Online systems pose heightened risks for minors because they are at a uniquely vulnerable stage of development and participate in a broad range of activities online. These activities can have many benefits—allowing minors to learn about an endless array of topics, connect with loved ones around the world, play games, and explore their developing identities. Unfortunately, the lack of adequate safeguards to protect minors from commercial surveillance leaves them exposed to a wide range of harms.

I. Minors Face Online Harms

Commercial Surveillance Harms

From educational software to toys, gaming, and social media, minors’ online presence is constantly monitored, often without their knowledge or valid consent. The sweeping collection of personal data from such a young age presents exceptional privacy and data security threats to minors. Incomprehensible privacy disclosures, deceptive design elements, broad commercial surveillance practices, and targeted advertising make the digital ecosystem too complex for adults—let alone minors—to fully understand. Existing laws like the Children’s Online Privacy and Protection Act (COPPA) do not sufficiently protect minors from the myriad harmful effects of commercial surveillance systems.

Minors are uniquely vulnerable to the effects of these commercial surveillance systems. The constant monitoring and profiling of children online can make it difficult to develop a sense of autonomy and personality. In the targeted advertising context, sellers have tremendous power, taking advantage of this informational asymmetry and the still-developing critical thinking skills of children and teens to target young people for commercial gain.

Harms from manipulative platform design features

Most adolescents spend hours each day on online platforms. These digital services, especially social media, are readily available and have a strong commercial incentive to maximize user engagement, especially from minor users who are most impressionable and spend the most time online. This has “fueled a gold rush for children’s attention.” Even from a young age, a study of applications used by young children between 3 and 5 years old found that 80% of the apps had manipulative design features, “including para-social relationship pressure, fabricated time pressure, navigation constraints, and lures to encourage longer gameplay or more purchases.”  

The more time a minor spends on a service, the more data that’s generated about interests, habits, behaviors, fears, social graphs, and other information that is valuable for building a digital profile of the minor and targeting advertising to them.

Companies employ design features that prey on minors’ psychological development for profit, leading to overuse or compulsive use of social media and other platforms that harm minors’ health and wellbeing. Design features include endless scroll, push notifications, and recommender algorithms that surveil minors and use that data to figure out the best way to manipulate each minor into staying on the platform as long as possible. Minors are uniquely vulnerable: as children reach adolescence, their brain regions associated with the need for attention, feedback, and reinforcement become more sensitive, while the brain regions involved with self-control are not yet matured. These manipulative platform design strategies deprive minors of their autonomy, taking control of their online experiences out of their hands and subjecting them to heightened health, privacy, and data security risks. 

Harms from AI Chatbots

Generative AI and companion chatbots, which already pose risks to adult users, can cause even more severe harm to children and teen users, negatively impacting health outcomes. A companion chatbot has human-like features and is designed to make the user feel like they are chatting with another person. Companion bots like Character.AI, Replika, Nomi, and other AI companions have become increasingly popular among teens and children. In 2025, Google rolled out its Gemini chatbot specifically targeted to young children under 13, with utterly insufficient safeguards to mitigate serious risks to young users. These platforms allow users to engage in conversations with generative AI entities that are designed to simulate humanlike conversations. Teens are drawn to these chatbots for companionship, support, and guidance and as an effect of experiencing loneliness offline.

AI chatbots pose serious mental and physical health risks to minors as they develop psychological dependence on AI chatbots for para-social companionship or emotional support. Because an AI chatbot is not human, it lacks judgement and does not consider the complexity of certain questions or consequences of providing risky information or advice to minors. Young people using these platforms can be exposed to developmentally inappropriate, hyper-sexual, vulgar, and otherwise unsafe information. Some examples include generating suicide notes or plans, providing information about “dangerously restrictive” diet plans, advising on how to hide eating habits from family, and explaining how to get drunk or hide being drunk at school. After endearing itself to a minor as a human-like resource, AI chatbots providing such harmful content can encourage extremely dangerous behavior offline with devastating health outcomes. 

II. The Legal Landscape of Kids’ Online Privacy

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (“COPPA”) is the primary federal children’s online privacy law in the U.S. It specifically aims to protect the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000 and the COPPA Rule was revised in 2013 and again in 2025. COPPA was initially enacted in response to a growing awareness of internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. COPPA applies to commercial websites and online services that are directed at children. The main obligations for covered entities under COPPA include:

• Obtaining verifiable parental consent before collecting personal information from a child under 13 years old
• Providing a detailed privacy policy for data collected from users
• Limiting collection and retention of personal information

COPPA violations are unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. State Attorneys General also have authority to enforce COPPA.

In April 2025, after a nearly six-year rulemaking process, the Federal Trade Commission finalized updates to modernize the COPPA Rule. The COPPA Rule clarifies obligations for websites, apps and other covered entities that collect kids’ data. Among other updated provisions, critical updates to the COPPA Rule include: 

• Enhanced data security and retention requirements: The Rule expands operators’ obligation to protect the confidentiality, security, and integrity of personal information collected from children by requiring a formal information security program. The required information security program includes an obligation to evaluate data security risks, deploy safeguards to mitigate those risks, and test and monitor the efficacy of safeguards, including evaluating the entire information security program annually. It also mandates strict data retention and deletion requirements for personal data.
• Increased transparency obligations related to data collection and use: The Rule includes changes to the notice requirements that will significantly enhance transparency about operators’ collection, use, and sharing of kids’ data. For example, the Rule now requires a direct notice on the website or online service to include “identities and specific categories of any third parties to which the operator discloses personal information and the purposes for such disclosures […].”
• Strong limits on data sharing with external parties, including the advertising ecosystem: The Rule now requires operators to obtain separate and additional verifiable parental consent prior to disclosing a child’s personal information to third parties like advertisers and data brokers. These provisions will provide significant friction, slowing the incessant data flow of personal data to third parties.

State laws protecting kids’ online privacy and safety

State legislatures have enacted different types of laws that provide minors with privacy and online safety protections. These state-level legislative models include comprehensive privacy laws containing provisions specific to minors; age-appropriate design codes; laws that age gate or require parental access to certain content or platforms like social media; and laws that restrict access to certain design features like “addictive feeds” or push notifications. Many of these state laws include protections that go beyond COPPA and regulate areas where COPPA is silent, like platform design or protections for teenagers.

Here are some examples:

• State comprehensive privacy laws with provisions specific to minors’ online privacy and safety
  • Maryland Online Data Privacy Act
  • Colorado Privacy Act and recent amendment
• Children’s data privacy and protection laws
  • New York Child Data Protection Act
  • Texas Securing Children Online Through Parental Empowerment (SCOPE) Act
• Age-appropriate design code laws
  • Vermont Age-Appropriate Design Code
  • California Age-Appropriate Design Code
• Laws that age gate or prohibit access to content or social media platforms
  • Florida HB3: Social Media Safety Act
  • Texas HB 1181
• Laws that restrict access to high-risk design features
  • California SB 976 Protecting Our Kids from Social Media Act
  • New York SAFE for Kids Act

Emerging Federal and State Frameworks

Legislators on the federal and state level continue to develop and introduce legislative frameworks to mitigate harm facing minors online. Congress has considered the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) for consecutive sessions. Where COPPA 2.0 would largely modernize and extend COPPA’s protections to older teenagers, KOSA would focus on online safety by regulating harmful platform design practices. Both federal and state legislators have also introduced bills to regulate app stores. Utah enacted the App Store Accountability Act and Congress is considering a similar bill by the same name. Looking forward, AI Chatbots have emerged as another significant focus for regulation on the state and federal level.

Kids Privacy in Court

Kids’ online privacy and safety is at the center of many lawsuits across the country. Big Tech has been challenging the constitutionality of most state-level kids’ online safety and privacy law that have been enacted, often through an industry group called NetChoice. In 2025, the Supreme Court heard a challenge from Free Speech Coalition (another industry group representing the pornography industry) to a Texas law requiring pornographic websites to verify ages of users in order to block children from accessing the websites. Visit EPIC’s Platform Governance & Accountability page to learn more about the issues at the center of many of the cases challenging platform governance laws and regulations, including age assurance, Section 230, and the First Amendment.

In the last five years, state attorneys general have been particularly active in this area, investigating and bringing enforcement actions against Big Tech companies and social media platforms for harming minors online. State AGs often work collaboratively and rely on various authorities like state consumer protection laws, COPPA, tort law, and newer state privacy laws. In October 2023, forty-two State AGs filed suit against Meta for designing a social media platform that it knew was harmful to teens. The State AGs alleged that Meta violated consumer protection laws, causing harm to teens by designing platforms to encourage compulsive use and maximizing engagement and time online, among other tactics. Read more about State AG enforcement in EPIC’s report, State Attorneys General and Privacy: Enforcement Trends, 2020-2024.

III. EPIC Model Legislation

In 2026, EPIC released two pieces of model legislation to protect privacy by ensuring that digital platforms, including chatbots, are designed safely and responsibly. EPIC’s Model Age-Appropriate Design Code protects kids online by prohibiting addictive design features for minors, giving them control over their privacy, and preventing companies from designing to promote compulsive use. EPIC co-published the People-First Chatbot Bill with the Consumer Federation of America and Fairplay. The People-First Chatbot Bill gives lawmakers a straightforward approach to address the harms caused by chatbots that have been developed and deployed by tech companies with little oversight or transparency.

Learn more about the Model Age-Appropriate Design Code here.

Learn more about the People-First Chatbot Bill here.