​​South Carolina enacts age-appropriate design code with significant requirements for online platforms​

Broad scope & thresholds  

The Act applies to “covered online services” that do business in South Carolina, are “reasonably likely to be accessed by minors” (children under 18), and meet certain thresholds for revenue or data volume. A service is reasonably likely to be accessed by minors if it has actual knowledge that minors engage with the service or if it is directed at children as defined under the Children's Online Privacy Protection Act (“COPPA”) and corresponding regulations. The actual knowledge standard can be satisfied by any information or inferences a company holds about a user's age, including age estimates generated for marketing, advertising, or product development purposes. As a result, even services that do not ask users to self-identify their age may still have certain obligations under the law.  

Heightened “Duty of Care” for minors 

Unlike most previous state AADC laws, which require mitigating the risk of harm, South Carolina's new Act requires that covered services exercise reasonable care to prevent harm to minors online. Covered online services must exercise reasonable care both in how they use minors' personal data and in how they design and operate the online service, particularly with respect to certain “Covered Design Features” like infinite scrolling, auto-play, gamification, visible likes, push notifications, and in-app purchases. The law lists a wide range of harms that covered online services must address, from compulsive use and psychological harm to identity theft, discrimination, and financial injury. How the requirement to “prevent” these types of harms will be interpreted and enforced in comparison to the standards established in other AADC laws will be a key issue to monitor as the Act is implemented and enforced. 

Mandatory protective tools & defaults for minors 

Covered services must provide a range of protective tools and default settings. Key requirements include: 

User controls 

• Disable Covered Design Features: All users must have simple, accessible tools to turn off any Covered Design Features that are not necessary to provide the covered online service. 
• Time Limits & Purchasing Controls: Users must be able to set time limits and disable purchasing functions. 

Default privacy & contact settings for minors 

• Restricted Contact Settings: Defaults must limit who can contact a minor on the service. 
• Profile Visibility Limits: Defaults must restrict who can view a minor's profile or see their connections. 
• Location Collection Notices: Services must notify users whenever a minor's precise location is collected or shared. 

Additional protections 

• Reporting Mechanisms: Services must provide ways for parents, minors, and schools to report harm, including “imminent threats.” 
• Prohibition on Targeted Ads for Age-Restricted Products: Targeted advertising to minors for products such as alcohol, tobacco, gambling, and drugs is banned. 
• Ban on Dark Patterns: Use of dark patterns is prohibited and deemed an unlawful trade practice under South Carolina's Unfair Trade Practices Act. 
• Transparency for Personalized Recommendation Systems:  
  • Terms and conditions must clearly explain how recommendation systems function for minors. 
  • Services must explain how minors or parents can opt out. 
  • Safety, privacy, and parental-control features must be prominently disclosed in plain language. 

Public independent third-party audits   

Rather than mandating internal data protection assessments, a requirement that has drawn constitutional challenges in the California and Maryland AADCs, South Carolina's AADC law mandates that annual audits be performed by independent third parties. On or before July 1 of each year, covered services must publish and submit a public report prepared by the third-party auditor that covers details such as how the service operates with respect to minors, what data is collected and why, what safety tools are available, and how the service's algorithms work. The report must also be submitted to the South Carolina Attorney General, who is required to post the report in a prominent location on the Attorney General's website. 

Enforcement & personal liability for employees  

The penalties under the Act are significant. The state Attorney General is authorized to bring an action against covered online services, and if a violation is established, the court will automatically treble the actual damages proven. Where dark patterns are involved, penalties under South Carolina's Unfair Trade Practices Act may allow an individual who suffers an ascertainable loss of money or property to bring a limited private right of action to recover actual damages, attorney's fees, and court costs. Additionally, if the court finds that the unfair or deceptive act was a willful or knowing violation of the Act, it will award treble actual damages. Notably, the Act goes a step further than other AADC laws by exposing individual officers and employees to personal liability for “willful and wanton” violations of the Act. 

Next steps 

The Act took effect immediately upon signing, with operational requirements beginning March 1, 2026, and the first third-party audit reports due July 1, 2026. Although NetChoice (a trade group of online businesses) has already filed a constitutional challenge to the Act on First Amendment, Section 230, and Commerce Clause grounds, companies may wish to evaluate whether they fall within the Act's scope and consider appropriate next steps, with the law effective and available to enforce.

Authored by Mark Brennan, Bret Cohen, Aaron Lariviere, Thomas Veitch, Pat Bruny, Ryan Campbell, Erin Mizraki, Ellen Jin, and Dorea Marshall.