13 Going on 18: Is Your Business Ready for Privacy Laws Impacting Customers Younger than 18?
For years, companies have largely focused on one age group when determining their minor-privacy compliance strategies: children younger than 13 years old. The Children’s Online Privacy Protection Act (COPPA) was the minor-privacy statute, and if a business was not subject to COPPA’s protections for children younger than 13, minor privacy likely wasn’t on their radar. But in 2025, that’s no longer the case.
Regulators are increasingly focused on minors’ privacy and online safety issues. Just last month, Federal Trade Commission Chair Andrew Ferguson called on Congress to pass privacy legislation to cover minors older than 13, and legislative efforts at the state level are actively reshaping the privacy obligations businesses face when interacting with teenagers. These laws go beyond COPPA’s scope, often applying to minors up to 18 years old and regulating platforms’ design features and targeted advertising practices, in addition to governing businesses’ data collection and disclosure practices.
Below are some key updates that businesses with teenaged customers need to be aware of:
NY Child Data Protection Act Already in Effect, AG Shares Initial Guidance. On June 20, 2025, New York’s Child Data Protection Act (NYCDPA) took effect, imposing obligations on operators of websites, apps, and connected devices that knowingly process the personal data of minors younger than 18 or operate services primarily directed to minors. The law permits data processing for users under 13 only if compliant with COPPA, and for users aged 13–17 only with informed consent or where strictly necessary for narrowly defined purposes under the law. Operators must meet data minimization standards, ensure consent mechanisms are clear and revocable, and may not rely on marketing claims to justify broader data use. The NY Attorney General may impose penalties and even require the destruction of unlawfully obtained data. The OAG has issued early guidance in May, and is expected to draft rules in August.
Colorado Amends Consumer Privacy Act, Imposes a Duty of Care Over Minors Younger than 18. Effective October 1, 2025, companies conducting or targeting business to Colorado residents will be prohibited from processing the personal data of minors younger than 18 for purposes of targeted advertising, selling personal data, or profiling minors without a minor’s consent (or, in the case of a child younger than 13, without the consent of their parent or guardian). The Colorado Privacy Act (CPA) will also impose a duty of care on controllers to avoid any “heightened risk of harm” to minors caused by their online services, products, and features, and controllers will be prohibited from using online design features intended to prolong the amount of time minors spend on a platform. In addition to general restrictions on the collection, use, and retention of minors’ personal data, the CPA imposes new restrictions on the collection and use of minors’ geolocation data. Controllers may not collect a minor’s precise geolocation data without consent, and geolocation data may only be used and retained for as long as necessary to provide a service, product, or feature being used by a minor.
Montana Amends Consumer Privacy Law, Imposing Requirements for All Businesses Collecting Data from Minors Younger than 18. Effective October 1, 2025, any company that conducts business in Montana or targets products or services to Montana residents will be subject to new minor privacy obligations, which apply to consumers younger than 18 years old. Similar to Colorado’s amendments, controllers will be subject to a duty of care to avoid online services, products, or features that pose a heightened risk of harm to minors, and controllers will be prohibited from processing a minor’s personal data for targeted advertising, sales of personal data, and profiling without the minor’s consent, or, where a child is younger than 13, without consent from their parent or guardian. Additionally, Montana will also require mandatory privacy impact assessments where an online service, product, or feature presents a “heightened risk of harm to minors,” which is defined broadly to include any “intrusion on the solitude or seclusion or the private affairs or concerns of a minor if the intrusion would be considered offensive to a reasonable person.”
Maryland Enacts Comprehensive Privacy Act, Restricts Use of Data From Minors Younger Than 18. Effective October 1, 2025, businesses subject to the Maryland Online Data Privacy Act will be prohibited from both selling the personal data of minors younger than 18 and processing the personal information of minors younger than 18 years old for the purposes of targeted advertising. These prohibitions will apply where a business knows or “should have known” that the consumer is younger than 18 years old.
Arkansas Enacts COPPA-Like Statute for Teens Younger than 16. Effective July 1, 2026, businesses with actual knowledge that they collect personal information from minors younger than 16, and businesses with online platforms targeting minors younger than 16, will be subject to the Arkansas Children and Teens' Online Privacy Protection Act. The Act prohibits the collection of personal information from children younger than 13 without parental consent, and from teens younger than 16 without the teenager’s consent. Even where consent is obtained, operators may only collect covered personal information where required or authorized by law and for purposes “consistent…with the particular service or the relationships of the child or teen with the operator,” such as to complete a transaction. Notably, operators may not retain personal information for longer than is “reasonably necessary to provide a service requested,” except as specifically allowed by law or necessary to maintain the safety of the service requested by the minor. The Act also requires operators to provide users with notice of their data practices, honor data deletion and data correct requests, and implement reasonable security measures.
Nebraska Enacts Age-Appropriate Online Design Code Act, Applies to Minors Younger than 18. Effective July 1, 2026, “covered online services” will be subject to the Nebraska Age-Appropriate Online Design Code Act’s requirements for users younger than 18. The Act explicitly prohibits secondary uses of minors’ personal data and the delivery of targeted ads to minors. Covered online services are also prohibited from profiling minors, except where it’s necessary to provide a service that’s been requested by a minor. Platforms may only collect, use, and retain the minimum amount of personal data necessary to provide the “specific elements” of an online service that a covered minor has knowingly engaged with. While the Act does not require online services to verify users’ ages, platforms are permitted to collect personal data to enforce an age gate. However, any personal data collected for age verification cannot be used for any other purposes and must be deleted after the users’ age is confirmed. In addition to privacy requirements, covered online services must provide minors with easy-to-use tools to limit the amount of time the minor spends on the platform, as well as the ability to limit other users from communicating with the minor. Businesses must also give minors control over the “operations of all design features” that are not necessary to provide the service, and allow minors to opt-out of “covered” design features that increase the time a minor spends on a platform (including infinite scrolling, appearance-altering filters, notifications or push alerts, and rewards or incentives for the frequency of visits or time spent on an online platform).
Oregon Privacy Act Amended, Prohibits Targeted Ads for Minors Younger than 16. Effective January 1, 2026, the Oregon Consumer Privacy Act will prohibit controllers from processing personal data for targeted advertising to minors younger than 16. Additionally, controllers will be barred from the selling personal data of consumers younger than 16 years old.
Vermont Enacts Age-Appropriate Design Code Act, Applies to Minors Younger Than 18. Effective January 1, 2027, Vermont’s Age-Appropriate Design Code Act applies to covered businesses operating online services “reasonably likely to be accessed” by individuals younger than 18. Covered businesses must configure default privacy settings to the highest level, limit data collection and use, and avoid design features likely to cause emotional distress, compulsive use of their platforms, or identity-based discrimination. Among its requirements, Vermont’s new law also restricts adult interactions with minors on social platforms, restricts push notifications to minors (including a midnight-to-6 a.m. blackout), and limits algorithmic content targeting to minors. Similar to Nebraska’s law, Vermont’s Age-Appropriate Design Code Act also imposes limits on the collection and use of age-assurance data, including a prohibition against using age assurance data for secondary purposes. With more minor privacy laws sure to come, businesses with teenaged customers can start preparing their compliance strategies sooner than later:
Audit Your Audience. Identify whether your online platforms are being used by, or marketed to, children and teenagers. For example, consider where your services or products are being marketed, and whether you’ve engaged celebrities or influencers that appeal to minors in order to market your business.
Talk to Your IT and Marketing Specialists. Work with your internal teams to take stock of the personal data your business is collecting from minors, what it’s being used for, and who your business is disclosing it to. Pay special attention to precise geolocation data.
Review Your Platforms’ Design Choices. Consider whether any features are encouraging minors to stay on your platform for prolonged periods of time. “Dark pattens” such as excessive push notifications, algorithmic feeds, and reward systems are increasingly being scrutinized by regulators.
Engage Counsel Early. The minor privacy landscape is becoming more fragmented and risky. Work with counsel early to determine which laws apply to your business and implement compliance strategies to reduce your legal exposure.
Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.