Texas has never been known for light regulatory touches, and its latest move in the data privacy space is no exception. The Securing Children Online through Parental Empowerment Act — better known as the SCOPE Act — builds on the state’s existing privacy framework and pushes into territory that few U.S. states have been willing to go. For anyone who collects, processes, or profits from personal data, understanding what Texas is doing here matters well beyond the state’s borders.
What the SCOPE Act Actually Does
At its core, the SCOPE Act targets the relationship between digital platforms and minors. It requires operators of digital services — social media platforms in particular — to obtain verifiable parental consent before collecting personal data from users under 18, and prohibits those platforms from using targeted advertising directed at minors. It also mandates that platforms provide parents with tools to monitor and control their child’s account activity, and bars design features that are intended to be addictive or that encourage excessive use by younger users.
The law places affirmative obligations on businesses, not just restrictions. Covered entities must implement and maintain a privacy-protective default setting for any minor user, meaning that the most data-protective configuration must be the out-of-the-box experience — not something a parent has to hunt through a settings menu to find.
Enforcement sits with the Texas Attorney General’s office, which can pursue civil penalties of up to $10,000 per violation, with each individual instance of noncompliance counting as a separate violation. For platforms operating at scale, that math gets uncomfortable quickly.
This Didn’t Come Out of Nowhere — Texas Already Had a Framework
To understand the SCOPE Act, it helps to know where Texas was before it. The Texas Data Privacy and Security Act (TDPSA), which took effect in July 2024, established a comprehensive privacy baseline for the state. It covers any business that processes personal data of Texas residents and meets certain thresholds, granting consumers rights to access, correct, delete, and opt out of the sale of their data or its use in targeted advertising.
The TDPSA was already more expansive than many people realized. Unlike California’s law, it doesn’t have a revenue threshold — meaning smaller businesses that handle significant volumes of personal data can still fall under its scope. It also includes a data protection assessment requirement for high-risk processing activities, which puts it closer to the GDPR’s accountability model than most U.S. state laws.
The SCOPE Act layers on top of that foundation, specifically addressing the gap that the TDPSA — like most general privacy laws — left around children and adolescents. Where the TDPSA is broadly about consumer rights, the SCOPE Act is about proactive protection for a specific population considered especially vulnerable to data exploitation.
How Texas Stacks Up Against the Rest of the Country
The U.S. privacy landscape has been fragmenting steadily for years, with each new state law adding its own twist to an increasingly complex patchwork. Texas is now among the more aggressive actors in that space.
California set the template. The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), gives consumers rights over their data and created the California Privacy Protection Agency — the first dedicated state privacy enforcement body in the country. California also passed its own children’s privacy law, the Age-Appropriate Design Code, which shares DNA with the SCOPE Act’s philosophy around default protections and design standards. California’s law, however, covers children under 18 with a risk-based design framework rather than a strict parental consent model, and has faced its own legal challenges over First Amendment concerns.
Colorado, Virginia, and Connecticut all passed comprehensive privacy laws within roughly the same window and share a common architecture: consumer rights to access and delete, opt-out rights for targeted advertising and data sales, and data protection assessments for sensitive processing. Virginia’s Consumer Data Protection Act (VCDPA) is notably business-friendly in its structure — it doesn’t have a private right of action, meaning only the Attorney General can bring enforcement cases. Colorado and Connecticut both followed suit on that point, though Colorado’s law includes a rulemaking process through the Attorney General’s office that has produced some of the more detailed implementing regulations in the country.
None of these states have gone as far as Texas on the minor-specific protections embedded in the SCOPE Act. Most treat minors as a subset of consumers with some heightened sensitivity, rather than building an entirely separate affirmative-consent and design-obligation framework around them.
The GDPR remains the global benchmark against which every U.S. state law gets measured, and the gap is still significant. The GDPR’s Article 8 addresses children’s consent — requiring member states to set a consent age between 13 and 16 for information society services, with parental authorization required below that threshold. More broadly, the GDPR’s principles of data minimization, purpose limitation, and privacy by design are built into the regulation’s DNA in a way that U.S. laws have only partially replicated. The SCOPE Act’s default-protective-settings requirement is one of the clearest nods to GDPR-style privacy by design in any U.S. children’s privacy law to date.
What the GDPR has that virtually no U.S. state law matches is teeth. Fines under the GDPR can reach €20 million or 4% of global annual turnover — whichever is higher. Texas’s per-violation structure is serious for a state law, but it doesn’t approach that scale for a large platform.
Where Violations Are Most Likely to Surface
Based on the law’s structure, the areas of highest compliance risk aren’t always the ones businesses expect.
The age verification and parental consent requirements are the most visible obligations, but they’re also where practical implementation gets complicated fast. There is no federally standardized method for verifying a user’s age, and the methods that do exist — ID verification, credit card checks, third-party services — carry their own privacy tradeoffs. A business that collects more data to verify age may inadvertently create new compliance exposure under the TDPSA or COPPA in the process.
The design prohibition is subtler but potentially broader. Banning features “intended to be addictive” requires regulators to make judgments about design intent, which is both legally complex and difficult for businesses to self-assess. Companies that have relied on engagement-maximizing features — infinite scroll, push notifications, streak mechanics — will need to evaluate whether those features are defensible when applied to a user base that includes minors.
The default settings requirement is where many platforms will find the steepest operational lift. Configuring systems so that privacy-protective defaults apply automatically to minor accounts — rather than being available as an opt-in — often requires significant backend work, particularly for platforms that weren’t built with age-differentiated account types in mind.
What This Means for the Broader Privacy Conversation
Texas passing the SCOPE Act — and doing so on top of an already substantive general privacy law — signals something important about where U.S. data privacy regulation is heading. The question is no longer whether states will regulate data privacy. The question is how detailed, how enforceable, and how costly those regulations will become.
The absence of a federal privacy law continues to be the defining structural problem. Businesses operating nationally face genuinely different legal obligations in California, Texas, Colorado, Virginia, and Connecticut — and those differences are not trivial. Each law has its own definitions, thresholds, consumer rights, and enforcement mechanisms. Building a compliance program that satisfies all of them requires either significant legal investment or the practical decision to simply comply with the strictest applicable standard everywhere.
For many organizations, that second option — build to the highest bar — is becoming the more rational choice. It reduces complexity, simplifies vendor management, and positions the business more defensibly if a new state law or a federal framework raises the floor.
The SCOPE Act raises the floor in Texas. And in a state with 30 million residents and a GDP larger than most countries, what Texas does tends to get noticed.
