Roku’s $25 Million Florida Settlement Signals the Rising Wrath of State AG Privacy Enforcement on Children’s Data

At first glance, it looks like a cooperative win-win. But beneath the surface lies a much larger story: state attorneys general across the political spectrum are increasingly wielding their enforcement powers against major technology and streaming companies over how they handle children’s personal data — and the data brokers that help them do it.

“This resolution ensures that meaningful safeguards will be implemented to protect the privacy and personal data for all children. We appreciate Roku’s cooperation in working toward a solution that provides tools for parents to decide how their children’s data are used.”
— Florida Attorney General James Uthmeier

The Roku Case: What Actually Happened

The Florida Attorney General’s Office of Parental Rights filed suit against Roku in Collier County Circuit Court in October 2025. The complaint alleged that Roku violated the Florida Digital Bill of Rights (FDBR) and the Florida Deceptive and Unfair Trade Practices Act by:

• Failing to perform adequate age verification, thereby avoiding “actual knowledge” that children were using the platform and sidestepping consent requirements for minors’ data.
• Selling, sharing, or processing children’s sensitive personal data without proper parental consent or authorization.
• Partnering with third-party data brokers in ways that allegedly helped the company circumvent Florida law.
• Failing to provide effective parental consent mechanisms, clear privacy disclosures, and functional opt-out tools.

Under the settlement, Roku will begin implementing enhanced child protection features immediately, with full nationwide deployment expected within 12 months. The company emphasized its existing protections and commitment to parental choice.

Florida Digital Bill of Rights: Why Children’s Data Is Treated Differently

Enacted in 2023 and effective in 2024, the FDBR is notable for its strong protections for minors. Key provisions include:

• Sensitive data definition explicitly includes any personal data collected from a known child under 18.
• Controllers generally must obtain affirmative authorization before processing or selling sensitive data of known children (with COPPA-like rules for under 13 and stronger consent expectations for 13–17).
• Special rules for “online platforms” (social media, games, streaming features likely accessed by children) that prohibit processing that could cause “substantial harm or privacy risk” to children — including mental health harms, addiction, bullying, and exploitation.
• Penalties tripled (up to $150,000 per violation) when the violation involves a known child under 18.
• Data minimization and profiling restrictions apply more strictly to children’s data.

The Roku case is widely viewed as the first major public enforcement action under the FDBR’s children’s provisions. It sends a clear signal that Florida intends to treat inadequate age verification and data broker workarounds as serious compliance failures.

The National Picture: A Coordinated “Wrath” of AG Enforcement

Florida is far from alone. 2025 and early 2026 have seen an unprecedented wave of state attorney general privacy enforcement actions targeting children’s data, streaming services, gaming apps, ed-tech platforms, and data brokers. Here are some of the most significant examples:

California: Streaming, Gaming, and Data Broker Crackdowns

California AG Rob Bonta has been particularly active:

• Sling TV (2025): $530,000 settlement — first enforcement from a sweep of streaming services. Allegations centered on failure to obtain required authorization before selling or sharing personal information of consumers under 16.
• Jam City (2025): $1.4 million settlement over sharing personal information of users aged 13–16 without affirmative opt-in consent.
• Tilting Point Media: $500,000 settlement involving a children’s mobile game that collected and sold kids’ data without proper parental consent due to flawed age screens and SDK configurations.
• CalPrivacy (CPPA) launched a dedicated Data Broker Enforcement Strike Force in late 2025 and has pursued aggressive registration and compliance actions under the Delete Act, including forcing at least one non-compliant broker to shut down operations.

Texas and Multi-State Actions

Texas AG Ken Paxton has secured massive settlements involving location tracking and automatic content recognition (ACR) on smart TVs — practices that often intersect with children’s viewing data. Texas has also ramped up enforcement of its Data Broker Act registration requirements.

In November 2025, California, Connecticut, and New York jointly announced a $5.1 million settlement with ed-tech provider Illuminate Education over failures to protect sensitive student data following a breach.

Other Notable Actions

• Connecticut’s first CTDPA enforcement action: an $85,000 settlement with TicketNetwork over unreadable privacy notices and broken opt-out mechanisms.
• Michigan AG action against a media streaming provider alleging collection and use of children’s data without parental consent despite child-directed content on the platform.
• Utah lawsuit against Snap involving collection and disclosure of known children’s personal data without verifiable parental consent.

Why This Wave Is Happening Now

Several factors are converging:

1. Regulatory Patchwork Maturity: States that passed comprehensive or children-focused privacy laws in 2023–2024 now have enforcement infrastructure and political will.
2. Political Bipartisanship: Both Democratic and Republican AGs are prioritizing children’s online safety and data protection — a rare area of alignment.
3. Data Broker Scrutiny: The Delete Act in California and similar registration regimes elsewhere have made brokers a high-priority target. Companies that route children’s data through brokers are increasingly exposed.
4. Consumer and Parent Pressure: High-profile incidents and growing awareness have made these cases politically popular.
5. Lack of Federal Action: With no comprehensive federal privacy law or updated COPPA in sight, states are filling the vacuum aggressively.

Compliance Takeaways for Streaming, App, and Data Companies

The Roku settlement and its counterparts offer clear lessons:

• Age verification is now table stakes for any service likely to be used by minors. “We didn’t know” defenses are losing credibility when child-directed content or features exist.
• Data broker relationships require rigorous contractual controls and due diligence. Simply passing data downstream no longer insulates a company from liability.
• Parental consent and control mechanisms must be prominent, functional, and easy to use — not buried in settings.
• Data minimization and purpose limitation for children’s data are being enforced, not just recommended.
• Proactive privacy assessments and documentation of “substantial harm or privacy risk” analyses (especially under laws like Florida’s) are becoming essential.
• Engineering investment is the new normal. Settlements are increasingly requiring concrete product changes measured in millions of dollars rather than (or in addition to) fines.

Roku Data Privacy Settlement in Florida

The Roku resolution is not an outlier — it is a harbinger. State attorneys general have discovered that aggressive enforcement on children’s privacy resonates with parents across the political spectrum, costs companies real money in compliance upgrades, and generates significant headlines. Companies that treat age verification, parental controls, and data broker oversight as checkbox exercises do so at their peril.

For privacy, compliance, and legal teams at streaming platforms, connected TV manufacturers, gaming companies, ed-tech providers, and any business that touches minors’ data, the message is unambiguous: the era of lax enforcement is over. The states are serious, coordinated, and increasingly sophisticated.