Children's Privacy

Hintze Law Global Privacy Updates

The Hintze Law team monitors global privacy and data security developments to provide timely, practical insights for clients. Below is a summary of key updates from mid-April 2026 to date.

 

US Privacy Updates

Alabama Legislature Passes Comprehensive Privacy Bill

The Alabama legislature passed a bill, which if signed by the governor, would make Alabama the twenty-second state to enact a broadly applicable comprehensive privacy law.  The law would take effect May 1, 2027, and would be enforced by the attorney general (following a mandatory forty-five-day right to cure violations).  There do not appear to be any provisions that impose materially stricter obligations on companies than those that are required under other state comprehensive privacy laws.

CPPA Public Comment Period re: Employee Data

California regulators are signaling increased oversight. On April 20, 2026, the California Privacy Protection Agency (CalPrivacy) opened a public comment period on potential updates to California Consumer Privacy Act (CCPA) requirements related to employee data. The proposed changes focus on notice, disclosure, and transparency obligations, particularly in nontraditional interfaces and employment contexts. Comments are being accepted through May 20, 2026.

In parallel, the CPPA’s newly established Audits Division is expected to begin proactive compliance reviews later in 2026. Unlike the Enforcement Division, which investigates violations, the Audits Division will evaluate business practices and identify compliance gaps, with findings potentially referred for enforcement.

Illinois BIPA Ruling

In a significant ruling interpreting the Illinois Biometric Information Privacy Act (BIPA), the U.S. Court of Appeals for the Seventh Circuit held in Clay v. Union Pacific Railroad Company (April 1, 2026) that the 2024 amendment to BIPA applies retroactively. The amendment limits damages to a “per person” basis rather than “per scan,” substantially reducing potential exposure for businesses. As a result, claims pending as of, or brought after, August 2, 2024, are subject to this reduced damages framework.

 

Maryland Legislature Passes Comprehensive Privacy Law Amendment To Restrict Data Sharing

Maryland passed HB 711, amending the Maryland Online Data Privacy Act (MODPA) to impose new restrictions on sharing personal data with government entities involved in civil immigration enforcement. The amendment limits when organizations may respond to subpoenas or cooperate with law enforcement in this context, while still allowing compliance with court-issued warrants. These changes take effect July 1, 2026.

New Jersey Health Privacy Law

New Jersey’s newly enacted Privacy Protection Act, signed March 25, 2026, introduces targeted restrictions affecting government entities and healthcare providers. The provisions for health care facilities include:

  • Prohibiting the collection of information relating to a patient's "immigration status, citizenship status, place of birth, social security number, or individual taxpayer identification number," except when necessary to ensure the safe and appropriate delivery of health care services, as applicable by law, or to provide a requested public service, benefit, or program.

·         Providing that any record relating to such information used for health care services shall not be considered a government record or disclosed except under limited statutory exceptions; and

·         Clarifying that this prohibition does not apply when the patient to whom the record or information pertains has knowingly provided written consent for disclosure.

    • "The Department of Health, in consultation with the Attorney General, shall develop and make publicly available a standardized written consent form."

These provisions take effect on April 1, 2027.

Nebraska Age-Appropriate Design Code (AAADC)

Nebraska amended its Age-Appropriate Design Code (AAADC) through legislation signed on April 17, 2026. The amendments expand the scope of regulated entities and design features, lower applicability thresholds, and introduce new requirements such as tools enabling minors to delete or unpublish accounts. The law also strengthens protections against default settings or design practices that reduce minors’ privacy protections.

Idaho Passes Social Media Child Protection Law

On April 2, 2026, Idaho’s governor signed HB 542, which applies to any social media platform that, across their corporate group (parents, subsidiaries, and affiliates), has earned at least $1 billion in advertising revenue worldwide in one or more of the preceding three years.

Covered platforms will be subject to the following requirements for Idaho users:

·         Periodic age estimation triggered by users’ cumulative use of the platform

·         Collection of date of birth for new accounts

·         Verifiable parent consent (VPC) prior to creating or maintaining an account for a child user (age 16 or younger), changing terms and conditions applicable to a child account, and changing privacy settings of a child account

·         High-privacy default settings

·         No “addictive interface features” or “profile-based paid commercial advertising” in a child account’s display/feed

·         Account deletion requirements depending on whether the request comes from a child user or their parent

This law may be enforced by a private right of action (by a child or parent), including claims of harm to mental health and emotional distress. The Idaho AG may also investigate and enforce reckless or knowing violations as per se violations of state consumer protection act. There is a three-year statute of limitations for all claims. A successful action has penalties of actual damages or $10,000, whichever is greater, and there are punitive damages available in the event of “consistent pattern[s] of reckless or knowing conduct.”

All requirements except age estimation take effect July 1, 2026. Age estimation requirements functionally* take effect January 1, 2027.

Iowa AG Files Lawsuit Against Meta for Misrepresentation of Material Harmful to Minors and Addictive Design Features

On April 8, Iowa Attorney General Bird announced a state consumer protection lawsuit against Instagram alleging youth safety and “addictive” design claims. The lawsuit alleges that Meta allow adult sexual content, alcohol, tobacco, and drug use and references, and mature/suggestive themes on Instagram despite the app’s “T for Teen” rating. The lawsuit also alleges that Instagram has addictive design features, including notifications, infinite scroll, ephemeral content, quantification and display of social interaction, and algorithmic recommendation feeds.

The lawsuit seeks a permanent injunction against Meta’s alleged misrepresentations about the content available on Instagram and “civil penalties, disgorgement, and other costs and fees.”

West Virginia and Alabama Settles Children's Safety Claims with Roblox

On April 21, 2026, the Alabama AG and the West Virginia AG both announced settlements with Roblox. (Alabama's settlement can be found here.) The agreements levee $12.5M and $11M fines respectively and impose additional requirements which include:

  • Verifying the age of all users before granting chat access,

  • Restricting adults from contacting U16 users except through verified trusted friends

  • Alerting minors upon first entering a private chat

  • Defaulting all U16 and unverified users to safe content mode

  • Allocating funds and resources to internet safety compliance and enforcement.

Multiple states also recently reached settlements with Roblox regarding children’s data and online safety practices. These agreements impose new requirements, including age verification for chat access, restrictions on adult-minor interactions, default safety settings for younger users, and enhanced compliance investments. These settlements reflect a coordinated enforcement trend focused on protecting minors online. Read about in depth in our latest blog post.

 

International Updates

China PIPL Enforcement Campaigns: Increased Scrutiny Across Key Sectors

On April 2, 2026, Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), announced a set of nationwide enforcement initiatives under the Personal Information Protection Law (PIPL). The announcement lays out the most detailed and coordinated PIPL enforcement roadmap to date.

Unlike earlier enforcement efforts that were largely complaint‑driven or ad hoc, the 2026 initiatives take a structured, sector‑by‑sector approach, with regulators spelling out exactly what they plan to inspect and where.

Key highlights include:

  • Seven targeted enforcement campaigns, covering:

    • Apps and embedded SDKs

    • Internet advertising and adtech

    • Education (with a strong focus on children’s data)

    • Transportation and mobility platforms

    • Healthcare providers

    • Financial services

    • Criminal data‑trafficking and “insider” cases

  • Explicit focus on adtech and automated decision‑making, including profiling, personalized advertising, and failure to honor opt‑out choices.

  • Increased scrutiny of SDKs, signaling that third‑party code is no longer a compliance blind spot.

  • Escalation risk: the involvement of public security authorities underscores that serious or repeated violations may move beyond administrative penalties to criminal enforcement.

European Data Protection Board 2025 Report

On April 9, 2026, the European Data Protection Board (EDPB) published a report on its work in 2025. Over the year the EDPB:

  • Published guidelines on interactions between the GDPR and other EU digital laws, including the Digital Services Act, Digital Markets Act, and the EU AI Act;

  • Published guidelines and opinions on topics such as pseudonymisation

  • Focused on the right to erasure through the 2025 Coordinated Enforcement Framework, with participation from 32 supervisory authorities and responses from 764 controllers.

 

Industry / Tech Updates

Google Analytics Changes Affecting “Sales”

Changes to Google Analytics taking effect June 15, 2026, may have significant compliance implications. Businesses will no longer be able to prevent data collected through Google Analytics from being shared with Google Ads through Analytics settings alone. Instead, service configurations will determine whether Google acts as a data processor or controller, which may affect whether data sharing constitutes a “sale” or targeted advertising under applicable laws. This change increases both regulatory risk and potential exposure under statutes such as California’s privacy laws and the California Invasion of Privacy Act (CIPA).

 

 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on data protection, including privacy, AI, and data security. Our attorneys and consultants support clients across technology, advertising, media, fintech, healthcare, biotech, e-commerce, and mobile sectors.

Roblox Settles with Three States Over Alleged Child and Teen Online Safety Failures

By Emily Litka Sanford

In mid to late April 2026, Roblox settled with Alabama, Nevada, and West Virginia over allegations that its interactive gaming platform exposed children and teens to harmful content and predatory users. The three separate settlement orders will require Roblox to pay a total of $33 million to the three states and implement robust privacy and online safety controls. Note that, at this time, draft complaints have not been provided by Alabama, Nevada, or West Virginia, and the press releases do not describe the specific laws Roblox allegedly violated leading to the settlements.

Roblox faces similar scrutiny in Iowa, Kentucky, Nebraska, Tennessee, Texas, Florida, Louisiana, and Los Angeles County, as well as suits from private plaintiffs. Those complaints generally allege that Roblox was in violation of the states’ consumer protection laws because it misrepresented and had insufficient controls related to chat safety and content moderation.

Roblox will be required to take the following measures under the Alabama, Nevada, and West Virginia orders. While not all of these requirements are present in each states’ order, many are similar, and we describe these collectively. Note also that, at this time, the settlement order with West Virginia is not yet available — only a summary of the measures is provided in the press release issued by the West Virginia Attorney General.

  • Conducting heightened age assurance prior to accessing chat functionality: Roblox currently requires all users to self-report their age prior to accessing the platform. Roblox will be required to take heightened age assurance measures prior to enabling users to access chat functionality (Roblox began rolling out age checks via facial age estimation and ID verification late last year). Roblox also agreed to continue its practice of behavioral monitoring to assess whether a user is of a different age than they self-reported or was estimated.  

  • Implementing chat safety measures: The order provides detailed obligations for when adults can communicate with minor users, requiring parental consent for users under 13 and other approval mechanisms for users under 16 (in Nevada, the order also seeks to protect users under 16–17-years of age, obligating Roblox to “take steps” to address harms they may encounter). Roblox will also be required to surface an alert each time a user under 18 enters a private chat with another user about the dangers of communicating with strangers. To help law enforcement act on illegal interactions on the platform, Roblox agreed to not encrypt messages between minor users and other users.  

  • Providing an age-gated minor experience: To address minors’ access to inappropriate or unsafe content, Roblox will be required to create a default minor-safe experience for users under 16 and for users whose age hasn’t been verified. The orders will require parental consent to be obtained for users under 16 to access more mature experiences.

  • Assigning content maturity ratings for experiences: Roblox will be required to assign, or ensure that developers publishing experiences on its platform assign, a content maturity rating to its experiences. Roblox will need to have enforcement mechanisms in place to moderate developers that do not accurately represent their experiences and will be required to publish (among other public reporting requirements) the “statistics and measures” taken to address developer violations of Roblox policies.

  • Maintaining parental controls: Roblox is not required to ensure parents have accounts linked to their minor under the order; however, Roblox is required to take steps to increase the adoption of linked accounts. The settlement orders obligate Roblox to maintain parental controls (e.g., Alabama requires controls to set how much time a minor spends on the platform and spending limits).

  • Restricting personalized advertising and push notifications: The orders restrict Roblox from providing personalized advertising on the platform to children under 16, although it is unclear if this is a full prohibition or whether parental consent can be provided for these users to receive ads. Further, the orders also provide detailed requirements for when push notifications and other notifications can be sent to children under 16.

  • Awareness capabilities: The order with Nevada will require Roblox to conduct a multi-media public safety awareness campaign to the public about online safety, including its parental controls and age assurance practices.

 

Key Takeaways: These orders follow a current trend of increased scrutiny into child and teen online safety and experiences that are appealing to minors, especially those that permit engagement between users. As was reaffirmed in the Alabama Attorneys General press release, the settlement with Roblox “sends a clear message to every platform operating in this space” that they will continue to “aggressively enforce” child and teen online safety.

The obligations in the settlement orders are similar to many of the new obligations placed on online operators that have been established under the new age-appropriate design and minor privacy and safety laws in Colorado, Vermont, Nebraska, Arkansas, and New York, particularly around communication limitations between users, parental controls, limits on personalized adverting, and when notifications can be sent. The orders also introduce net new obligations on Roblox not specifically required under any current law like bans on encrypted messages with minors imposed by Alabama and Nevada.

With the new COPPA regulations having taken effect in April, the newly effective and soon to be effective state laws (New York, effective June 20, 2025; Colorado, effective October 1, 2025; Nebraska, effective January 1, 2026, with additional amendments coming into effect on July 17,2026; Arkansas, effective on July 1, 2026), and other recent state enforcement activity related to child and teen online safety under consumer protection laws, we expect to see continued regulatory enforcement activity in this space.

If you haven’t already, assess whether your organization’s online user experience will likely be considered appealing to, or have known users that are, children and teens. Organizations offering such experiences should devote significant resources and time to comply with this increasingly complex space, including, potentially, to develop processes and mechanisms to obtain parental consent, build or leverage third-party tools for age assurance, and conduct vendor and third-party management processes and tools to ensure that data isn’t shared or sold in manner that triggers additional consent and other obligations.


Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on data protection including AI, privacy, and data security. Hintze attorneys and data consultants support technology, advertising, media, fintech, health, biotech, ecommerce, and mobile industries.


Emily Litka Sanford is a Senior Associate at Hintze Law PLLC. She focuses her practice on global privacy and emerging AI laws and regulations. She regularly counsels on risk during product development, the development and operationalization of privacy programs, the preparation of data protection impact assessments, and the development of internal privacy policies and processes.