Click here to download a PDF of this client alert.

A California jury delivered a landmark verdict on March 25, 2026, awarding approximately $6 million in damages to a woman who alleged that her childhood use of social media platforms operated by Meta and Google contributed to severe depression and anxiety. The case is among the first to hold major technology companies financially accountable at trial for mental health injuries tied to a minor’s use of their products. While the litigation focused on product liability and negligence theories, its implications extend directly to the realm of privacy law compliance, particularly for any business that collects, processes or monetizes the data of users under 18.

This verdict arrives at a moment when the regulatory landscape for children’s privacy is shifting rapidly. The federal Children’s Online Privacy Protection Act (COPPA) remains foundational, but a growing patchwork of state laws has started to emerge with the introduction of Age-Appropriate Design Code (“AADC”) laws. Five states (California, Maryland, Nebraska, South Carolina and Vermont) have now passed AADC laws that push online services to exercise “reasonable care” to prevent specific harms to minors, with South Carolina being the most recent to do so. These statutes are imposing additional obligations on the collection and use of minors’ data that many businesses are only beginning to understand.

For companies operating digital platforms, apps, games or any online service that may collect data from users under 18, the legal exposure is no longer theoretical. Minors’ privacy is now squarely on the regulatory agenda, and private litigation has emerged as a credible enforcement mechanism. Verdicts like this one can be expected to encourage additional suits.

One of the most pressing compliance challenges this verdict highlights is the need for robust age verification strategies. Businesses can no longer rely on a simple checkbox asking users to confirm they are over 13 or over 18. Regulators and courts are scrutinizing whether age-verification mechanisms are genuinely effective or merely performative. Companies should be evaluating the full spectrum of age assurance technologies and understanding the legal requirements that apply in each jurisdiction where they operate, as the standards vary significantly from state to state and continue to evolve.

Kutak Rock’s privacy and data security team has been tracking these developments closely and advising clients on how to adapt their compliance programs in real time. We help clients across industries from e-commerce to digital advertising to navigate these risks before they become crises.

If your organization collects or may collect data from users under 18, we encourage you to reach out. Whether you need a comprehensive compliance audit or guidance on a specific product launch, our privacy and data security attorneys are ready to help. Contact members of the firm’s Privacy and Data Security team with any questions.