Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
In most states, the age of majority is 18 years old. For purposes of U.S. privacy laws, however, minors can legally consent to the processing of their personal data starting at age 13.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
N/A.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
No.
N/A.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
N/A.
N/A.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
At the federal level, the U.S. Children’s Online Privacy Protection Act (COPPA) requires businesses to seek parental consent before collecting, using, or disclosing personal data collected online from children under 13. COPPA’s parental consent requirements apply when: (1) a business has actual knowledge that a specific end user is a child; (2) a business operates an online property directed to children under 13, even if it does not collect users’ ages; or (3) a business collects data from users of an online property knowing that property is child-directed.
In addition, most state consumer privacy laws treat personal data from children under 13 as “sensitive data” that requires parental consent before processing. Compliance with COPPA’s consent requirements is generally sufficient to meet these state law obligations.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Federal law does not provide for minors to consent to processing of their own personal data. Some state laws that require consent for processing personal data about minors provide that teens aged 13 to 17 must consent rather than parents.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
Under the U.S. Children’s Online Privacy Protection Act (COPPA), any method for obtaining verifiable parental consent must take into consideration available technology and be reasonably calculated to ensure that the person providing the consent is the child’s parent. The COPPA Rule identifies a non-exhaustive list of methods businesses may use to obtain verifiable parental consent and the Federal Trade Commission can also approve specific methods that companies submit for review.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
Businesses subject to the U.S. Children’s Online Privacy Protection Act (COPPA) must comply with certain notice requirements. Such businesses must provide online notices that include certain contact information, a description of the data collected from children, how the operator uses the data, the operator’s disclosure practices for such data, and procedures for the review or deletion of children’s data. Additionally, COPPA typically requires providing a direct notice to parents.
State consumer privacy laws also include notice obligations, including that regulated businesses provide appropriate notice of the processing of sensitive data (including data about known children), as well as the processes to withdraw consent for such processing.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
No.
The U.S. Children’s Online Privacy Protection Act (COPPA) provides for parents to exercise rights on behalf of children. Direct exercise of such rights by children is not explicitly prohibited by COPPA, but it is not contemplated in the law.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
While not explicitly addressed in the U.S. Children’s Online Privacy Protection Act, there is no prohibition on children’s ability to file a complaint to U.S. regulators without parental involvement.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
No.
Under the U.S. Children’s Online Privacy Protection Act (COPPA), any method for obtaining verifiable parental consent must take into consideration available technology and be reasonably calculated to ensure that the person providing the consent is the child’s parent. The COPPA Rule identifies a non-exhaustive list of methods businesses may use to obtain verifiable parental consent and the Federal Trade Commission can also approve specific methods that companies submit for review.
These COPPA verifiable parental consent requirements may differ based on the types of personal data collected from children, the business’s processing activities, and the purposes for which such data is processed. Certain processing activities, for example, do not require parental consent. Moreover, businesses are prohibited from conditioning a child’s participation in an activity on the child’s disclosure of more personal data than is reasonably necessary for that activity.
Further, personal data collected from children under 13 is generally considered “sensitive” under state consumer privacy laws, and the processing of sensitive data is subject to additional requirements.
Certain U.S. state consumer privacy laws also require consent for certain uses of personal data about teens (with age ranges varying by state). For further information, see the response to this question.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Federal Trade Commission (FTC) has authority to enforce the U.S. Children’s Online Privacy Protection Act (COPPA) and has brought numerous enforcement actions relating to children’s data processing invoking both COPPA and Section 5 of the FTC Act with respect to the processing of children’s personal data. (For further information, see the response to this question.)
The FTC has limited authority to seek civil penalties under Section 5 for an initial violation. More commonly, the FTC and the company negotiate a consent decree with the company that exposes the company to penalties if it later violates that consent decree.
The FTC can seek civil penalties of up to $53,088 per each COPPA violation. COPPA settlement amounts vary significantly, and the largest COPPA settlement to date imposed penalties of $275 million USD.
Are there specific rules concerning electronic direct marketing to children?
Yes.
Entities that market directly to children must follow truth-in-advertising standards to comply with Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce”. The Federal Trade Commission (FTC) has issued guidance and policy statements on advertising to children. In addition, companies often look to FTC enforcement actions to understand what advertising-related practices the FTC considers to be unfair or deceptive.
Additionally, the Children’s Advertising Review Unit (CARU) of the Better Business Bureau publishes and enforces guidelines, titled the Self-Regulatory Guidelines for Children’s Advertising, which impose standards for children’s advertising. Although CARU is not a government entity, CARU refers potential enforcement actions to government regulators like the FTC.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
At the federal level, the U.S. Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before personal data collected online from children under the age of 13 may be used for profiling or targeted advertising. COPPA establishes detailed requirements for obtaining such consent.
In addition, several state privacy laws require consent before personal data about children and teens (with age ranges varying by state) may be used for targeted advertising purposes. Individuals over age 13 can consent to these uses themselves.
Are there specific rules concerning online contextual advertising to children?
Yes.
At the federal level, the U.S. Children’s Online Privacy Protection Act (COPPA) permits operators of child-directed properties to collect persistent identifiers from children under the age of 13 for contextual advertising without obtaining verifiable parental consent. Operators relying on this exception may not collect personal data other than persistent identifiers and may use the identifiers only to enable contextual advertising or otherwise support internal operations.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Children’s advertising is a significant focus of U.S. regulators. Both federal and state regulators have brought civil enforcement actions under unfair or deceptive acts or practices (UDAP) laws related to the content and delivery of children’s advertisements.
The Federal Trade Commission relies on its Section 5 FTC Act authority to bring such enforcement actions and states have similar authorities under state UDAP laws. As a state enforcement example, a company agreed to pay $462 million USD in 2023 to resolve a multi-state action brought by state attorneys general that involved marketing products to children both online and offline.
Federal and state regulators have also brought privacy-related civil enforcement actions that address the use of children’s personal data for advertising. At the federal level, companies that violate the U.S. Children’s Online Privacy Protection Act (COPPA) face civil penalties of up to $53,088 per violation. Multiple COPPA settlements have focused on advertising practices, though settlement amounts have varied significantly. State authorities may also bring enforcement actions under COPPA. Recently, a mobile app developer entered into a settlement with the California Attorney General to resolve alleged violations of COPPA, the California Consumer Privacy Act, and the California Unfair Competition Law. The California Attorney General alleged that the company failed to obtain verifiable parental consent before processing personal information from children under 13 for “personalized” advertising, and the action settled for $500,000 USD.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
In most U.S. states, the age of majority is 18 years old, at which point individuals have the legal capacity to contract and enter into an agreement to use digital services.
Do consumer protection rules apply to children?
Yes.
U.S. consumer protection laws of general applicability apply equally to children and adults.
Are there any consumer protection rules which are specific to children only?
Yes.
There are various consumer protection rules in the U.S. that are specific to children. For example, at the federal level, the U.S. Children’s Online Privacy Protection Act (COPPA) restricts personal data collected online from children under 13. States also have enacted various consumer protection laws that are specific to children, such as laws that restrict children below a certain age from accessing social media accounts without parental consent.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The U.S. Children’s Online Privacy Protection Act (COPPA) enforcement actions brought by both federal and state regulators commonly address children’s use of digital services. At the federal level, companies that violate COPPA face civil penalties of up to $53,088 per violation, though settlement amounts vary significantly.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
State laws in the U.S. restrict children from accessing certain goods and services.
Several states have passed laws preventing minors from creating or maintaining social media accounts without parental consent. Although “minor” is defined differently under each state law, many states restrict access to social media platforms for users under age 18.
Several states have also passed laws requiring pornographic websites to verify that users are over age 18 before allowing access to the site. Such requirements face legal challenges, though these challenges primarily involve whether the state has used the appropriate means to restrict access.
State laws also generally implement age restrictions on minors’ access to gambling, alcohol, and nicotine products. These restrictions generally apply to the extent minors may access these products online, though few states have laws specifically targeting online access to these products.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
California, Colorado, Maryland, and New York have passed laws that regulate the design of online products that are accessed, or in some cases, “likely to be accessed” by children.
The specific requirements vary for each state but generally govern how businesses interact with children online through a combination of assessment requirements, default privacy settings, and minimum duties of care intended to prevent reasonably foreseeable harms to children and teens. Such laws have faced legal challenges.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
Most states that require parental consent for minors to access social media accounts also require that social media platforms implement age verification systems. Specific age verification requirements vary by state, with Florida imposing more prescriptive requirements than under most state laws.
Similarly, state laws relating to minors’ access to pornography impose age verification requirements on platforms that publish a certain percentage of “content harmful to minors” on their sites. The specific age verification requirements vary by state, with some states providing an enumerated list of age verification methods permitted under the law.
The U.S. Children’s Online Privacy Protection Act (COPPA) does not have age verification requirements, though online properties that are not primarily targeted to children can choose to implement age gates to limit COPPA compliance measures to users under 13. Online properties that are directed to children as their primary audience must assume all users are children.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
As described above, there are requirements to implement parental controls and facilitate parental involvement through notices. See more information here.
Maryland’s Kids Code permits, but does not require, businesses that provide online products accessed by children to allow parents to monitor or track a child’s online activity.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
The Federal Trade Commission (FTC) has considered online safety in its enforcement actions. As a prominent example, in 2022, the FTC reached a settlement agreement with a video game developer relating to child and teen players. In relevant part, the FTC alleged that the company engaged in unfair practices by enabling real-time voice and text communications for children and teens by default. The FTC alleged that, when paired with the company’s practice of matching children with strangers to play games, these default settings harmed children and teens, who had been bullied and harassed while playing the game. The company agreed to detailed changes to its practices and paid $275 million USD in penalties to resolve related privacy allegations.
Are there any existing requirements relating to children and AI in your jurisdiction?
No.
Emerging laws related to AI, such as the Colorado AI Act, apply equally to children but do not contain requirements specific to children.
Most U.S. states have updated their laws criminalizing Child Sexual Abuse Material (CSAM) to include AI-generated CSAM. These state laws typically expand upon existing laws criminalizing the possession or distribution of CSAM to clarify that such provisions apply to AI-generated CSAM, including deepfakes. Federal agencies similarly treat AI-generated CSAM as any other CSAM subject to federal laws prohibiting the production, distribution, and possession of such materials.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
No.
N/A
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Numerous states have enacted laws applicable to children’s use of online educational products and services. These laws impose obligations on online operators that provide such educational services on behalf of schools, including restrictions on uses of student data for non-educational purposes. As enforcement examples, the New York State Education Department has brought several public enforcement actions under New York Education Law Section 2-d against third-party contractors to educational institutions, assessing civil monetary penalties ranging from $120,000 to $750,000 USD.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
To date, certain states have enacted laws regulating student personal data collected from online services on behalf of educational institutions. (For further information, see the response to this question.)
Additional child online safety measures have been debated in the U.S. Congress in recent years but not enacted. The Federal Trade Commission also finalized several proposed updates to the Children’s Online Privacy Protection Act (COPPA) Rule in January 2025, but these updates are subject to further review as a result of the presidential administration change in January 2025.
Contributors
Kelly DeMarchis Bastide
Venable
Julia Tama
Venable
