Privacy & Cybersecurity Law Blog

On February 9, 2026, trade association NetChoice filed a lawsuit challenging South Carolina’s newly passed Age-Appropriate Code Design (“SC AACD”) on First and Fourteenth Amendment grounds. The SC AACD was signed into law by South Carolina Governor Henry McMaster on February 5, 2026, making South Carolina the fifth U.S. state to enact such a law, following California, Maryland, Nebraska and Vermont. The law went into effect immediately upon enactment. NetChoice’s action against the SC AACD is the most recent in a string of lawsuits the group has filed to challenge similar laws, including in in California (which has since been enjoined) and Maryland. 

Applicability

The SC AACD applies to an online service “reasonably likely to be accessed by a minor” under 18 years of age, that either (1) has gross annual revenues of more than $25 million, (2) annually buys, receives, sells or shares the personal data of 50,000 or more consumers, households or devices, or (3) derives at least 50% of annual revenue from the sale or sharing of consumers’ personal data (note that the SC AACD does not define “consumer,” “sell,” or “share”).

To be “reasonably likely to be accessed by a minor,” a covered online service must meet either of the following criteria:

1. an individual using the covered online service is “known to be a minor” (i.e., where the covered online service has “actual knowledge that a particular consumer is a minor,” which includes “all information and inferences known to the covered online service relating to the age of the individual including, but not limited to, self-identified age, and including any age the covered online service has attributed [to] or associated with the individual for any purpose including, but not limited to, marketing, advertising, or product development purposes”); or
2. the covered online service is “directed to children” under 13 as defined under COPPA (i.e., determined by the covered online service’s (i) subject matter, (ii) visual content, (iii) use of animated characters or child-oriented activities and incentives, (iv) music or other audio content, (v) age of models, (vi) presence of child celebrities or celebrities who appeal to children, (vii) language or other characteristics, (viii) whether advertising is directed to children, and (ix) competent and reliable empirical evidence regarding audience composition and evidence regarding the intended audience, including marketing or promotional materials or plans, representations to consumers or third parties, reviews by users or third parties, and the age of users on similar websites or services).

a. If a covered online service is deemed to be “directed to children,” the operator of the covered online service must treat all users as minors, except where the covered online service has actual knowledge the individual is not a minor.

Requirements

The SC AACD requires covered online services to:

• Exercise reasonable care in (1) the use of a minor’s personal data, and (2) the design and operation of the covered online service to prevent: (a) compulsive usage of the covered online service; (b) severe psychological harm including, but not limited to, anxiety, depression, self-harm or suicidal ideations; (c) severe emotional distress; (d) highly offensive intrusions on the minor’s reasonable privacy expectations; (e) identity theft; (f) discrimination against the minor on the basis of race, ethnicity, sex, disability, or national origin; and (g) material financial or physical injury.
• Provide users with easy tools to (1) disable unnecessary design features, (2) limit the time spent on the service, (3) limit purchases made through the service, (4) block interactions with unconnected accounts, (5) restrict the visibility of the user’s account and information posted by the user to only users with connected accounts, (6) disable visible engagement metrics (e.g., number of likes, comments, clicks, views) regarding any item generated by the user, (7) disable search engine indexing of the user’s account profile for unconnected accounts, (8) prohibit any individual from viewing the user’s connections to other users, (9) restrict the visibility of the user’s location information only to whom the user shares such information and provide notice when the user’s precise geolocation information is being tracked or shared, and (10) provide minors the option to opt out of personalized recommendation systems, except for in certain limited circumstances.
  • For users the covered online service knows to be minors, safeguards (1) through (9), above, must be enabled by default.
• Collect only the minimum amount of personal data necessary to provide the specific elements of the covered online service with which the minor has knowingly engaged. Such information may not be used for secondary purposes.
  • Personal data collected for age verification or estimation must not be used for other purposes and must be deleted after use.
• Not serve targeted advertising or advertising for prohibited products to minors;
• Not use dark patterns;
• Not collect precise geolocation data of minors by default unless necessary to provide the covered online service (in which case, an “obvious notice” must be provided when geolocation data is being collected and used);
• Not profile minor users by default unless the profiling is (1) necessary to provide the service and (2) limited to only the aspects with which the minor user is actively and knowingly engaged;
• Provide the ability to prevent notifications and push alerts during set time periods (i.e., 10 PM to 6 AM year-round and 8 AM to 3 PM on weekdays during the school year).
• Provide “obvious notice” of when a minor is  being monitored by a parent (if the covered online service provides such functionality);
• Provide parents tools to (i) manage the minor’s account settings and change and control the minor’s privacy settings; (ii) restrict the minor’s purchases and other financial transactions; and (iii) view the minor’s total time spent on the covered online service and allow the parent to place time limits (including during school hours and at night).
  • These parental tools must be enabled by default for known minors.
  • Covered online services must notify a minor of when these parental tools are in effect and what settings have been applied.
• Provide report mechanism for parents, minors and schools to report harm to minors on covered online services.
• Provide notice describing:
  • The personalized recommendation systems used, how the systems provide information to minors and how minors or their parents can opt out of or control the systems;
  • Design safety for minors;
  • Privacy protections for minors;
  • Parental tools available; and
  • How minors and parents can use such measures, protections and tools.
• Engage a third-party auditor to prepare (in consultation with a minors’ online safety expert) a report detailing the covered online service’s design features, use of personal data and business practices with respect to minors. Such report must be made public and provided to the Attorney General.

Enforcement

The SC AACD is enforced by the South Carolina Attorney General, with no cure period for violations. It imposes strict penalties, including treble damages for non-compliant online services, and holds officers/employees personally liable for "wil[l]ful and wanton" violations.