The state of enforcement: Part II — Kids and teens' privacy

State regulators are ramping up children's privacy enforcement, focusing on parental consent, company knowledge of minors, and protective safeguards.

Contributors:
David Botero
Westin Fellow
IAPP
Editor's note
This is the second article in a three-part series that focuses on U.S. enforcement trends during 2025 and early 2026. The first article explored regulators' growing focus on consumer privacy rights, including enforcement actions against opt-out processes that rely on friction, misrepresentation, or delays in fulfilling consumer requests.
Kids' and teens' privacy has become an increasingly important privacy issue for policymakers with new legislation introduced at the federal and state levels. But with federal proposals like the Kids Online Safety Act and Children and Teens’ Online Privacy Protection Act 2.0 having stalled across multiple sessions of Congress, U.S. regulators have focused on enforcing the privacy rights that minors have under existing state and federal statutes, using the tools available to protect children's privacy.
Specifically, the efforts of state attorneys general have centered on parental notice and consent to the collection of minors' data — business practices that may indicate knowledge of children consumers and the implementation and maintenance of safeguards to protect their data.
Parental notice and consent
State enforcers have primarily focused on companies that collect and process minors' personal data without verifiable parental notice and consent. Most children's privacy statutes require that companies provide notice and obtain verifiable consent from parents before they collect, process or use children's data.
Therefore, lawsuits throughout the states are about the absence of notice. Companies have failed to disclose the specific categories of children's data they collect and how they use it. They have also neglected to obtain parental consent from parents to collect and process their children's personal information.
For example, the Texas state attorney general sued Snap, alleging the company collected a wide range of personal information from users and shared it with third parties for purposes including targeted advertising and feature development. The state argued that Snap violated the Securing Children Online Through Parental Empowerment Act, which prohibits digital service providers from "sharing, disclosing or selling a known minor’s personal identifying information" without verified parental consent. Additionally, state enforcers said the company did not provide parental account controls.
Contributors:
David Botero
Westin Fellow
IAPP