TL;DR: U.S. children’s data regulation is shifting from consent-only models toward age assurance, default protections, and design obligations, with South Carolina, Alabama, and renewed KOSA momentum expanding compliance pressure across minors’ personal data, app distribution, and platform safety, according to OneTrust. Consent workflows alone are no longer enough; governance now has to cover product defaults, verification, and jurisdiction-by-jurisdiction enforcement.
NHIMG editorial — based on content published by OneTrust: US Children’s Data Laws and Consent: What Businesses Need to Know in 2026
By the numbers:
- In the Vermont Age Appropriate Design Code, services are considered reasonably likely to be accessed by a minor if at least 2% of users are between 2 and 17 years old.
Questions worth separating out
Q: How should organisations handle age assurance for minors without collecting too much personal data?
A: Use a proportionate approach that matches the sensitivity of the service and the legal threshold in each jurisdiction.
Q: Why do children’s data laws require product design changes instead of consent alone?
A: Because consent does not stop a harmful or overly permissive product experience.
Q: What do privacy teams get wrong about parental consent workflows?
A: They often treat consent as a one-time paperwork step rather than a governed identity relationship.
Practitioner guidance
- Map minor-user identification rules Document how your service determines whether a user is a child or teen, including self-declared age, inferred age, and age-verification triggers.
- Rework default settings for minor accounts Review advertising, recommendations, location sharing, messaging, and profile visibility defaults for accounts that may fall within youth-data laws.
- Centralise parental consent evidence Store consent status, parent-child linkage, and verification outcomes in one auditable system so downstream services can enforce the correct permissions consistently.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- How OneTrust links parent and child identities inside Collection Points for auditable consent management
- How Hosted Web Forms and API-based Collection Points support parent identifiers and routing of Double OptIn communications
- How OIDC and the OneTrust ID Verification API can be used to verify identities while limiting unnecessary personal-data exposure
- How the workflow is designed to support consent attribution, preference handling, and downstream enforcement across systems
👉 Read OneTrust's analysis of U.S. children’s data laws and consent →
Children’s data laws and age assurance: what privacy teams need to do?
Explore further
Age assurance is becoming an identity governance control, not just a privacy workflow. The article shows that regulators are now asking organisations to determine who a user is, not simply whether a consent box was ticked. That pushes age classification, parental linkage, and auditability into the same governance conversation as access decisions and identity lifecycle management. Practitioners should treat minor identification as a governed identity attribute, not an isolated compliance field.
A question worth separating out:
Q: Who is accountable when a service misclassifies a minor account or applies the wrong defaults?
A: Accountability usually spans privacy, product, legal, and platform owners because the failure is operational as well as regulatory. The organisation must be able to show how age was determined, how consent was recorded, and how features were restricted. Under children’s data laws, those records are part of the evidence chain.
👉 Read our full editorial: Children’s data laws now push consent toward design and age assurance