New State Laws Strengthen Privacy Protections for Minors

2025 has been a quiet year thus far when it comes to states passing comprehensive data privacy laws, with no new laws passing as of June 1^st. There has been, however, action regarding the online privacy of minors, with states passing new laws or amending existing privacy laws to bolster protections for children.

Here is a breakdown of the minor privacy laws passed at the state level.

Vermont

The Vermont Legislature passed the Vermont Age-Appropriate Design Code Act. Pending the Governor’s signature, the act will place the following requirements on businesses:

• A covered business shall configure all default privacy settings provided to a minor through the online service, product, or feature to the highest level of privacy.
• Limit unwanted interaction between adults and minors on social media.
• Businesses shall not provide minors with a single setting that makes all default privacy settings less protective at once.
• Businesses shall not request or prompt a minor to make their privacy settings less protective, unless the change is strictly necessary for the minor to access a service or feature they requested.
• Prohibited from sending push notifications to minors.
• Prominently display descriptions of every feature of the service that uses the data of minors.
• Businesses shall not collect, sell, share, or retain any personal data of a minor that is not necessary to provide an online service, product, or feature with which the minor is actively and knowingly engaged.
• Businesses shall not use a minor’s data to select, recommend, or prioritize media for the covered minor.

The Attorney General will be responsible for enforcement. The law will take effect on January 1^st, 2027, if signed by the Governor.

Nebraska

Nebraska lawmakers also passed an Age-Appropriate Online Design Code Act, which the Governor signed. The Nebraska law focuses on features and algorithms that could keep minors online for longer periods, but it also includes the following privacy requirements and restrictions:

• Only collect, use, and retain the minimum amount of a minor’s data to provide the service.
• Online services shall not facilitate targeted advertising to a minor.
• Provide an obvious sign to a minor when precise geolocation information is being collected or used.
• Push notifications to minors are prohibited between 10 pm and 6 am, and between 8 am and 4 pm on school days.
• Default privacy settings must be set at the highest level of protection.

Nebraska’s law goes into effect on January 1^st, 2026. The Attorney General is responsible for enforcement.

Oregon

Oregon lawmakers passed an amendment to the state’s existing privacy law that prohibits controllers from processing personal data for targeted advertising, or selling personal data that pertains to a consumer if the controller has actual knowledge, or disregards knowledge of whether a consumer is under sixteen. The amendment, which also contains geolocation data restrictions, awaits the Governor’s signature.

CompliancePoint has a team of experts that can help ensure your organization is complying with all state privacy laws and minor privacy laws, including COPPA. Reach out to us at connect@compliancepoint.com to learn more about our services.