Age verification regulations in the United States of America

1. Understanding the US age verification laws

While the distribution of pornographic content has been regulated for quite some time already, Louisiana’s House Bill 142, also known as Act 440, enacted on January 1, 2023, was the first groundbreaking legislation addressing the issue of minors’ exposure to such content online. 

The importance of the Louisiana age verification law stems from the fact that it has set a precedent for other states to follow. Indeed nowadays many can see the significant impact of Louisiana’s age verification law in paving the way for the U.S.-wide trend towards stricter age verification laws. For instance, states like Arkansas, Virginia, Florida, South Dakota, West Virginia, Kansas, and Mississippi have introduced similar legislation to enforce age verification on digital businesses. These laws, just like their Louisiana counterpart, aim to regulate the accessibility of digital content and services, particularly those that could be harmful to minors.

As we continue to pave the way for further technological advancements, we see that many states do not hesitate to produce laws analogous to Louisiana age verification law. Yet others go beyond this “standard” approach and establish even more specific safeguards that are particularly important for social media providers. 

In any case, we can effortlessly see that age verification laws will undoubtedly play a pivotal role in creating a safer online environment for the younger generation and online businesses operating in the US, regardless of their sector, must familiarize themselves with the applicable framework.

2. Deep-diving into the US states’ age verification framework

Louisiana

House Bill 77

Codified as: Louisiana Revised Statutes, Title 51, Section 51:2121

Regulation overview: Pornography Age Verification Enforcement Act or the PAVE Act requires commercial entities that knowingly and intentionally publish or distribute material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:

Implement reasonable age verification method through the use of:

• A digitized identification card or
• A system that allows to verify the age through the government-issued identification or any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: House Bill 77 

Status: Applies from August 1, 2023

Exemptions, if any: Does not apply to:

• News or public interest broadcast, website video, report, or event; or
  undefined
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: The Act establishes civil liability for the violators. Any commercial entity that violates the requirements of the act may be penalized:

• By a fine of not more than $5,000 for each day of violation;
• By request from the Attorney General, an additional fine of not more than $10,000 for each violation where the entity knowingly failed to perform reasonable age verification to verify the age of individuals.

How is it enforced: Attorney General.

House Bill 142

Codified as: Louisiana Revised Statutes, Title 9, Section 9:2800.29

Regulation overview: Requires commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:

1. Not to retain any identifying information on the individual after performing age verification and after access has been granted to the material.

2. Implement reasonable age verification method, through use of:

• A digitized identification card or
• A system that allows to verify the age through the government-issued identification or any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: House Bill 142 

Status: Applies from January 1, 2023

Exemptions, if any: Does not apply to:

• News or public interest broadcast, website video, report, or event;
• News-gathering organizations; or
• Internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers unless certain criteria is met.

Applicable sanctions: The scope of penalties remains somewhat ambiguous. The Act provides that an entity who fails to implement reasonable age verification methods or knowingly retains identifying information of the individual after the access has been granted to the individual is liable to an individual for damages resulting from a minor accessing the material or retaining identifying information, including court costs and reasonable attorney fees.

How is it enforced: Through a private right of action.

Texas

House Bill 1181

Codified as: Texas Civil Practice and Remedies Code, Title 6, Chapter 129B

Regulation overview: Requires a commercial entity, including social media platform, that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to use reasonable age verification methods to verify that an individual attempting to access the material is 18 years of age or older.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include: 

1. Not to retain any identifying information on the individual after performing age verification.

2. Display specific notices on the landing page of the internet website on which sexual material harmful to minors is published or distributed and all advertisements for that website in 14-point font or larger.

3. Display the specific notice at the bottom of every page of an internet website (on which sexual material harmful to minors is published or distributed) in 14-point font or larger.

4. Implement age verification through the use of:

• Digital identification - that is information stored on a digital network that may be accessed by a commercial entity and that serves as proof of an individual's identity.
• Commercial age verification system which verifies age using government-issued identification or a commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: House Bill 1181

Status: Applies from September 1, 2023

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers.

Applicable sanctions: The Act establishes civil liability for the violators. The Attorney General may bring an action to enjoin the violation, recover a civil penalty, and obtain another relief the court considers appropriate. A civil penalty may amount to not more than the total of:

• $10,000 per day that entity operates an internet website without appropriate age verification mechanisms required by this Act;
• $10,000 per each instance when the entity retains identifying information contrary to requirements under this Act;
• If the failure to implement age verification results in a minors's access to sexual material harmful to minors, an additional amount is not more than $250,000.

Additionally, the attorney general may recover reasonable and necessary attorney's fees and costs incurred in an action highlighted above.

How is it enforced: Attorney General

House Bill 18

Codified as: Texas Business and Commerce Code, Title 1, Subtitle A, Chapter 509

Regulation overview: Requires a digital service provider (website, application, program or software that collects personal information) to register the age of their users, to obtain verified parental consent to enable minors’ access to the range of functionalities and establishes providers’ duties to prevent harm to minors. 

Applicability: digital service provider which can be a website, application, program or software that collects personal information through the Internet. For example, this includes social media providers, video sharing platforms and streaming platforms. 
Core requirements include: 

• To verify the age of the users who want to create an account with the digital service provider
• To obtain the verified parental consent in order to collect more personal data than necessary for provision of the service and enable minor to perform a range of activities on digital service platform, such as:
• Purchases or financial transactions;
• Sharing, selling or disclosure of minor’s information;
• Usage of digital service for displaying targeted advertising.
• Develop and implement a strategy to prevent minors's exposure to harmful material, for example using content filters and reviewing effectiveness of filtering.
• To create tools that allow parents to supervise their children’s use of digital service. This should include controls of minor’s privacy, access to account settings and imposing time limits minors can spend on the digital service.
• Implement commercially reasonable age and identity verification method for users intended to access harmful content.

Link: House Bill 18
Status: Applies from September 1, 2024
Exemptions, if any: Does not apply to:

• State agencies
• Financial institutions
• Businesses that are governed by the Health Insurance Portability and Accountability Act of 1996
• Small businesses as defined by the United States Small Business Administration on September 1, 2024
• Higher education institutions
• Digital service providers where the information is used for employment purposes
• Operators that are governed by Texas Education Code that primarily provide services to students and educational institutions
• A person subject to the Family Educational Rights and Privacy Act of 1974.
• Digital service providers who exclusively facilitate e-mail or direct messaging services.
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers.

Applicable sanctions: The violation of the law is deemed as a deceptive act or practice and will be sanctioned accordingly. The law does not authorize private right of action, however parents may bring an action seeking a declaratory judgment or an injunction.
How is it enforced: By the Consumer Protection Division of the Attorney General’s Office. 

California

Age-Appropriate Design Code Act

Codified as: California Civil Code, Division 3, Part 4, Title 1.81.47

Regulation overview: The California Age-Appropriate Design Code Act (CAADCA) requires a business that provides an online service, product, or feature likely to be accessed by children to complete a Data Protection Impact Assessment to identify potential harms to which children may be exposed and, where appropriate, estimate the age of child users with reasonable certainty appropriate to the risks to which they may be exposed.

Applicability: CAADCA applies to any business whose online service, product, or feature is likely to be accessed by children where such service, product, or feature may expose a child to the risk of harm.

Core requirements include:

• Prior to offering new services to the public, to complete and make available upon request to the Attorney General, the Data Protection Impact Assessment;
• Document any risk of harm to children that arise from the data management practices of the business identified in DPIA and create a plan to mitigate or eliminate such risk before children access the online service;
• Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or alternatively, apply the privacy and data protection measures designed for children to all consumers;
• Provide any privacy information, terms of service, policies, and community standards using clear and concise language suited to the age of children likely to access online services;
• Enforce published terms, policies, and community standards established by businesses, including privacy policies;
• Provide visible, accessible, and responsive tools to help children, or, when relevant, their parents or guardians, exercise their privacy rights and report concerns.

Link: Assembly Bill 2273 

Status: Applies from July 1, 2024

Exemptions, if any: Online service, product, or feature excludes:

• a broadband internet access service;
• a telecommunications service;
• the delivery or use of physical products.

This act does not apply to information or entities specified in the California Civil Code, section 1798.145 (for example, health care providers or entities cooperating with law enforcement agencies).

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• injunction;
• a civil penalty not exceeding $2,500 per affected child for each negligent violation;
• a civil penalty not exceeding $7,500 per affected child for each intentional violation.

How is it enforced: Attorney General

Protecting Our Kids from Social Media Addiction Act

Codified as: California Health and Safety Code, Division 20, Chapter 24

Regulation overview: The Protecting Our Kids from Social Media Addiction Act requires a operators of addictive internet-based services and applications to prevent children from accessing "addictive feed" before verifiable parental consent has been obtained. This means that operators must verify the age of persons who attemt to access their services and where relevant apply necessary restrictions onto the minors.

Applicability: The Act applies to any operator, who is a person providing an internet website, online service or mobile application, who can make content recommendations and suggestions to their users.

Core requirements include:

• Prior to offering "addictive feed" to a user, the operator must verify the age to whom it is offered and if a user is determined to be a minor - to obtain parental consent.
• The operator must not send notifications (from the service they provide, for example, social media message notifications) between 12 a.m. and 6 a.m. and between 8 a.m. and 3 p.m. from Monday to Friday from September through May in user's time zone, unless the operator obtained parental consent.
• The operator must provide a verified parent of the user who is a minor a list of functionalities that enable parent to regulate their child's interaction with the service/application and addictive feed.
• The operator must publicly disclose the number of minor users of their addictive internet-based service/application

Link: Senate Bill 976

Status: Applies from January 1, 2027

Exemptions, if any: Not applicable

Applicable sanctions: Any business that is found to violate this act may be subject to the civil penalty

How is it enforced: Attorney General

North Carolina

House Bill 8 / SL 2023-132 

Codified as: North Carolina General Statutes, Chapter 66, Article 51, Section 66-500

Regulation overview: Pornography Age Verification Enforcement Act or the PAVE Act requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, or partnerships.

Core requirements include:

1. Not to retain any identifying information on the individual after performing age verification and after access has been granted to the material

2. Implement age and identity verification through the use of:

• A digitized identification card or A system that allows to verify the age through the government-issued identification or any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records);
• Another commercially reasonable method of age and identity verification.

Link: House Bill 8 / SL 2023-132 

Status: Applies from January 1, 2024

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Generally to internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers unless certain criteria are met (e.g. they create the material harmful to minors).

Applicable sanctions: The act establishes civil liability for the violators.

Parents or guardians of affected minors and/or persons whose identifying information is retained in violations of requirements under the PAVE Act may seek from the court the following types of relief:

• An injunction to enjoin a continued violation of the PAVE Act;
• Compensatory and punitive damages.
• All costs, expenses, and fees related to the civil suit investigation and proceedings associated with the violation, including attorney's fees.

How is it enforced: Private right of action - meaning any affected individual (e.g. a parent or guardian of a minor who gained access to the material) can bring the case to the court.

Montana

Senate Bill 544

Codified as: Montana State Statutes, Title 30, Chapter 14

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include: 

1. Not to retain any identifying information on the individual after performing age verification and after access has been granted to the material.

2. Implement reasonable age verification method through the use of:

• A digitized identification card or
• A system that allows to verify the age through the government-issued identification or  any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records);
• Another commercially reasonable method of age and identity verification.

Link: Senate Bill 544 

Status: Applies from January 1, 2024

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers.

Applicable sanctions: The scope of penalties remains somewhat ambiguous. The Act provides that an entity who fails to implement reasonable age verification methods or knowingly retains identifying information of the individual after the access has been granted to the individual is liable to an individual for damages resulting from a minor accessing the material or retaining identifying information, including court costs and reasonable attorney fees.

How is it enforced: Most likely through the private right of action, but the Act is not too clear in this regard.

Virginia

Senate Bill 1515

Codified as: Code of Virginia, Title 8.01, Chapter 3, Article 3, Section 8.01-40.5

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include: 

• A commercially available database that is regulatory used by businesses or governmental entities for the purposes of age and identity verification or
• Another commercially reasonable method of age and identity verification.

Link: Senate Bill 1515 

Status: Applies from July 1, 2023

Exemptions, if any: Does not apply to the provider or user of interactive computer service on the internet.

Applicable sanctions: The scope of penalties remains somewhat ambiguous. The Act establishes that any commercial entity that violates this Act may be subject to civil liability for damages resulting from a minor's access to such material harmful to a minor and reasonable attorney fees and costs.

How is it enforced: Most likely, through a private right of action, but the Act is not too clear in this regard.

Arkansas

Senate Bill 66

Codified as: Code of Arkansas, Title 4, Subtitle 7, Chapter 88, Subchapter 13

Regulation overview: Protection of Minors from Distribution of Harmful Material Act requires a commercial entity to use a reasonable age verification method before allowing access to a website that contains a substantial portion of material that is harmful to minors.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:

1. Not to retain any identifying information on the individual after performing reasonable age verification and after access has been granted to the material.

2. Implement reasonable age verification method through the use of:

• A digitized identification card;
• A government-issued identification;
• Any commercially reasonable age verification method that holds an Identity Assurance Level 2 (IAL2).

Link: Senate Bill 66

Status: Applies from July 31, 2023

Exemptions, if any: Does not apply to:

• News or public interest broadcast, website video, report, or event;
• Cloud service providers; or
• Internet service providers, its affiliates or subsidiaries or search engines unless certain criteria are met (e.g. they create material harmful to minors).

Applicable sanctions: The scope of penalties remains somewhat ambiguous. The Act provides that an entity who fails to implement reasonable age verification methods or knowingly retains identifying information of the individual after the access has been granted to the individual is liable to an individual for damages resulting from a minor accessing the material or retaining identifying information, including court costs and reasonable attorney fees.

How is it enforced: Most likely, through a private right of action, but the Act is not too clear in this regard.

Senate Bill 396

Codified as: Code of Arkansas, Title 4, Subtitle 7, Chapter 88, Subchapter 14

Regulation overview: Requires social media companies to prevent a minor from being an account holder on the social media platform unless the minor has the express consent of a parent or legal guardian.

Applicability: 

Social media company - means an online forum that a company makes available for an account holder to:

• Create a public profile, establish an account, or register as a user for the primary purpose of interacting socially with other profiles and accounts;
• Upload or create posts or content;
• View posts or content of other account holders and
• Interact with other account holders or users, including, without limitation, establishing mutual connections through request and acceptance.

Core requirements include:

1. Not to retain any identifying information of the individual after performing age verification and providing access to social media platforms.

2. Social media companies must verify the age of an account holder and, if the holder is a minor, confirm that they have parental/guardian's consent to become a new account holder when opening an account. The age verification can be conducted through the use of:

• A digitized identification card;
• A government-issued identification;
• Any commercially reasonable age verification method.

Link: Senate Bill 396 

Status: Applies from Sep 1, 2023

Exemptions, if any: Does not apply to:

• A media company that exclusively offers subscription content in which users follow or subscribe unilaterally and whose platform's primary purpose is not social interaction;
• A social media company that allows a user to generate short video clips of dancing, voice-overs, or other acts of entertainment in which the primary purpose is not educational or informative;
• A media company that exclusively offers interactive gaming, virtual gaming, or an online service that allows the creation and uploading of content to interact in gaming, entertainment, or associated entertainment, and the communication related to that content;
• A company that offers cloud storage services, enterprise cybersecurity services, educational devices, or enterprise collaboration tools for kindergarten through grade twelve (K-12) schools and derives less than 25% of its revenue from operating a social media platform, including games and advertising;
• A company that provides career development opportunities, including professional networking, job skills, learning certifications, and job posting and application services;
• A social media platform that is controlled by a business entity that has generated less than $100,000,000 in annual gross revenue.
• An online service, a website, or an application that has a predominant function listed in A.C.A. § 4-88-1401(8(B)).

Applicable sanctions: A social media company, who violates the provisions of the act may be liable to:

• A penalty of $2,500 per violation, plus the court costs and reasonable attorney's fees;
• Damages resulting from a minor accessing a social media platform without their parent's or custodian's consent, including court costs and reasonable attorney's fees.

How is it enforced: Prosecutor and/or Attorney General. The private right of action is also authorized.

Mississippi

Senate Bill 2346

Codified as: Mississippi Code 1972, Title 11, Chapter 77

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:

1. Not retain any identifying information on the individual after performing age verification and after access has been granted to the material.

2. Implement reasonable age verification method through the use of:

• A digitized identification card or
• A system that allows to verify the age through the government-issued identification or any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: Senate Bill 2346 

Status: Applies from July 1, 2023

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: The scope of penalties remains somewhat ambiguous. The Act provides that an entity who fails to implement reasonable age verification methods or knowingly retains identifying information of the individual after the access has been granted to the individual is liable to an individual for damages resulting from a minor accessing the material or retaining identifying information, including court costs and reasonable attorney fees.

How is it enforced: Most likely, through a private right of action, but the Act is not too clear in this regard.

Utah

Senate Bill 287

Codified as: Utah Code, Title 78B, Chapter 3, Part 10

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:

1. Not to retain any identifying information on the individual after performing age verification and after access has been granted to the material.

2. Implement reasonable age verification method through the use of:

• A digitized identification card or
• Verification through an independent, third-party verification service that compares the personal information entered by the individual who is seeking access to the material that is available from a commercially available database(s) that government agencies and businesses regularly use for age and identity verification or
• Any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: Senate Bill 287 

Status: Applies from May 3, 2023

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: The scope of penalties remains somewhat ambiguous. The Act provides that an entity who fails to implement reasonable age verification methods or knowingly retains identifying information of the individual after the access has been granted to the individual is liable to an individual for damages resulting from a minor accessing the material or retaining identifying information, including court costs and reasonable attorney fees.

How is it enforced: Most likely, through a private right of action, but the Act is not too clear in this regard.

Senate Bill 194 and House Bill 464

Codified as: Utah Code, Title 78B, Chapter 3, Part 11 and Title 13, Chapter 71

Regulation overview: As a result of the lawsuits that challanged the House Bill 311, the Senate Bill 194 and the House Bill 464 were recently enacted. These laws while amending the substance of its earlier counterpart both form a framework that remained quite similar to their predecessor.

In short, Senate Bill 194 imposes a range of requirements on social media companies such as requiring to implement an age assurance system to determine whether the intended user is a minor. The House Bill 464 on the other hand establishes the private right of action for the violation of the Senate Bill 194.

Applicability: 

Social media company - means an entity that operates a social media service.

Social media service - means a public website or application that:

• displays user-generated content;
• allows to register an acocunt and create a visible profile;
• allows to post content viewable by other users;
• connects account holders and permits the social interactions within the service;
• creates a list to each account holder of other account holders with whom they have a connection

Core requirements include: 

• A social media company must implement the age assurance system to determine whether current or prospective Utah account holder is a minor
• A social media company needs to set default privacy settings for minor account holder to prioritize privacy as well as implement reasonable security measures. Additionally, the company needs to disable some features that may lead to addictive behaviours.
• A social media company need to provide a supervisory tool that allows a person selected by minor to introduce features such as daily service usage time limits or mandatory scheduled breaks.
• A social media company must obtain verifiable parental consent to enable minor account holder to change default privacy settings

Link: Senate Bill 194 and House Bill 464

Status: Both are fully applicable as of October 1, 2024

Exemptions, if any: Does not apply to email, cloud storage, document viewing, sharing, or collaboration services.

Applicable sanctions: Social media companies may be liable to the following penalties:

• An administrative fine imposed by the Division of Consumer Protection up to $2,500 for each violation, plus the court costs, reasonable attorney's fees, awards to injured persons and any other relief that the court may deem appropriate;
  undefined
• Allows for a private right of action (i.e., an individual bringing the case to the court against a social media platform).
• An administrative fine up to $5,000 for violation of the administrative or court order

How is it enforced: Department of Commerce the Division of Consumer Protection and private right of action

Ohio

House Bill 311 

Codified as: Ohio Revised Code, Title 13, Chapter 1349, Section 1349.09

Regulation overview: The Ohio Social Media Parental Notification Act requires social media operators to prevent a minor from being an account holder on the social media platform unless the minor has the express consent of a parent or legal guardian.

Applicability: 

Social media operator - means a person or entity that operates an online product that has users in Ohio and that allows users to do all of the following:

• Socially interact with other users within the same product;
• Create public or semipublic profile to sign into and use the product;
• Create list of other users with whom user is able to share social connection within the product;
• Create or post content viewable by others.

Core requirements include: 

• Present to the child's parent a list of the features offered by an operator's product related to censoring or moderating content, including any features that can be disabled for a particular profile.
• Obtain verifiable consent for any contract with a child, including terms of service, to register, sign up, or otherwise create a unique username to access or utilize the online web site, service, or product, from the child's parent using any of the following methods:
• Requiring a parent to sign and return to the operator a form consenting to the contract by postal mail, facsimile, or electronic mail;
• Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
• Requiring a parent to call a toll-free telephone number implemented by the operator and staffed by trained personnel;
• Requiring a parent to connect to trained personnel by videoconference;
• Verifying a parent's identity by checking a form of government-issued identification against databases of such information, and promptly deleting the parent's or legal guardian's identification from the operator's records after such verification is complete. 

Link: Ohio Revised Code

Status: Applies from January 15, 2024

Exemptions, if any: Does not apply to an online web site, service, or product where the predominant or exclusive function is:

• Cloud storage or cloud computing services;
• Broadband internet access services;
• Search engine services. 

Applicable sanctions: Attorney General has authority to bring civil action for a temporary restraining order, preliminary or permanent injunction, and civil penalties. Civil penalties are scalable and become bigger as the non-compliance continues:

• $1,000 for each subsequent day of first 60 days the operators fail to comply with the law;
• $5,000 for each subsequent day of 61st to 90th day, the operators fail to comply with the law;
• $10,000 for each subsequent day starting from 91st day, the operators fail to comply with the law.

How is it enforced: By Attorney General.

Indiana

Senate Bill 17

Codified as: Indiana Code, Title 24, Article 4, Chapter 23

Regulation overview: Requires an operator of adult oriented website that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Operators of adult oriented websites - these are persons who operate publicly accessible websites that publish material harmful to minors, if at least one-third of the images and videos published on the website depict material harmful to minors.

Core requirements include:

1. Not to retain any identifying information on the individual after performing age verification and after access has been granted to the material.

2. Implement reasonable age verification method through the use of:

• A mobile credential; or
• Verification through an independent, third-party verification service regularly used for age and identity verification that compares the personal information against information contained in the database(s);
• Any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: Senate Bill 17

Status: Applies from July 1, 2024, however the law's applicability was blocked by the Court

Exemptions, if any: Does not apply to:

• Newspaper or news service that publishes news through a website;
• Cloud service provider
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

Either

• actual damages;
• damages up to $5,000;
• Injunctive relief,

and

• Court costs, reasonable attorney’s fees, and other litigations costs

How is it enforced: Private right of action or by Attorney General

Idaho

House Bill 498

Codified as: Idaho Code, Title 24, Article 4, Chapter 23

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
Implement reasonable age verification method through the use of:

• A digitized identification card or
• A system that allows to verify the age through the government-issued identification or any commercially reasonable method that relies on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: House Bill 498

Status: Applies from July 1, 2024

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• Statutory damages starting from $10,000
• Injunctive relief, and
• Court costs, reasonable attorney’s fees, and other litigations costs

How is it enforced: Private right of action.

Tennessee

Senate Bill 1792

Codified as: Tennessee Code, Title 39, Chapter 17, Part 9, Section 39-17-912

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
1. Not to retain any personally identifying information on the individual after performing age verification and after access has been granted to the material.

2. Implement reasonable age verification method for by applying:

• The matching of a photograph made on the device through which the user attempts to access material harmful to minors against the photograph on a valid government-issued identity document;
• A system that allows to verify the age through the public or private transactional data (for example, mortgage records, educational records, or employment records).

3. If the user's access to materials harmful to minors lasts longer than 60 minutes, the age verification needs to be performed at least once every 60 minutes.

Link: Senate Bill 1792

Status: Applies from January 1, 2025

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any violation of this act shall be considered as a Class C felony, which may lead to the following sanctions:

• Terms of imprisonment ranging from 3 to 15 years;
• Fines not exceeding $10,000;
• Where the fine for the breach of this law is imposed on a corporation, the amount of fine is increased to no more than $250,000.

How is it enforced: Attorney General and private right of action

South Carolina

House Bill 3424

Codified as: South Carolina Code, Title 37, Chapter 1, Section 37-1-310

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
Implement reasonable age verification method through the use of:

• A digitized identification card;
• Independent, third-party age verification services used by businesses for age and identity verification;
• Other commercially reasonable methods that rely on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: House Bill 3424

Status: Applies from May 21, 2024

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any business that is found to violate this act may be subject to injunctive and other equitable relief.

How is it enforced: Attorney General

Oklahoma

Senate Bill 1959

Codified as: Oklahoma Statutes, Title 15, Section 791

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
Implement reasonable age verification method through the use of:

• A digitized identification card;
• Independent, third-party age verification services used by businesses for age and identity verification;
• Other commercially reasonable methods that rely on public or private transactional data (for example, mortgage records, educational records, or employment records).

Link: Senate Bill 1959

Status: Applies from November 1, 2024

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• Actual damages
• Court costs, reasonable attorney’s fees, and other litigations costs
• Injunctive and other equitable relief.

How is it enforced: Attorney General or private right of action

Kansas

Senate Bill 394

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
Implement reasonable age verification method through the use of:

• A database that is used by businesses for age and identity verification;
• Other commercially reasonable method of age and identity verification.

Link: Senate Bill 394

Status: Applies from July 1, 2024

Exemptions, if any: Does not apply to internet service providers or interactive computer services

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• Actual damages
• Court costs, reasonable attorney’s fees, and other litigations costs
• Statutory damages not less than $50,000

How is it enforced: Private right of action

Florida

House Bill 3

Codified as: Florida Statutes, Title XXXIII, Chapter 501, Sections 501.1736-501.1738

Regulation overview: This law contains two lines of requirements. Firstly, it requires a social media platform to prevent a minor, who is below 14 years of age, from being an account holder on the social media platform and delete all personal information held relating to such accounts.

Secondly, it requires commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Social media platforms - means an online forum, website, or application that:

• Allows users to upload or view the content or activity of others;
• Has 10% or more of daily users who are below age of 16 and who spend on average 2hours/day on such a platform duirng previous 12 months period;
• Employs algorithms to analyze user data to select content for users;
• Has other traditional features of social media platforms (which are elaborated upon in this law).

Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
1. For social media platforms to prevent a minors below 14 from creating an account and to delete without retaining any personal data for existing accounts of such minors.

2. For commercial entities Implement reasonable age verification method through the use of anonymous age verification tool which is provided by independent third party business for the purposes of age verification.

Link: House Bill 3

Status: Applies from January 1, 2025

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• Statutory damages up to $50,000 per violation
• Compensation for actual damages up to $10,000
• Court costs, reasonable attorney’s fees, and other litigations costs

How is it enforced: Private right of action

Alabama

House Bill 164

Codified as: Code of Alabama, Title 13A, Chapter 6, Article 11, Section 13A-6-240

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
1. Not to retain any personally identifying information on the individual after performing age verification and after access has been granted to the material.

2. Commercial entities who distribute adult materials through the adult website must obtain written consent of publishing or distributing such materials from every individual depicted on such materials.

3. Commercial entities must implement reasonable age verification method by using any commercially available software that provides reasonable assurances that person accessing the material is 18 years old or older.

4. Commercial entities who are required to use age verification method must display the following notices on landing pages of the adult website on which material hamrful to minors is published:

"ALABAMA HEALTH AND HUMAN SERVICES WARNING: Pornography is potentially biologically addictive, is proven to harm human brain development, desensitizes brain reward circuits, increases conditioned responses, and weakens brain function."
"ALABAMA HEALTH AND HUMAN SERVICES WARNING: Exposure to this content is associated with low self-esteem and body image, eating disorders, impaired brain development, and other emotional and mental illnesses."
"ALABAMA HEALTH AND HUMAN SERVICES WARNING: Pornography increases the demand for prostitution, child exploitation, and child pornography."
"U.S. SUBSTANCE ABUSE AND MENTAL HEALTH SERVICES ADMINISTRATION HELPLINE:
"1-800-662-HELP (4357)
"THIS HELPLINE IS A FREE, CONFIDENTIAL INFORMATION SERVICE (IN ENGLISH OR SPANISH) OPEN 24 HOURS PER DAY, FOR INDIVIDUALS AND FAMILY MEMBERS FACING MENTAL HEALTH OR SUBSTANCE USE DISORDERS. THE SERVICE PROVIDES REFERRAL TO LOCAL TREATMENT FACILITIES, SUPPORT GROUPS, AND COMMUNITY-BASED ORGANIZATIONS."

Link: House Bill 164

Status: Applies from October 1, 2024

Exemptions, if any: Does not apply to:

• News gathering organizations;
• Unless certain criteria are met, internet service providers, its affiliates or subsidiaries, search engines, or cloud services providers (e.g. they create material harmful to minors).

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• Actual damages
• Court costs, reasonable attorney’s fees, and other litigations costs
• Statutory damages not less than $50,000

How is it enforced: Private right of action

Maryland

Maryland Age-Appropriate Design Code Act

Codified as: Maryland Code, Title 14, Subtitle 48

Regulation overview: Requires a commercial entity that knowingly and intentionally publishes or distributes material harmful to minors on the internet from a website that contains a substantial portion of such material to perform a reasonable age verification to verify the age of the individuals attempting to access the material.

Applicability: Commercial entities - these are any legally recognized entities, such as, among others, corporations, limited liability companies, and partnerships.

Core requirements include:
Prior to offering new services to the public, to complete and make available upon request to the Attorney General, the Data Protection Impact Assessment;

• Document any risk of harm to children that arise from the data management practices of the business identified in DPIA and create a plan to mitigate or eliminate such risk before children access the online service;
• Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or alternatively, apply the privacy and data protection measures designed for children to all consumers;
• Provide any privacy information, terms of service, policies, and community standards using clear and concise language suited to the age of children likely to access online services;
• Enforce published terms, policies, and community standards established by businesses, including privacy policies;
• Provide visible, accessible, and responsive tools to help children, or, when relevant, their parents or guardians, exercise their privacy rights and report concerns.

Link: Senate Bill 571

Status: Applies from October 1, 2024

Exemptions, if any: Does not apply to:

• Companies who are subject to the Gramm-Leach-Bliley Act (i.e. federally regulated financial service providers)
• Companies who are subject to the federal Health Information Technology for Economic and Clinical Health Act;
• Companies who are subject to regulations under the Health Insurance Portability and Accountability Act of 1996

Applicable sanctions: Any business that is found to violate this act may be subject to the following:

• Civil penalty of $2,500 per affected child for each negligent violation;
• Civil penalty $7,500 per affected child for each negligent violation

How is it enforced: Division of Consumer Protection of the Office of the Attorney General

3. Actionable insights for your business

Familiarize with laws and regulations

To pave the way for compliance, businesses should first familiarize themselves with the relevant laws and regulations in the regions where they operate. This includes understanding the scope, the specific age thresholds for different types of content, authorized age verification measures, and the penalties for non-compliance. Informed legal counsel can provide valuable guidance in this area.

Assess current practices

It is recommended businesses assess their current practices and identify potential gaps in age verification. This process ranges from reviewing website design and user registration processes to specific content access controls. It’s important to remember that age verification is not a one-size-fits-all solution; what works for one business in one jurisdiction may not work for another.

Apply age verification systems 

Implementing robust age verification systems is a crucial step. These systems can be very different, with simple forms, such as self-declaration, becoming less and less attractive. Meanwhile, more sophisticated methods such as identity verification services have become more suitable for compliance purposes. Even though robust age verification solutions typically require more resources, they offer greater accuracy and reliability, and informed businesses should weigh the costs and benefits of different systems to determine the most suitable option.

Train internal staff

Training internal staff to handle age verification is equally important. Employees should understand the importance of age verification, know how to use the systems in place, and be able to handle any issues that arise, particularly those that are outlined within the applicable laws or regulations. Regular training sessions can help ensure that staff are up-to-date with the latest practices and regulations.

Stay up-to-date

Finally, businesses should always aim to stay up-to-date, which involves regular reviews and updates to their age verification practices. As laws and technologies constantly evolve, businesses need to stay ahead of these changes to remain compliant and efficient. Regular audits can come in handy and help identify any issues early and allow for timely rectification.