Emerging Design-Code Laws Aim to Strengthen Children’s Online Pri

Bhashit (Sheek) Shah

Email

872/263-0836

Bio and Articles

Marisa K. McConnell

Email

734-372-2937

Bio and Articles

Find Your Next Job !

Health Law Attorney

Trial Attorney - Indiana - (Remote)

Marketing Manager
PLI Practising Law Institute

Litigation Manager - General Liability

Explore More Job Openings

Design-Code Laws: The Future of Children’s Privacy or White Noise?

by: Bhashit (Sheek) Shah, Marisa K. McConnell of Varnum LLP - Advisory

Thursday, March 6, 2025

Print Mail Download info_icon_img

/>i

In recent weeks, there has been significant buzz around the progression of legislation aimed at restricting minors’ use of social media. This trend has been ongoing for years but continues to face resistance. This is largely due to strong arguments that all-out bans on social media use not only infringe on a minor’s First Amendment rights but, in many cases, also create an environment that allows for the violation of that minor’s privacy.

Although companies subject to these laws must be wary of the potential ramifications and challenges if such legislation is enacted, these concerns should be integrated into product development rather than driving business decisions.

Design-Code Laws

A parallel trend emerging in children’s privacy is an influx in legislation aimed at mandating companies to proactively consider the best interest of minors as they design their websites (Design-Code Laws). These Design-Code Laws would require companies to implement and maintain controls to minimize harms that minors could face using their offerings.

At the federal level, although not exclusively a Design-Code Law, the Kids Online Safety Act (KOSA) included similar elements, and like those proposed bills, placed the responsibility on covered platforms to protect children from potential harms arising from their offerings. Specifically, KOSA introduced the concept of “duty of care,” wherein covered platforms would be required to act in the best interests of minors under 18 and protect them from online harms. Additionally, KOSA would require covered platforms to adhere to multiple design requirements, including enabling default safeguard settings for minors and providing parents with tools to manage and monitor their children’s online activity. Although the bill has seemed to slow as supporters try to account for prospective challenges in each subsequent draft of the law, the bill remains active and has received renewed support from members of the current administration.

At the state level, there is more activity around Design-Code Laws, with both California and Maryland enacting legislation. California’s law, which was enacted in 2022, has yet to go into effect and continues to face opposition largely centered around the law’s alleged violation of the First Amendment. Similarly, Maryland’s 2024 law is currently being challenged. Nonetheless, seven other states (Illinois, Nebraska, New Mexico, Michigan, Minnesota, South Carolina and Vermont) have introduced similar Design-Code Laws, each taking into consideration challenges that other states have faced and attempting to further tailor the language to withstand those challenges while still addressing the core issue of protecting minors online.

Why Does This Matter?

While opposition to laws banning social media use for minors has demonstrated success in the bright line rule restricting social media use, Design-Code Laws not only have stronger support, but they will also likely continue to evolve to withstand challenges over time. Although it’s unclear exactly where the Design-Code Laws will end up (which states will enact them, which will withstand challenges and what the core elements of the laws that withstand challenges will be), the following trends are clear:

There is a desire to regulate how companies collect data from or target their offerings to minors in order to protect this audience. The scope of the Design-Code Laws often does not stop at social media companies, rather, the law is intended to regulate those companies that provide an online offering that is likely to be accessed by children under the age of 18. Given the nature and accessibility of the web, many more companies will be within the scope of this law than the hotly contested laws banning social media use.
These laws bring the issue of conducting data privacy impact assessments (DPIAs) to the forefront. Already mandated by various state and international data protection laws, DPIA requirements compel companies to establish processes to proactively identify, assess and mitigate risks associated with processing personal information. Companies dealing with minor data in these jurisdictions will need to:
- Create a DPIA process if they do not have one.
- Build in additional time in their product development cycle to conduct a DPIA and address the findings.
- Consider how to treat product roll-out in jurisdictions that do not have the same stringent requirements as those that have implemented Design-Code Laws.

As attention to children’s privacy continues to escalate, particularly on the state level, companies must continue to be vigilant and proactive in how they address these concerns. Although the enactment of these laws may seem far off with continued challenges, the emerging trends are clear. Proactively creating processes will mitigate the effects these laws may have on existing offerings and will also allow a company to slowly build out processes that are both effective and minimize the burden on the business.