jenna ZhangEmail
Show more Show less
Photo of Natalie Maas Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory…

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.

Read more about Natalie MaasEmail
Show more Show less
Photo of Bryan Ramirez Bryan Ramirez

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains…

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains an active pro bono practice.

Read more about Bryan RamirezEmail
Show more Show less