Age-appropriate design codes, chatbot regulations, and deepfake protections gain momentum
Protecting children’s privacy and safety online emerged as one of the most bipartisan and active areas of state lawmaking in 2025, with at least ten states passing new laws or amending existing ones to impose stronger protections around children’s personal data. The resulting legislative wave is creating a new regulatory reality for technology companies, social media platforms, and any business whose products or services reach young users.
The most significant development was the spread of age-appropriate design codes, which require online services to build privacy-protective features and limit functions that could expose minors to risks. Nebraska and Vermont both enacted new design-code-style laws in 2025, joining California, which adopted the first such statute in the nation. These laws shift the regulatory paradigm from reactive enforcement to proactive design requirements, placing the burden on companies to anticipate and mitigate harms before products reach young audiences.
Companion chatbot regulation marked a new frontier. California enacted SB 243, which requires operators of companion chatbots to disclose that users are interacting with an AI system rather than a human, implement technical safeguards when chatbots interact with known minors, and publish detailed protocols on their websites. The law reflects growing concern about the psychological impact of AI-powered conversational agents on young users, particularly in contexts involving mental health and emotional support.
The FTC continued to prioritize children’s privacy enforcement at the federal level, emphasizing COPPA as a core enforcement tool. The agency signaled that companies directing services to children under 13 should expect heightened scrutiny, particularly as updates to COPPA requirements took effect. Age verification laws also gained traction, though not without legal challenges. The Supreme Court upheld a Texas age-verification requirement for pornographic websites, but a separate Texas age-assurance law was enjoined by a federal court in late December 2025, illustrating the constitutional tensions inherent in these approaches.
Deepfake legislation targeting minors saw dramatic momentum. Of the more than 1,000 AI-related bills introduced across state legislatures in 2025, 301 targeted deepfakes, with 68 ultimately enacted. Most focused on sexual deepfakes, establishing criminal or civil penalties for the creation and distribution of synthetic intimate imagery without consent. Four additional states passed digital replica laws governing AI-generated likenesses used for commercial purposes, creating protections for digital identity and consent.
Healthcare-related AI applications drew particular legislative attention. Multiple states passed laws restricting AI from independently diagnosing patients or making treatment decisions, with disclosure obligations imposed when AI is used in patient communications. The intersection of mental health services and AI chatbots prompted several states to prohibit AI systems from acting as therapists, requiring human oversight in clinical contexts.
The broader state privacy framework also incorporated children’s protections. Maryland’s Online Data Privacy Act, effective October 2025, imposed some of the nation’s strictest limits on collecting and processing data relating to minors. Connecticut expanded its comprehensive privacy law to require risk assessments for processing children’s data, and California’s amended regulations will require businesses to assess AI system risks affecting minors beginning in 2027.
As the 2026 legislative session begins, children’s digital safety is expected to remain a top priority, with states likely to build on the momentum of 2025 while also addressing emerging issues such as agentic AI systems capable of autonomous interaction with young users.
Sources
1. “2025 Year in Review: Cybersecurity and Data Protection” — Paul Weiss, 2025. https://www.paulweiss.com/insights/client-memos/2025-year-in-review-cybersecurity-and-data-protection
2. “2025 Mid-Year Review: US State Privacy Law Updates (Part 2)” — Mayer Brown, November 19, 2025. https://www.mayerbrown.com/en/insights/publications/2025/10/2025-mid-year-review-us-state-privacy-law-updates-part-2
3. “Five Privacy Checkpoints to Start 2026” — Wiley, January 2026. https://www.wiley.law/alert-Five-Privacy-Checkpoints-to-Start-2026
4. “AI Legislation Across the U.S.: A 2025 End of Session Recap” — RILA, September 2025. https://www.rila.org/blog/2025/09/ai-legislation-across-the-states-a-2025-end-of-ses
5. “The Big Long List of U.S. AI Laws” — Morris Manning & Martin, December 11, 2025. https://www.mmmlaw.com/news-resources/102kaxc-the-big-long-list-of-u-s-ai-laws/
