Growing up fast: An update on the global regulation of children's data
Each year, Freshfields publishes its Data Law Trends report – a forward-looking guide to the forces reshaping how businesses manage data, AI and digital risk globally.
Last October, our latest Data Law Trends report argued that businesses needed to rethink how they approached young people's data. Our report mapped a fast-moving global landscape with laws such as the UK Online Safety Act, EU Digital Services Act (DSA) and a patchwork of US state legislation bringing in new rules such as age assurance and content moderation regimes.
We predicted 2026 would see businesses facing growing enforcement and regulatory divergence and that the global legal tapestry would get more complicated as broad-based support to improve the online experience of children continued to drive change. Now halfway through 2026, every one of those trends has intensified.
This update outlines some key developments since our report nine months ago, how the direction of travel is becoming increasingly clear and why a convergence of intent and divergence of regulation around the world is making the regulation of children’s data one of the defining compliance challenges of the digital economy.
The EU: trending as predicted – and potentially further still
In the EU, DSA enforcement picked up pace and the Commission has opened several investigations into child safety and is in "full enforcement mode” regarding child protection online.
In early 2026, the European Commission established a dedicated expert panel to advise on banning social media access for children, which recently reported. Following the report, it is expected that the Commission will propose a bloc-wide under-13 social media ban and controls on use by older children this year, building on momentum from several member states that have already moved toward restricting children's access.
This sits alongside the forthcoming Digital Fairness Act, which aims to tackle various consumer protection issues, including manipulative design practices – so-called dark patterns – and addictive features in digital products. Children are a central concern. The combination of content regulation under the DSA, the push toward harmonized age verification, and now the prospect of outright age-based access restrictions means the compliance landscape for platforms operating in the EU is becoming significantly more demanding.
Meanwhile, the working group of national regulators that enforce EU data protection law has identified protecting children’s data as a strategic priority and it is working on new guidance.
For businesses, the message is that the EU is layering obligations – and each new layer adds cost, complexity and enforcement risk.
The US picture: just as active, and ever more fragmented.
At the federal level, updated Children's Online Privacy Protection Act (COPPA) rules came into force in 2025 with most rules having compliance deadlines that took effect in April 2026, bringing meaningful changes that affect a wide range of businesses.
Federal regulators are also being proactive, with the Federal Trade Commission’s (FTC) Strategic Plan for 2026-2030 stating that protecting children online is a “key concern” and a place where the FTC is focusing its efforts. There's a new federal dimension too: the FTC began enforcing the TAKE IT DOWN Act on 19 May 2026, which creates civil liability for platforms that fail to remove non-consensual intimate imagery, including those generated with AI.
New federal rules and focus set a stronger baseline in terms of protecting children – but states are moving faster. An ever-growing list of state laws such as Maryland's Age-Appropriate Design Code, California's Age-Appropriate Design Code Act and laws in Utah, Texas, Florida and New York each add their own obligations for platforms and services that children may interact with.
States, such as Minnesota and South Carolina, have also enacted further social media laws intended to protect minors or – as in the case of Georgia, Washington and Oregon – have moved to regulate AI-powered conversational agents with targeted protections for young people.
Companies operating nationally need a strategy that maps and manages the full state-level patchwork.
The UK: the Online Safety Act continues its phased rollout
The UK’s online safety regulator, Ofcom, has now begun issuing its first fines for non-compliance, and the government has imposed further duties on platforms and taken additional powers that will allow it to quickly impose further child protection measures.
The UK is now planning to go further and introduce an outright ban on children's access to various social media for under-16s and other restrictions and protections for child users up to the age of 18.
The regulatory direction is clear: the UK intends to be the safest place for children online.
The global picture: regimes protecting children online are maturing fast
What's striking across all three regions – and indeed globally, with Australia's social media ban and Brazil’s Digital Statute of the Child and Adolescent now in force – is the sheer breadth and speed of regulatory action. Twenty-seven privacy authorities worldwide recently completed a coordinated privacy sweep, which focused on the protection of children’s privacy on websites and mobile applications frequently used by children.
There is often convergence of intent among policymakers, even where the legal tools differ. Governments around the world have concluded that the status quo isn't working for children online – and they're prepared to impose real costs on businesses to change it.
For companies with younger users – or whose services are simply accessible to younger users – this is no longer a niche compliance issue. It touches product design, data architecture, content moderation, AI deployment and marketing strategy.
Our original chapter set out the strategic challenge for navigating this complexity – and several months on, it remains essential reading and our core predictions of escalating enforcement action and of growing regulatory divergence and complexity for businesses have been borne out. The pace has quickened, the obligations have grown, but the core insights still hold.
You'll find the full Data Law Trends report on the Freshfields website – and our team is ready to help you put it into practice.
The themes explored in this blog are continuing to evolve rapidly and are likely to feature prominently in the conversations leading into the next edition of our Data Law Trends report later this year.
