Children's privacy across US states — heightened protections
Primary statement
Children's privacy operates per multi-state requirements: (1) CCPA — opt-in for sale/sharing for consumers under 16 (1798.120 implications); (2) CTDPA Public Act 24-148 — children-specific amendments effective 1 Oct 2024 / 1 Jul 2026 expansion; (3) MODPA — strict minimisation for children (14-4604); (4) MODPA — data protection assessment for children's processing (14-4607); (5) TDPSA template for children with opt-in for SPI processing including age data. State-level children's protections are the most active 2024-26 amendment area; rules vary materially.
Audit-fatigue payoff
A unified children's privacy programme — age detection / verification + parent/guardian flow + per-state addendum + minimisation + DPA — satisfies children's requirements across all 9 contributing frameworks. The MODPA strict minimisation standard is the audit-defensible ceiling.
Strictness matrix
Scope
Scope: known children's data + actual-knowledge / wilful-disregard standard for age. MODPA strict minimisation applies; collection limited to what is strictly necessary. Most states extend protection to consumers under 13 or under 18 depending on processing type.
Ceiling source: modpa:MD.14-4604
Rationale: MODPA strict minimisation scope for children is the audit-defensible specification.
Threshold
Threshold: STRICTLY NECESSARY data collection only. Sale of children's data prohibited. Targeted advertising to children prohibited or opt-in. The strictly-necessary standard is uniquely strict; other states accept "reasonably necessary".
Ceiling source: modpa:MD.14-4604
Rationale: MODPA § 14-4604 strictly-necessary threshold is the strictest US standard.
Method
Method: (1) age detection / verification mechanism per processing; (2) parent/guardian flow where consent required; (3) strict minimisation (MODPA 14-4604); (4) prohibition on sale of children's data; (5) data protection assessment per MODPA § 14-4607 for children's processing; (6) per-state addendum library; (7) CTDPA Public Act 24-148 specifics from 1 Jul 2026.
Ceiling source: modpa:MD.14-4607
Rationale: MODPA § 14-4607 data protection assessment + § 14-4604 minimisation are the most prescriptive.
Frequency
Data protection assessment per children's processing activity at inception + on material change. Age detection: continuous (per registration / authentication). Per-state addendum review: annual. CTDPA PA 24-148 compliance preparation: by 1 Jul 2026.
Ceiling source: modpa:MD.14-4607
Rationale: Per-activity DPA with continuous age detection is the audit-defensible cadence.
Evidence
Required evidence: (1) children's data inventory; (2) age detection/verification mechanism evidence; (3) parent/guardian consent flow evidence; (4) MODPA strict minimisation analysis per processing activity; (5) data protection assessment per § 14-4607; (6) per-state addendum library (CA, CT, MD, TX, etc.); (7) opt-in for SPI processing including age data (TDPSA).
Ceiling source: modpa:MD.14-4607
Rationale: MODPA § 14-4607 evidence with data protection assessment is uniquely strict for US state-level children's privacy.
Auditor test pattern
Step 1: Inspect the children's data inventory. Step 2: Verify age detection/verification mechanism. Step 3: Inspect parent/guardian consent flow where required. Step 4: For Maryland processing, verify strict minimisation per MODPA. Step 5: Inspect data protection assessments per § 14-4607. Step 6: Inspect per-state addendum library. Step 7: For CTDPA PA 24-148, verify preparation for 1 Jul 2026 requirements.
Common findings
Common 2024–26 findings: (1) Age detection absent — children's data collected without knowing it; (2) MODPA strict minimisation not applied — same minimisation as adult processing; (3) Data protection assessment for children's processing absent; (4) Per-state addendum library missing — single global children's policy applied; (5) CTDPA PA 24-148 preparation not started; (6) Sale of children's data not prohibited at the system level.