On February 5, 2026, South Carolina Governor Henry McMaster signed H. 3431, Age-Appropriate Code Design (SC AACD) into law, making South Carolina the fifth state to enact an age-appropriate design code law after California, Maryland, Nebraska, and Vermont.[1] The law, which went into immediate effect upon the governor’s signature, adds to the steadily increasing patchwork of teens’ and children’s online safety legislation in the U.S. Notably, covered online services are liable for treble damages incurred as a result of a violation of the statute. Further, officers and employees may be held personally liable for “wil[l]ful and wanton” violations of the SC AACD. The law is already facing a legal challenge by a trade association.
The provisions and key takeaways are summarized below.
Scope
The SC AACD sets forth a number of strict privacy and safety guardrails for online services that do business in South Carolina, are data controllers, meet certain revenue or data processing thresholds, and are “reasonably likely to be accessed by minors” under the age of 18. An online service is “reasonably likely to be accessed by a minor” under 18 if it either: 1) has actual knowledge that a user is a minor (in which case the service must treat that individual as a minor); or 2) is “directed to children” under the Children’s Online Privacy Protection Act (COPPA) and its implementing regulations (in which case the service must treat all users using or visiting the covered online service as minors, except where the service has actual knowledge that the individual is an adult).
This definition is somewhat narrower than the definitions included in the age-appropriate design codes in Vermont, California, and Maryland, which set forth a broader, multi-factor test to determine coverage, looking at factors such as audience composition and other indicators that suggest minors are a meaningful segment of the service’s user base. The SC AACD is more similar to the Nebraska Age-Appropriate Design Code (AADC) in that it focuses on actual knowledge that a user is a minor or whether the service is directed to children under 13 under COPPA (see our prior alerts on the Nebraska and Vermont, Maryland, and California laws).
Covered online services have the following obligations:
Duty of Reasonable Care
Covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes limiting certain “covered design features”[2] (i.e., features that increase minors’ time and activity on the service) to “prevent” the following enumerated harms: “compulsive usage”[3] of the covered online service, severe psychological harm (e.g., anxiety, depression, self-harm, or suicidal ideations), severe emotional distress, privacy intrusions, identity theft, discrimination against the minor on the basis of race, ethnicity, sex, disability, or national origin, and material financial or physical injury. While this duty of care is similar to that in the Vermont AADC, the SC AACD arguably goes further by prescribing that online services take steps to “prevent” these enumerated harms. Further, unlike the Vermont AADC’s minimum duty of care, the SC AACD does not limit the harm to “reasonably foreseeable” emotional distress and compulsive use.
User Tools and Safeguards
Covered online services must provide users (not limited to minor users) with easily accessible and easy-to-use tools to: 1) disable nonessential design features, including “covered design features”; 2) limit time spent on the service; 3) set financial limits on purchases and transactions; 4) block unwanted communications from unconnected accounts; 5) restrict account visibility to connected accounts; 6) block visible engagement metrics; 7) restrict account profile search visibility to connected accounts; 8) prevent others from seeing the user’s connections to others; 9) restrict location information visibility to only those the user chooses to share it with while notifying users when their precise geolocation is being tracked or shared; and 10) opt out of certain “personalized recommendations systems.”
Default Protections for Minors
Consistent with the Maryland AADC, the SC AACD imposes a number of strict default protections for minors. For example, covered services must turn on the user tools and safeguards described above by default, opt minors out of “personalization recommendation systems” by default, and set personal data settings to the highest level of protection by default (e.g., covered online services are prohibited from facilitating targeted advertising to minors; automated profiling and precise geolocation information collection for minors are only permitted by default if strictly “necessary” for the provision of service).
Strict Data Minimization for Minors’ Personal Data
Covered online services may only collect, use, share, or retain the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service with which a minor has knowingly engaged. Note that the data minimization requirement is strictly limited to what is “necessary” and not reasonably necessary. Further, such personal data may not be used for secondary purposes. Personal data collected for age verification or estimation must not be used for other purposes and must be deleted after use.
Notifications and Push Alerts
Similar to the Nebraska AADC, covered online services under the SC AACD must offer a tool for minor users to prevent notifications and push alerts from 10 p.m. to 6 a.m. all year and from 8 a.m. to 3 p.m. on weekdays during the school year in the minor user’s time zone.
Parental Tools
Covered online services must provide parents with accessible and easy-to-use tools that help them protect and support minors using the covered online services. These parental tools must be turned on by default for known minors. The parental tools must at least include the ability for the parent to manage the minor’s account and privacy settings, restrict the minor’s purchases and transactions, view how long the minor has used the service, and limit the minor’s use of the service, including to specific days and times. Minors must be clearly notified of when parental tools are in effect and what settings have been applied.
Reporting Harms
Covered online services must provide a mechanism for parents, minors, and schools to report harm to minors, especially those harms that pose an imminent threat to a minor.
Prominent Disclosures and Dark Patterns (Including Private Right of Action)
Covered online services are required to provide “comprehensive, clear, conspicuous, and easy-to-understand information in a prominent location describing the design safety for minors, the privacy protections for minors, and the parental tools that the covered online service has adopted pursuant to [the SC AACD]” including “a clear, conspicuous, and easy-to-understand explanation of how minors and parents may utilize those design safety measures, privacy protections, and tools.” Covered online services also cannot use dark patterns. The law states that the use of dark patterns constitutes an unlawful trade practice under Section 39-5-20 of the South Carolina Unfair Trade Practices Act and that covered online services that violate this section are “subject to the provisions, penalties, and damages of the South Carolina Unfair Trade Practices Act.” The South Carolina Unfair Trade Practices Act provides a private right of action.[4]
Annual Independent “Audits” (but No DPAs)
Notably, similar to the Nebraska and Vermont AADCs, the SC AACD lacks the prescriptive data protection assessment requirements that are included in the California and Maryland AADCs, and which have been challenged as unconstitutional. However, the statute contains a prescriptive annual, independent “audit” requirement that is substantively similar to other DPA requirements.
Under the SC AACD, by July 1 of each year, a covered online service must submit to the state attorney general (AG) and prominently publish on its website an annual report prepared by an independent third-party auditor that contains a “detailed description of the covered online service as it pertains to minors, including its covered design features, its use of personal data, and its business practices as they pertain to minors.” The statute outlines a number of prescriptive requirements. For example, each audit report must outline the purpose of the online service, its accessibility to minors, details on the handling of minors’ personal data, safety and privacy measures, parental tools, use of design features, processes for data management, age verification and estimation methods, and descriptions of algorithms used by the online service. Independent auditors are required to follow “inspection and consultation practice” designed to ensure their audit reports are comprehensive and accurate and must consult with experts in the field. Covered online services are obligated to cooperate with audits and provide them access to all information and operations necessary to ensure that the report is comprehensive and accurate.
Enforcement and Individual Liability
The SC AACD took effect upon the Governor’s signature on February 5, 2026. The state AG has enforcement authority. Notably, the law does not provide for a cure period or safe harbor. Covered online services are liable for treble damages incurred as a result of a violation of the statute. Officers and employees may be held personally liable for “wil[l]ful and wanton” violations of the SC AACD.
Key Takeaways
Businesses should expect robust legislative activity in 2026 as U.S. states continue to expand children’s and teens’ online privacy and safety protections. Regulators at the federal and state levels have made kids’ online safety a top enforcement priority in recent years, and we expect this trend to continue into the foreseeable future.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and specializes in issues pertaining to children and teen privacy and online safety. We will continue to monitor developments at the state, national, and international level in order to assist companies with compliance. For more information, please contact Maneesha Mithal, Tracy Shapiro, Doo Lee, or another member of the firm’s Data, Privacy, and Cybersecurity practice.
[1] The California Age-Appropriate Design Code Act (AADC) remains enjoined while pending review before the U.S. Court of Appeals for the Ninth Circuit, and the Maryland AADC remains in litigation. The Vermont AADC takes effect January 1, 2027. The Nebraska AADC took effect January 1, 2026, but explicitly provides that the Attorney General cannot initiate enforcement actions to recover civil penalties until July 1, 2026.
[2] “Covered design features” means any feature or component of an online service that “will encourage or increase a minor’s frequency, time spent, or activity on a covered online service” including, but not limited to: infinite scroll, auto-playing videos, gamification elements, engagement metrics (e.g., visible likes, comments, clicks, views, or reactions any user-generated item has received), notifications and push alerts, in-game purchases or virtual currencies, and appearance-altering filters. See Section 39-80-10(3).
[3] “Compulsive use” broadly means “the persistent and repetitive use of a covered online service that substantially limits one or more of a user’s major life activities including, but not limited to, sleeping[,] eating, learning, reading, concentrating, communicating, or working.” Section 39-80-10(1).