South Carolina’s Social Media Regulation Act Is Now in Effect: What Companies Must Do Now

South Carolina has enacted one of the most comprehensive youth design and privacy laws in the United States and it is effective immediately.

On February 5, 2026 the Governor signed the South Carolina Social Media Regulation Act, which adds a new Age-Appropriate Code Design (AADC) chapter to the state’s consumer protection laws. The statute imposes sweeping design, data, and governance obligations on online services reasonably likely to be accessed by minors under 18.

There is no grace period, no right to cure, and significant financial and personal liability for non-compliance.

For companies already navigating children’s codes in the UK, California, Maryland, Nebraska, and Vermont, South Carolina further intensifies an already complex and fast-moving compliance landscape.

What Does the South Carolina Social Media Regulation Act Do?

The law requires covered online services to proactively design their products and data practices to protect minors’ privacy, safety, and well being by default.

Unlike laws focused on parental consent or age gates, South Carolina’s framework regulates:

• Product and interface design
• Default settings
• Personalization and algorithms
• Data minimization
• Advertising and profiling
• Parental controls and reporting mechanisms
• Independent public audits

The statute applies to websites, applications, and AI-powered services that meet its applicability thresholds.

Who Is Covered?

A company is a “covered online service” if it:

• Conducts business in South Carolina
• Is reasonably likely to be accessed by minors under 18
• Determines the purposes and means of processing personal data
• Meets at least one size threshold (e.g., $25M+ annual revenue, 50,000+ users or data records, or derives 50%+ of revenue from selling or sharing personal data)

A service is considered “reasonably likely to be accessed by a minor” if:

• The company has actual knowledge (including inferred or attributed age) that a user is under 18, or
• The service is directed to children under COPPA

If your company personalizes content, uses recommendation algorithms, tracks engagement, infers age, or designs features that appeal to younger users, this law likely applies.

Core Compliance Obligations (What Companies Must Implement)

South Carolina’s law is operational by design. Compliance requires changes across product, engineering, privacy, and governance, not just legal review.

1. Duty of Care in Design and Data Use

Covered services must exercise reasonable care in:

• How minors’ personal data is processed
• How design features affect minors’ behavior and wellbeing

The law explicitly targets covered design features, including infinite scroll, autoplay, gamification, engagement metrics, notifications, in-game purchases, and appearance-altering filters.

2. Protective Defaults and Youth Controls

Services must provide easy-to-use tools to:

• Disable unnecessary design features
• Limit time spent on the service
• Restrict purchases and financial transactions
• Block messages, reactions, and contact from non-connected accounts
• Restrict profile visibility, engagement metrics, search indexing, and location sharing

When a user is known to be a minor, these safeguards must be enabled by default at the highest level of protection.

3. Personalized Recommendation Systems

Users must be able to opt out of personalized recommendation systems. For minors, this must be the default. Only recommendations based on a user’s expressed preferences, not inferred behavior or time spent, may remain enabled.

4. Data Minimization and Retention Limits

Covered services may only:

• Collect and use minors’ data necessary to provide the requested service
• Retain data for as long as needed for that purpose

Data used for age verification or estimation cannot be repurposed and must be deleted after use.

5. Advertising, Profiling, and Dark Patterns

Covered services may not:

• Facilitate targeted advertising to minors
• Profile users known to be minors (with narrow exceptions)
• Use dark patterns that impair user autonomy

Dark pattern violations are enforceable under South Carolina’s Unfair Trade Practices Act, creating private litigation exposure.

6. Time-Based Restrictions and Notifications

Services must offer tools to block notifications and alerts:

• Between 10 p.m. and 6 a.m., year-round
• During school hours (8 a.m.–3 p.m., August–May)

7. Parental Tools and Transparency

Covered services must provide parents with tools, enabled by default, to:

• Manage privacy and account settings
• Restrict purchases
• View total usage time
• Limit access by day and time

Minors must be notified when parental monitoring tools are in effect.

8. Reporting and Public Disclosures

Companies must:

• Provide mechanisms for parents, minors, and schools to report harm
• Publish clear, prominent disclosures describing youth design protections, privacy safeguards, and parental tools
• Explain how recommendation systems operate and can be controlled

Independent Public Audits: A Significant New Obligation

Starting July 1 each year, covered services must publish a public report prepared by an independent third-party auditor, submitted to the Attorney General and posted publicly.

The audit must cover:

• Youth access risk
• Harm reporting
• Data and sensitive data use
• Design features
• Age verification or estimation methods
• Algorithms and recommendation systems

Preparation for these audits must begin well before July 2026.

Enforcement, Penalties, and Personal Liability

South Carolina’s enforcement provisions are among the most aggressive in the U.S.:

• Enforced by the Attorney General
• Treble damages for violations
• No right to cure
• Personal liability for officers and employees in cases of willful and want on misconduct
• Private lawsuits for dark pattern violations

Will the Law Be Challenged in Court?

Almost certainly. Similar Age-Appropriate Design Code laws in California and Maryland are currently under constitutional challenge. However, South Carolina’s law is in effect today.

Until a court says otherwise, companies are expected to comply. Waiting on litigation is not a viable compliance strategy, particularly given the law’s immediate enforceability and personal liability provisions.

How PRIVO Helps Companies Comply Across Children’s Codes

South Carolina is not an outlier. It is part of a growing global and U.S. patchwork of laws that include:

• The UK Age-Appropriate Design Code
• California, Maryland, Nebraska, and Vermont AADC laws
• Ongoing regulatory and enforcement activity worldwide

PRIVO’s Children’s Code Program helps companies operationalize compliance across jurisdictions by:

• Supporting online services to comply with privacy and safety by design requirements
• Assessing risks and harms created by features and functionality
• Preparing organizations for independent audits and regulatory scrutiny
• Monitoring regulatory developments as new states adopt similar frameworks

PRIVO helps organizations move beyond interpretation to execution.

What Companies Should Do Now

If your service may be accessed by minors:

• Understand whether it is in scope of the South Carolina law
• Assess design features and personalization systems
• Review default settings, notification timing, and data collection and use
• Prepare for public audit and disclosure requirements
• Align legal, product, privacy, trust & safety, and executive teams

South Carolina’s Social Media Regulation Act is in force and more states will follow.

👉 Contact PRIVO to Learn More

To read the full text of the regulation click here.