Last year saw a proliferation of US state laws regulating the processing of children’s data. 2025 promises to be just as active, with new rules either already in effect or coming into force later this year.
Companies in the ad tech ecosystem should pay attention to the evolving children’s privacy landscape at the US state level, as these developments will continue to affect how online services can market and advertise to minors.
Here’s an updated look at the state of state privacy laws.
New restrictions for minors under 18
The California Consumer Privacy Act and similar state privacy laws in Oregon, Montana and New Hampshire have requirements that companies obtain opt-in consent from minors 13-15 years old to sell their personal data or use it for targeted advertising.
New Jersey has a similar opt-in consent rule but for consumers that are 13-16 years old. Other laws extend the opt-in requirement to 13-17-year-olds, including Delaware’s new privacy law (which took effect earlier this year), last year’s amendments to the Connecticut Data Privacy Act and new rules promulgated under the Colorado Privacy Act (effective October 1, 2025).
Some states are pushing the scope of restrictions for minors under 18 even further.
Starting on October 1, 2025, Maryland’s Online Data Privacy Act will outright ban targeted advertising and sales of personal data for consumers under 18. On that same date, a separate Maryland law focused solely on children’s data, the Maryland Kids Code, will also come into effect mandating holistic privacy design changes for online services geared toward minors under 18.
The Maryland Kids Code will require companies to: conduct data protection assessments, limit data processing to reasonably necessary purposes, restrict profiling activities and collection of precise geolocation data and cease any use of “dark patterns” that impair a child’s privacy decision-making. Additionally, companies will be required to design their online services to avoid benefiting themselves “to the detriment of children” and to not result in (i) reasonably foreseeable and material, physical or financial harm to children; (ii) severe and reasonably foreseeable psychological or emotional harm to children; (iii) a highly offensive intrusion on children’s reasonable expectation of privacy; or (iv) discrimination against children based on protected characteristics such as race or sexual orientation.
The Maryland code shares similarities with other new laws, including the California Age-Appropriate Design Code Act (currently challenged on Constitutional grounds), Connecticut SB 3 and the Texas SCOPE Act – all of which went into force in 2024.
Additionally, the New York Child Data Protection Act (NYCDPA), effective June 20, 2025, will prohibit websites, mobile applications and other online operators from collecting, using, disclosing or selling personal information of known minors under the age of 18 without opt-in consent unless strictly necessary for certain permitted activities. Such permitted activities include, but are not limited to: providing or maintaining a specific product or service requested; protecting against malicious, fraudulent or illegal activity; complying with legal obligations; and detecting, responding to or preventing security incidents or threats.
The NYCDPA has a uniquely prescriptive feature requiring operators to, within fourteen days of learning that an individual is a minor under 18: (a) delete the minor’s personal data unless consent has been obtained or the data processing is strictly necessary; and (b) notify any third parties that process or have received the data that it relates to a minor.
Social media restrictions
The rollout of new social media regulations at the US state level also creates new challenges for advertisers seeking to reach younger demographics on these platforms.
In 2024, several state laws went into effect regulating social media platforms’ methods of marketing and advertising to minors, including laws in Louisiana, Texas and Utah (with Utah’s law currently subject to legal challenges).
Additional laws have or will become effective this year, including the following:
- Florida’s Social Media Safety Act, effective as of January 1, 2025, requires social media platforms to conduct age verification and delete the accounts of users under 14. That deletion requirement includes accounts that the platform “treats or categorizes as belonging to an account holder who is likely younger than 14 years of age for purposes of targeting content or advertising.” Similar restrictions apply for users between 14-15 years old if a parent has not consented to the creation of the account.
- Georgia’s Protecting Georgia’s Children on Social Media Act, effective July 1, 2025, will require social media companies to verify users’ ages and obtain parental consent for users under 16. It will also prohibit “the display of any advertising in the minor account holder’s account based on such minor account holder’s personal information, except age and location.”
The bottom line
Companies in the ad tech ecosystem must continue to pay attention to restrictions and prohibitions relating to the collection and processing of children’s data and evaluate whether new and emerging US state legislation affects their operations. Legislators are setting strict requirements, and if current trends hold, more states will likely take similar action.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow Davis+Gilbert and AdExchanger on LinkedIn.
For more articles featuring Richard Eisert, click here.
