South Carolina Age-Appropriate Design Code Is Now in Force: How Will It Impact Your Business?
Legislative efforts to protect minors online have reached a fever pitch at both the federal and state levels, with Congress and state legislatures advancing a broad array of youth safety measures for app stores, social media apps, AI chatbots, and more. Against that backdrop, the enactment of a state law that imposes heightened statutory damages and personal liability on the officers and employees of covered businesses marks a significant escalation that warrants close attention from companies operating online services accessible to minors.
On February 5, 2026, South Carolina Governor Henry McMaster signed H. 3431 into law, adding a new Chapter 80 to Title 39 of the South Carolina Code titled “Age-Appropriate Code Design” (“the Act”). The Act took effect immediately and imposes novel obligations on covered online services that conduct business in South Carolina and are reasonably likely to be accessed by minors.
The Act goes beyond other laws that have followed an age-appropriate design code (AADC) model in several operational respects. Notably, the Act requires default protective safeguards for known minors, opt-outs from personalized recommendation systems, limits on covered design features, and annual public reports prepared by independent third-party auditors. It also carries significant enforcement risk, including Attorney General enforcement, treble financial damages, and potential personal liability for officers and employees for willful and wanton violations.
The Act applies to “covered online services,” which are businesses that provide online services (e.g., websites, applications, or AI-enabled features) in South Carolina that are “reasonably likely to be accessed by minors” and meet at least one of three size thresholds:
- annual gross revenues in excess of $25 million
- annually buying, receiving, selling, or sharing the personal data of 50,000 or more consumers, households, or devices
- deriving at least 50% of annual revenues from the sale or sharing of consumers’ personal data
The Act’s scope is broader than most prior frameworks in two respects. First, it drops the “for-profit” qualifier found in laws such as Maryland’s AADC so that any legal entity that owns, operates, controls, or provides a covered online service, including nonprofit and other noncommercial entities, may fall within its reach. Second, unlike Nebraska’s and Vermont’s design codes, the Act includes no carve-out for services that can show minors make up only a small share (e.g., fewer than 2%) of their audience. The Act does, however, exempt government entities, services covered by the Gramm-Leach-Bliley Act or HIPAA, and information collected as part of a clinical trial subject to existing federal protections.
There are several notable features of the Act:
1. Known Minors and COPPA-Directed Services
The Act’s minor-access trigger is more targeted than existing AADC models. The Act applies to a covered online service where either: (i) the covered online service has actual knowledge that a particular user is a minor under 18, in which case the covered online service must treat that individual as a minor; or (ii) the covered online service is “directed to children” under the Children’s Online Privacy Protection Act (COPPA) (and we previously covered updates to the COPPA Rule here), in which case the covered online service is expected to treat all users as minors unless the covered online service has actual knowledge the user is an adult.
Although the trigger is narrower in formulation than the common “reasonably likely to be accessed” standard, the Act’s definition of “actual knowledge” is broad: It encompasses all information and inferences available to the covered online service regarding the individual’s age, including, but not limited to, self-reported age, as well as any age the covered online service has attributed to or associated with the individual for marketing, advertising, product development, or any other purposes. As a result, companies that maintain age-related data signals (including via sources such as product analytics, school or parental-control signals, or other sources) may find themselves with “actual knowledge” obligations under the Act.
2. Annual Independent Audit
Each year, by July 1, covered online services must issue a public report prepared by an independent third-party auditor and submit a copy to the South Carolina Attorney General, who is required to post the report prominently on the Attorney General’s website. The report must cover, among other things, the covered online service’s “covered design features, its use of personal data, and its business practices as they pertain to minors,” including age verification or estimation methods and algorithm descriptions. The Act contains a number of prescriptive reporting requirements including, but not limited to:
- an accounting of the total number and types of reports generated, and an assessment of how those reports were handled, if known
- the covered online service’s process for handling data access, deletion, and correction requests for a minor’s data
- a description of algorithms used by the covered online service
- submission to the Attorney General, who is required to post the report prominently on the Attorney General’s website
This public, third-party audit requirement is a notable departure from earlier models. Rather than the data protection impact assessment approach used in California’s and Maryland’s AADCs, a feature that has drawn constitutional challenge (see below), South Carolina mandates a descriptive public report prepared by an auditor who must consult with experts on minors’ use of covered online services. Because the Attorney General must post each report publicly, covered services should anticipate that the exercise may raise operational and trade-secret considerations.
3. Design Features and Recommendation Systems
At its core, the Act imposes a duty of care: Covered online services must exercise reasonable care, in both their use of a minor’s personal data and the design and operation of the service, to prevent a defined set of heightened harms to minors, including compulsive usage, severe psychological harm, severe emotional distress, highly offensive intrusions on a minor’s reasonable privacy expectations, identity theft, discrimination, and material financial or physical injury. This formulation blends the duty of care concepts found in Vermont’s AADC and Colorado’s comprehensive privacy law. Notably, and likely in response to the constitutional challenges discussed below, the Act provides that the content a minor views does not by itself establish emotional distress or compulsive usage and that the duty does not require services to prevent minors from independently searching for content related to the enumerated harms. In two respects, however, the South Carolina formulation is arguably stricter than those antecedents: It omits the “reasonably foreseeable” qualifier that Vermont and Colorado use to cabin the harm assessment, and it requires services to prevent the enumerated harms rather than mitigate heightened risks of harm.
Covered online services are required to use reasonable care to prevent minors from developing compulsive usage (i.e., repetitive platform use that substantially impairs major life activities), which will necessitate covered online services to evaluate whether “covered design features” may contribute to such harmful usage patterns. The Act defines “covered design features” as any feature or component that will encourage or increase a minor’s frequency, time spent, or activity on the service. The following features are specifically enumerated as nonexclusive examples:
- infinite scroll
- auto-playing videos
- gamification, including streaks, badges, or rewards
- quantification of engagement (visible counts of likes, comments, clicks, views, or reactions)
- notifications and push alerts
- in-game purchases or digital items purchased with virtual currency
- appearance-altering filters
Covered online services must provide all users (not just minors) with easily accessible and easy-to-use tools to disable nonessential features, including covered design features. The required tools go well beyond design features: All users must also be able to limit their time spent on the service, limit the financial value of purchases, block messages from account holders outside their existing connections, restrict the visibility of their accounts and connections, disable the display of engagement counts (e.g., likes, comments, and views) on their own content, disable search-engine indexing of their profiles, and restrict the visibility of location information. Similar to prior AADCs, known minors must receive default protective safeguards, including default settings related to disabling nonessential covered design features. Additionally, the Act requires covered online services to give users an option to opt out of personalized recommendation systems (except for optimizations based on expressed preferences) and to make that opt-out the default for known minors. Covered online services that use personalized recommendation systems must also describe in their terms and conditions how those systems are used to provide information to minors and how minors or parents may opt out of or control them.
Covered online services must offer parental control tools that allow parents to manage account and privacy settings, restrict purchases and usage, set time-of-day and screen-time limits, and otherwise manage the minor’s experience. This requirement is similar to the parental tools requirement in the federal Kids Online Safety Act, which remains pending before Congress. The Act requires the covered online service to notify the minor when parental tools are in effect and what settings have been applied.
4. Notification and Push Alert Controls
The Act requires covered online services to offer accessible and easy-to-use tools to prevent notifications and push alerts to known minors during specified times in the minor’s local time zone:
- year-round between 10:00 pm and 6:00 am
- between 8:00 am and 3:00 pm, Monday through Friday, from August through May
The obligation to offer notification and push alert controls will require companies to conduct technical and operational reviews to align their current notification systems with the Act’s time-specific requirements.
5. Dark Patterns and Consumer Protection Exposure
The Act prohibits the use of dark patterns, defined as user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice. Unlike most state privacy laws, which prohibit dark patterns only in the context of obtaining consent or collecting personal information, the Act’s prohibition is categorical, applying across a covered online service’s interfaces. South Carolina departs from prior AADC laws by deeming the use of dark patterns an unlawful trade practice under the South Carolina Unfair Trade Practices Act (the SCUTPA), subjecting dark-pattern violations to SCUTPA’s provisions, penalties, and damages.
Significantly, SCUTPA permits an individual action by a person who suffers an ascertainable loss (though not in a representative capacity) and provides for actual damages, attorneys’ fees, and treble damages for willful or knowing violations. Companies should review their user interfaces and user experience flows to ensure that no design elements could be characterized as having the substantial effect of subverting or impairing user autonomy under SCUTPA.
6. Treble Damages and Personal Liability for Willful and Wanton Violations
The Act significantly departs from prior AADC laws in its enforcement provisions. Covered online services are liable for treble the financial damages incurred as a result of any violation of the Act, with no cure period available. Separately, and notably, officers and employees of a covered online service may be held personally liable for willful and wanton violations of the Act. This combination of entity-level enhanced damages and individual-level personal liability is unique among state-level AADCs. Whereas other frameworks typically cap civil penalties on a per-violation basis (e.g., $50,000 per violation under Nebraska’s AADC and $10,000 per violation for Attorney General enforcement under Vermont’s), the Act’s treble-damages remedy is uncapped and scales with the financial damages resulting from a violation. Covered online services should ensure that relevant officers and employees are informed of the Act’s obligations and provided with compliance tools.
7. Constitutional Litigation and the Road Ahead
AADC-style laws have faced sustained First Amendment challenges, and the South Carolina Act is unlikely to be an exception. On March 12, 2026, the U.S. Court of Appeals for the Ninth Circuit issued a mixed ruling in NetChoice v. Bonta, the long-running challenge to California’s AADC Act (CAADCA). The court vacated the injunction against the statute as a whole and against the CAADCA’s age-estimation requirement, holding that the lower court had misapplied the U.S. Supreme Court’s facial-challenge framework, while at the same time affirming the injunction against the CAADCA’s data use and dark patterns restrictions, finding that terms such as “materially detrimental,” “best interests,” and “well-being” were unconstitutionally vague. The ruling was the Ninth Circuit’s second pass at the CAADCA: In 2024, the court affirmed the injunction against the law’s data protection impact assessment requirement and remanded the remainder for analysis under the U.S. Supreme Court’s Moody v. NetChoice framework. With further proceedings on remand likely, the CAADCA may remain unenforced for some time.
The decision has direct implications for South Carolina. NetChoice has already challenged the South Carolina Act in NetChoice v. Wilson (D.S.C.), a complaint that characterizes the Act as an “unlawful censorship regime” controlling how websites present speech and information to their users, and the Ninth Circuit’s vagueness analysis is likely to serve as persuasive authority where other states’ laws use similar language. South Carolina may have reduced some of this exposure: Rather than the open-ended “best interests” and “well-being” standards struck down in California, the Act enumerates specific harms and expressly provides that the content a minor views will not, by itself, establish a violation. Even so, the Act’s broad dark patterns prohibition, its duty of care, and its open-ended “covered design features” concept could invite comparable challenges. Maryland’s AADC, which NetChoice is also challenging, faces more direct exposure: It expressly requires covered services to act in the “best interests of children,” the very phrasing the Ninth Circuit found impermissibly vague.
8. What Should Covered Businesses Do Now?
As the Act is already effective, companies that operate covered online services should promptly do the following:
- Inventory age signals, including self-reported age, inferred age, product analytics, school or parental-control signals, and any age attributes used for marketing, advertising, or product development.
- Map covered design features, including infinite scroll, autoplay, gamification, engagement metrics, notifications, in-game purchases, virtual currency, and appearance-altering filters.
- Review personalized recommendation systems and implement required opt-out controls, including default opt-out settings for known minors and required terms-and-conditions disclosures.
- Identify a qualified independent third-party auditor and prepare an audit report by July 1.
- Implement or update parental tools, minor notices, notification and push alert controls, harm-reporting mechanisms, and public disclosures regarding design safety, privacy protections, and parental tools.
- Review user interfaces and user experience flows to identify and remediate any design elements that could constitute dark patterns under SCUTPA.
We would like to thank Rameses Neale for their assistance with this alert.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Jacqueline Klosek

Jacqueline Klosek
Partner - Omer Tene

Omer Tene
Partner - Raphael Kohler

Raphael Kohler
Associate - Jonathan Ng

Jonathan Ng
Associate