Changes are coming for businesses that appeal to minors. States continue to push new restrictions on processing child and teen data, with a particular focus on targeted advertising to minors. Adding to the pressure, the California attorney general recently announced a new enforcement action that broadly interprets that state’s sales and advertising restrictions for minors and requires novel remediations that may signal the AG’s expectations regarding minors in the state.
Expanding State Privacy Laws for Minors
Following October’s launch of new restrictions on processing minors’ data in Maryland, Minnesota, and Colorado, more states are imposing new requirements on processing minors’ data, starting January 1, 2026. Notably:
- Amendments to Oregon’s consumer privacy law will go into effect, prohibiting the sale of personal data collected from individuals the controller knows are under 16 or whose age the controller willfully disregards, and the processing of such data for targeted advertising.
- Nebraska’s Age-Appropriate Online Design Code Act (AAODCA) will require covered online services to provide high-privacy default settings for minors, prohibit them from facilitating targeted advertising to minors, and restrict the hours during which they can send push notifications to minors’ devices, among other requirements. The AAODCA will be enforceable starting July 1, 2026.
- California’s requirements regarding sensitive personal information will apply to personal information a business has actual knowledge is from individuals under 16. Willful disregard of age will be deemed actual knowledge under the revised California Consumer Privacy Act regulations.
New Children’s Privacy Enforcement Action from the California Attorney General
California’s attorney general also signaled continued focus on child and teen privacy with the announcement of a settlement with Sling TV, the first enforcement action stemming from the AG’s sweep of streaming services announced last year.
According to the complaint, Sling TV knew or willfully disregarded that viewers under 16 were using its services, in part because Sling TV includes channels and programming directed to children. The complaint alleges that Sling TV failed to obtain required authorization to sell or share personal information, or engage in cross-context behavioral advertising, with respect to these consumers. In addition to a penalty of $530,000, the settlement requires Sling TV to:
- Allow consumers to create profiles intended for children and/or minors
- Maintain a system for programmers to designate channels as “made for children or minors”
- Turn off sales and sharing of data for child profiles by default as well as cross-context behavioral advertising based on third-party data
- Turn off sales and sharing for channels that are “made for children or minors” by default as well as cross-context behavioral advertising, and not otherwise enable ad partners to display any advertising based on personal information related to the consumer or household
- Delete personal information previously collected from known children and minors
- Implement and maintain a program to monitor its compliance with these requirements for three years
The complaint and settlement also address alleged deficiencies in Sling TV’s opt-out notices and methods, including the interplay between cookie controls and CCPA opt-out rights. Notably, Sling did not admit any liability in the settlement.
As state regulations and enforcement expectations on child and teen privacy evolve, organizations should stay tuned for new developments and be ready to update compliance as needed.
If you have questions about how to adapt your business for changing child and teen privacy mandates, or have other questions about privacy, data strategy, or streaming business models, please reach out to the authors or contact Venable’s Privacy & Data Security Group for assistance.