Effective February 5, 2026, South Carolina enacted HB 3431 imposing new obligations on certain online services reasonably likely to be accessed by minors. The law took effect immediately upon the governor's signature, with no phase-in period, and does not provide an express grace (cure) period. Most significantly, the new law applies to minors under 18 years of age, which raises the age of a “minor” set forth by the federal Children's Online Privacy Protection Act (COPPA).

Who Is Covered

The law applies to a "covered online service" doing business in South Carolina that is reasonably likely to be accessed by minors and meets one or more thresholds, including:

• >$25M annual gross revenue
• Buying/receiving/selling/sharing personal data of 50,000+ consumers/households/devices
• Deriving 50%+ of revenue from selling/sharing personal data

Importantly, the law defined a minor as “a consumer who is less than eighteen years of age.”

A service is "reasonably likely to be accessed by minors" under two distinct triggers. First, where an individual is "known to be a minor," the service must treat that individual as a minor. Second, where the service is "directed to children" under COPPA, the service must treat all users as minors unless it has actual knowledge a particular user is not a minor. The statute defines "known to be a minor" to include actual knowledge and all inferences the service has attributed or associated with the individual for any purpose, including marketing, advertising, or product development.

Key Requirements

Covered online services must implement a set of safety-by-design and privacy controls, including:

1. Reasonable care duty. Services must exercise reasonable care in the design and operation of the service and the use of minors' personal data to prevent enumerated harms to minors. This includes compulsive usage (defined as persistent and repetitive use that substantially limits major life activities such as sleeping, eating, learning, or communicating), severe psychological harm or emotional distress, privacy intrusions, identity theft, discrimination, and material financial or physical injury.

2. User tools to limit features and exposure. Services must provide accessible tools to all users to limit or disable certain product and engagement features. This includes defined "covered design features," such as infinite scroll, autoplay, gamification, engagement metrics, push notifications, in-game purchases, and appearance-altering features. The tools must also allow users to control account visibility, contact from non-connected accounts, engagement counts, profile indexing by search engines, and location visibility. Where the service knows a user is a minor, these safeguards must be enabled by default.

3. Personalized recommendations. Services must offer an option to opt out of personalized recommendation systems (with an exception for optimizations based on expressed preferences) and make the opt-out default for known minors.

4. Data minimization, retention, and ads limitations. The law includes minors-focused data minimization and retention limitations and a prohibition on facilitating targeted advertising to minors. It also restricts default collection of precise geolocation for minors (absent necessity) and requires certain notice and controls around notifications during specified night and school-hour windows for known minors.

5. Parental controls. Services must provide parental tools (default-on for known minors) to manage settings, restrict purchases/transactions, and set time-of-day and total-usage limits, with notice to the minor when controls are active.

6. Reporting, dark patterns, and disclosures. The act requires reporting mechanisms for imminent threats, restricts certain categories of ads directed to known minors, prohibits "dark patterns," and requires disclosures about recommendation systems and available controls.

7. Annual independent audit report. By July 1 each year, covered services must publish an independent audit report and submit it to the South Carolina attorney general for public posting. Given the absence of any phase-in period, the first reports are presumably due July 1, 2026.

Enforcement and Exposure

The South Carolina attorney general enforces the statute and may seek treble financial damages for violations. Officers and employees may be held personally liable for willful and wanton violations. Notably, the prohibition on dark patterns is also an unlawful trade practice under the South Carolina Unfair Trade Practices Act (SCUTPA), which may create private litigation exposure in addition to attorney general enforcement.

Practical Next Steps for Businesses

• Confirm whether your service is "reasonably likely" to be accessed by minors under either trigger (known minor or COPPA "directed to children" standard) and whether the coverage thresholds are met.
• Inventory product features implicated by the statute (e.g., recommendations, feeds, notifications, engagement mechanics).
• Implement default-on protections for known minors, validate adtech configurations, update disclosures, and stand up an audit workplan ahead of the July 1 reporting cycle.

We strongly urge businesses to prioritize compliance review given the law's immediate effective date, the absence of an express cure period, and exposure to both AG enforcement and potential private litigation on dark patterns.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.