While federal children’s privacy legislation remains stalled, state attorneys general are proving they do not need new laws to take meaningful action. The latest wave of enforcement actions makes one thing clear: regulators are aggressively using existing tools under COPPA and state privacy statutes to target companies that fail to properly notice parents, obtain consent, or maintain real safeguards for minors.
This is not theoretical risk. Recent cases against Snap, Roku, Sling TV, Character.AI, and Jam City show that state enforcers are looking closely at how companies actually behave — not just what their privacy policies say.
Knowledge is being established through circumstantial evidence
One of the most important takeaways from these actions is how state AGs are proving that a company “knew” or “should have known” it was dealing with minors. They are not relying solely on direct admissions. Instead, they are pointing to child-directed content, “Kids & Family” sections, parental control features, age-gating tools, and targeted advertising that pushes kids’ content to users who previously engaged with it.
In the Roku cases in Michigan and Florida, for example, the presence of kids’ screensavers, kids’ theme packs, and dedicated kids’ content sections was used to argue that the company had actual or constructive knowledge that minors were using the platform. Similar logic appears in the Sling TV case in California. Companies that create features or content categories clearly aimed at children should assume enforcers will treat those features as strong evidence of knowledge.
Consent failures remain the easiest target
Across multiple states, the core allegation is straightforward: companies collected and processed minors’ personal data — sometimes sensitive data like geolocation or biometrics — without providing proper notice to parents or obtaining verifiable parental consent. This includes sharing data with third parties for advertising and product development.
These cases serve as a reminder that the baseline requirements under COPPA and many state laws have not changed. If your product or service is directed to children, or if you have actual or constructive knowledge that minors are using it, you generally need parental notice and consent before collecting personal information. Many of the recent complaints allege companies simply skipped this step entirely.
Having safeguards is not enough — they must actually work and be maintained
Perhaps the most practical lesson from these enforcement actions is that good design on paper is meaningless if it is not properly implemented and maintained. The California case against Jam City is particularly instructive. The company had created a “kid’s version” of its apps with stronger privacy protections, but allegedly failed to maintain those protections across several apps. As a result, users between 13 and 16 were able to access features that should have been restricted, leading to improper data collection.
The settlement required not only better age-screening tools going forward, but also deletion of previously collected data and notification to third parties. The message is clear: implementing privacy-by-default settings or age-gating mechanisms creates an obligation to keep those systems functioning as intended. “Set it and forget it” is no longer a viable strategy.
Any organization with a mixed-audience platform, child-adjacent features, or content that could reasonably appeal to minors should treat these cases as a warning. State enforcers are increasingly willing to connect the dots between the features you offer and the conclusion that you knew — or should have known — children were using your service.
Key areas to examine include:
- Whether child-directed content, sections, or features could be used to establish knowledge.
- Whether age-gating and parental control tools are accurate, functional, and consistently applied.
- Whether data collection and sharing practices for known or likely minors meet notice and consent requirements.
- Whether safeguards that were designed to protect minors are actually being maintained over time.
The enforcement trend also highlights the growing compliance burden created by inconsistent state standards. Different states are applying varying knowledge thresholds and consent requirements. This fragmentation increases risk for any company operating nationally.
State attorneys general have shown they are willing and able to bring significant enforcement actions using existing authority while federal legislation stalls. The cases are not limited to obvious bad actors. They target companies that failed to properly design, implement, or maintain basic protections for minors.
Companies that treat children’s privacy compliance as a one-time checkbox exercise are exposing themselves to real regulatory risk. The expectation now is continuous attention — accurate knowledge assessments, functioning safeguards, proper notice and consent flows, and ongoing maintenance of whatever protections you put in place.
Those that have not yet stress-tested their current practices against the standards emerging from these enforcement actions should do so promptly. The cost of getting this wrong is no longer theoretical.