Under 18 Is The New Under 13: The Expanding Scope Of Children’s Privacy Laws

COPPA Privacy Law Harry Richt August 11, 2025

Contents show

Regulators at both the federal and state levels are rapidly expanding their focus on children’s and teens’ privacy, moving beyond the long-standing under-13 threshold established by the federal Children’s Online Privacy Protection Act (COPPA). This new direction reflects growing recognition that teens, not just younger children, are vulnerable to data misuse, manipulation, and targeted marketing online. The evolving legal landscape creates a patchwork of compliance obligations for businesses, with the potential for significant penalties if they fail to adapt.

From COPPA to State-Level Expansion

Since its enactment, COPPA has required verifiable parental consent before collecting, using, or disclosing the personal information of children under 13. It was updated in 2025 to modernize definitions, tighten data minimization requirements, and enhance security obligations. However, the law did not raise the age threshold.

States are now taking the lead in doing just that, with several new and proposed laws reaching up to age 18:

New York’s Child Data Protection Act (CDPA) (effective June 20, 2025)
- Requires informed consent for any collection, use, or disclosure of personal data for users under 18, unless within a specific, defined set of use cases.
- Prohibits targeted advertising and “addictive feeds” for minors without consent.
- Increased protections and parental involvement for users under 13.
California Age-Appropriate Design Code Act (CAADCA) (effective July 1, 2024)
- Mandates privacy-by-design, high default privacy settings, and safeguards against profiling minors.
- Applies to all users under 18.
  - Note: While California’s Age-Appropriate Design Code Act (CAADCA) was scheduled to take effect July 1, 2024, its enforcement has been blocked by a federal court as of March 13, 2025. A preliminary injunction is in place pending appeal, meaning the law is not currently enforceable.
Colorado Privacy Act Amendment (effective October 1, 2025)
- Prohibits targeted advertising and data sales involving minors without opt-in consent.
- Requires routine risk assessments when processing youth data.

Other states, including Maryland, Texas, New Jersey, and Virginia, have introduced or passed similar legislation. While the specific laws vary, the trend is uniform: under-18 protections are becoming the new standard.

Children’s Data Privacy Coverage by Jurisdiction (2025)

Jurisdiction / Law	Age Covered	Key Requirements & Highlights	Effective Date	Notes
Federal: Children’s Online Privacy Protection Act (COPPA)	Under 13	Verifiable parental consent; notice; data minimization; protections for children under 13	June 23, 2025 (updated rule)	Central federal children’s privacy law; does not raise age threshold beyond 13
Federal: Proposed Children and Teens’ Online Privacy Protection Act (COPPA 2.0)	Under 18 (proposed)	Extends protections to teens 13–17; prohibits targeted advertising to children/teens; stricter data minimization	Pending	Not yet law but passed Senate July 2024; potential expansion of federal protections
New York Child Data Protection Act (CDPA)	Under 18	Informed/opt-in consent for minors; bans targeted ads and addictive feeds for minors; enhanced parental involvement	June 20, 2025	One of the most comprehensive under-18 privacy laws
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)	All ages (includes minors)	Consumer rights including deletion, correction; specifically enhanced protections and increased fines for children’s data	CCPA Jan 1, 2020; CPRA Jan 1, 2023	Comprehensive state-wide privacy law covering all residents, including children
California Age-Appropriate Design Code Act (CAADCA)	Under 18	Privacy by design; default high privacy settings; risk assessments; limits profiling	July 1, 2024 (enforcement blocked)	Enforcement blocked by federal court injunction as of March 2025, pending appeals
Colorado Privacy Act Amendment	Under 18	Prohibits targeted advertising and sales of minors’ data without opt-in; requires risk assessments	October 1, 2025	Amendment to Colorado’s comprehensive privacy law
Maryland Age-Appropriate Design Code (Kids Code)	Under 18	Privacy by design; risk assessments; advertising restrictions	October 1, 2024	Focused on children’s online services
Maryland Online Data Privacy Act (MODPA)	Under 18	Broader privacy protections including targeted ad bans and data subject rights	October 1, 2025	Complements the Kids Code with broader consumer protections
Texas SCOPE Act	Under 18	Parental consent; limits on data sharing and service controls for minors	September 1, 2024	Expands protections to minors beyond COPPA
Virginia Consumer Data Protection Act (CDPA)	Under 13 / Under 18 (varies)	Parental consent for under 13; added protections and duties for services “directed to minors”	January 1, 2025	Enforcement includes provisions for minors beyond 13
EU General Data Protection Regulation (GDPR)	Under 16 (varies by country)	Parental consent requirements; design and code protections for children	May 25, 2018	Global standard influencing many U.S. laws

Other Laws

In addition to the prominent federal and state laws highlighted in the chart, many other states have enacted or are rapidly developing children’s privacy and social media laws that raise the age threshold to under 18. For example, states like Florida, Georgia, Louisiana, New Hampshire, New Jersey, Tennessee, Utah, Vermont, Nebraska, Connecticut, Montana, and Alabama have introduced laws requiring age verification, parental consent, restrictions on targeted advertising, limits on harmful design features such as infinite scroll or addictive feeds, and bans on certain communications to minors. Several of these laws include comprehensive privacy protections or impact assessments for minors’ data, while others impose specific social media account and content restrictions for children and teens. Notably, states like Tennessee and Minnesota have implemented comprehensive data privacy laws that incorporate heightened protections and rights for minors starting in 2025. Utah’s and Louisiana’s social media laws, for instance, impose direct limits on data collection and targeted advertising to youth. Collectively, these measures form an evolving and complex patchwork regulatory environment that businesses must monitor closely to ensure compliance with varied and increasingly strict children’s and teen privacy requirements across jurisdictions.

Enforcement Risks Are Rising

The Federal Trade Commission (FTC), state attorneys general, and even international regulators are stepping up enforcement against companies whose products or services have substantial youth audiences. Recent enforcement actions against social media platforms, gaming companies, and education technology providers have resulted in record fines, restrictions on operations, and mandatory design changes.

Businesses involved in targeted advertising, AI-enabled personalization, the sale of data (such as via data brokers), and data analytics involving minors are especially at risk.

What Businesses Should Do Now

If your website, app, platform, or digital tool attracts or serves users under 18, it is critical to:

Know your audience and implement age assurance tools that comply with state and federal standards.
Inventory any actual or constructive knowledge of minors signing up for accounts, including via account creation, where a date of birth may be collected.
Embed flexible privacy compliance frameworks that can scale with new state privacy laws.
Conduct regular risk assessments, particularly if your platform uses algorithms, personalization, or behavioral tracking.
Provide transparent privacy notices, written in a way that minors and their parents can understand.

For businesses navigating these complex and fast-shifting regulations, working with a dedicated children’s privacy attorney can ensure compliance while minimizing operational disruption.

Key Takeaway

Children’s privacy compliance is no longer just about under-13 COPPA rules. The United States is entering an under-18 regulatory era, following in the footsteps of the EU’s GDPR and other global frameworks. Businesses that adjust now, with privacy-by-design, transparent consent mechanisms, and robust oversight, will be best positioned to avoid penalties and earn the trust of younger users and their families.

Tags: Children's Privacy

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights