Beyond COPPA: The Surprising Legal Maze of U.S. Children's Data Privacy
1.0 Introduction: The Privacy Maze Beyond COPPA
For years, the conversation around children's online privacy in the United States began and ended with one federal law: the Children's Online Privacy Protection Act (COPPA), which protects the data of children under 13. While COPPA remains the national baseline, a new reality has taken shape. A complex, overlapping, and often contradictory patchwork of state laws has emerged, creating a bewildering landscape for parents, tech companies, and any online service that interacts with young people.
This new legal framework is anything but simple. States are now regulating the data of teenagers, imposing design requirements on platforms, and targeting social media with rules that vary dramatically from one border to the next. The purpose of this article is to distill this complexity into a few of the most surprising and critical takeaways about the new state of children's privacy law.
2.0 Takeaway 1: It's Not Just About How Big You Are, It's About Who You're For
A common misconception is that data privacy laws only apply to massive corporations with high revenue or millions of users. While that model exists, many new children's privacy laws are triggered by a service's audience, not its operator's size. This creates a distinction between how broad consumer privacy laws and specific children's design codes determine applicability:
- Thresholds in General Consumer Laws: This traditional model applies to businesses that meet specific quantitative thresholds related to revenue or data volume. For example, Virginia's law applies to entities controlling the data of at least 100,000 consumers, while California's general law applies to businesses meeting one of several thresholds, including a prominent one of $26.625 million in annual gross revenue.
- Thresholds in Specific Children's Codes: In contrast, many new laws trigger based on the nature of the service and who it's for, regardless of the company's overall revenue or scale. New York's law applies to services that are "primarily directed to minors," and Arkansas's law covers services with "actual knowledge" that they are collecting data from teens. These laws focus on intent and audience rather than size.
This dual-trigger system creates a significant compliance challenge, forcing companies to assess not only their scale but also the specific intent and audience of every single product or feature.
A small, niche app designed for teenagers could fall under stricter privacy rules in certain states than a large, general-audience corporation that doesn't specifically target minors.
3.0 Takeaway 2: The Definition of a "Minor" Is a Moving Target
While federal law sets the baseline for protection at "under 13," states have created a confusing patchwork of different age ranges for older children and teens. Depending on the state and the specific law, the age of a protected "minor" can vary significantly. This lack of uniformity means that an online service's legal obligations to a 16-year-old can change completely depending on the user's location.
The different age brackets protected by various state laws include:
- 13-15: California, Minnesota, Oregon
- 13-16: New Jersey, Arkansas
- 13-17: Colorado, Delaware, Maryland (under its general Online Data Privacy Act)
- Under 18: Maryland (under its more stringent Kids Code), New York, Vermont
For any national online service, this inconsistency requires implementing dynamic, location-aware compliance frameworks, a significant technical and legal undertaking.
One way to visualize this concept is through concentric circles. An inner circle of universal protection exists for children under 13, mandated by COPPA. Beyond that, varying outer circles of state-specific protections exist for teens up to age 15, 16, or 17, creating an inconsistent map of rights and obligations across the country.
4.0 Takeaway 3: There Are Different Kinds of "Kid's Privacy Laws"
The term "kid's privacy law" has become an umbrella for several distinct types of legislation, each with different goals, scopes, and targets. Understanding these categories is crucial, as they each have different strategic aims—from establishing broad consumer rights to dictating specific product design features.
- General Consumer Laws: These are broad privacy laws that apply to all consumers but contain specific sections or amendments for minors. Their scope is often limited; for instance, Virginia's consumer law was amended to add children's provisions, but they only apply to those under 13.
- Age-Appropriate Design Codes (AADC): Inspired by the UK's model, these laws focus on the design of online services that are "reasonably likely to be accessed by children." They impose duties related to the best interests of the child and often cover all minors up to age 18, as seen in Maryland's Kids Code.
- Social Media Regulations: These laws target social media platforms directly, often with strict age verification requirements or outright prohibitions on accounts for certain age groups. A prominent example is Florida's law, which prohibits social media accounts for children under 14.
- App Store Laws: A newer category of law places requirements on operating systems and digital storefronts to help manage minors' access to content and applications. States like California, Louisiana, Texas, and Utah have all passed laws covering users under 18 that apply to app store providers and developers.
5.0 Takeaway 4: A Law on the Books Isn't Always a Law in Effect
Perhaps the most critical takeaway is that this legal landscape is highly volatile. Many of these new state laws faced immediate and significant legal challenges, primarily on the grounds that they infringe on First Amendment rights. As a result, a law's passage does not guarantee its enforcement.
Numerous states have seen their new children's privacy and social media laws challenged, blocked, or temporarily enjoined by courts, including:
- Arkansas
- California (Age-Appropriate Design Code Act)
- Florida
- Georgia
- Maryland (Kids Code)
- Utah
- Ohio
The legal pushback has been forceful. In one striking example, a federal court blocked Ohio's Parental Notification by Social Media Operators Act, describing its approach as "breathtakingly blunt" and finding it to be "constitutionally infirm."
For businesses, the current legal environment means that achieving compliance is not a static, one-time project. It is a dynamic process of continuous monitoring, as a law's status can shift from enacted to enjoined—and potentially back again—in a matter of months.
6.0 Conclusion: Navigating the New Digital Age of Childhood
The simple era when compliance with children's privacy law meant following a single federal rule is definitively over. We have entered a new phase defined by complexity, fragmentation, and legal uncertainty. The patchwork of state laws, with their varying age thresholds, applicability triggers, and core objectives, presents a formidable challenge for creating a consistent and safe digital environment for young people.
As states continue to legislate and courts continue to weigh in, the landscape will keep shifting. This leaves a critical question for developers, policymakers, and parents alike: In the absence of a clear federal standard, how can we build a digital world that is coherent, equitable, and truly safe for children of all ages?