South Carolina's Age-Appropriate Design Code Is Now Law — And July Is Coming Fast
Signed on February 5, 2026, South Carolina's Social Media Regulation Act introduces the nation's most aggressive independent audit requirement for online platforms accessible by minors. Here is what makes it different — and what companies offering covered services must do before July 1, 2026.
The wave of state-level children's digital privacy laws keeps building. California started it in 2022 with their age-appropriate design code. Maryland, Nebraska, and Vermont followed with their own variations. Now South Carolina has entered the arena — and in at least one critical dimension, it has gone further than any state before it.
On February 5, 2026, Governor Henry McMaster signed H3431, the South Carolina Social Media Regulation Act, into law as Act No. 96. The law creates Chapter 80 of Title 39 of the South Carolina Code, the Age-Appropriate Code Design (AADC) chapter, and it is already in effect.
One deadline should be flashing red on every compliance calendar: July 1, 2026.
The law's substantive obligations cluster into four pillars:
Notification Restriction Requirements (§ 39-80-40(E))
That matters because the UTPA carries its own independent enforcement mechanisms, civil penalties, and the possibility of attorney fees. Plaintiffs' counsel will notice.
2. Treble Damages and Personal Officer Liability: Most state AACDs set per-child civil penalties ($2,500–$7,500 in California; $50,000 per violation in Nebraska). South Carolina's damages model is structurally different: it multiplies actual financial damages by three. More strikingly, § 39-80-80(C) provides that individual officers and employees may be held personally liable for willful and wanton violations. This is an executive accountability provision with no clear parallel in any other state AADC currently in force. It belongs on the agenda of every board and C-suite review of these obligations.
3. No Grace Period: The law took effect on the date of the Governor's signature, February 5, 2026. There is no phased implementation of the kind Nebraska offered (civil penalties beginning July 2026) or Maryland's staged requirements. All substantive obligations were live the moment the Governor signed. The first independent audit report is due July 1, 2026 — roughly five months after enactment.
Under § 39-80-70(C), covered services are required to provide auditors “full and complete cooperation and access to information and operations” necessary for a comprehensive, accurate report. Scope-limiting or delaying access to auditors could constitute a violation.
Our audit engagements are structured around the law's nine required report elements, with a methodology that satisfies South Carolina's requirement for auditors to 'follow inspection and consultation practices designed to ensure that reports are comprehensive and accurate,' including the statutory mandate to consult with experts on minors' use of covered online services.
Reach out for a consultation.
Are you one of our COPPA Safe Harbor participants? Unlock preferred pricing and a fast-track application process.
The wave of state-level children's digital privacy laws keeps building. California started it in 2022 with their age-appropriate design code. Maryland, Nebraska, and Vermont followed with their own variations. Now South Carolina has entered the arena — and in at least one critical dimension, it has gone further than any state before it.
On February 5, 2026, Governor Henry McMaster signed H3431, the South Carolina Social Media Regulation Act, into law as Act No. 96. The law creates Chapter 80 of Title 39 of the South Carolina Code, the Age-Appropriate Code Design (AADC) chapter, and it is already in effect.
One deadline should be flashing red on every compliance calendar: July 1, 2026.
| February 5, 2026 Signed & Effective immediately |
3X Treble damages for violations |
9 Required audit report elements |
July 1, 2026 Annual independent audit deadline |
What the Law Does
The South Carolina AADC applies to any "covered online service" (broadly defined as platforms and apps that conduct business in South Carolina) that is "reasonably likely to be accessed by minors" and meets at least one of three size thresholds: annual gross revenues exceeding $25 million, processing data of 50,000 or more consumers, or deriving 50% or more of revenue from data sales.The law's substantive obligations cluster into four pillars:
- Design Safety: Covered services must exercise “reasonable care” in design to prevent compulsive usage, psychological harm (including anxiety, depression, self-harm, and suicidal ideation), severe emotional distress, privacy intrusions, identity theft, and discrimination against minors.
- Privacy by Default: All protective settings — limits on geolocation, profiling, targeted advertising, and notification windows — must be activated by default for known minors. The framework is opt-out, not opt-in.
- Parental Controls: Easy-to-use parental tools for managing settings, restricting purchases, viewing usage time, and setting time-of-day limits are required and must themselves be on by default.
- Annual Independent Public Audit: Every covered service must file a public report prepared by an independent third-party auditor with the Attorney General by July 1 of each year. There is no grace period and no cure right for late filing.
The Notification Windows: School Hours and Bedtime
South Carolina's law is unusually specific about when push notifications to known minors are restricted. Covered services must offer the ability to block notifications during the following windows, and these must be the default setting for known minors:Notification Restriction Requirements (§ 39-80-40(E))
- Nightly, year-round: 10:00 PM to 6:00 AM, seven days a week.
- School hours (August through May): 8:00 AM to 3:00 PM, Monday through Friday.
- The statute requires these windows to be calculated in the minor's local time zone, an implementation detail that will require geographic time zone detection for many platforms.
Dark Patterns: A Trade Practices Violation
One of South Carolina's sharpest enforcement teeth is its treatment of dark patterns. The law defines "dark pattern" as any user interface "designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice." Using a dark pattern against a minor is not merely a violation of this chapter, it is expressly designated an unlawful trade practice under South Carolina's Unfair Trade Practices Act (UTPA, § 39-5-20).That matters because the UTPA carries its own independent enforcement mechanisms, civil penalties, and the possibility of attorney fees. Plaintiffs' counsel will notice.
Three Things That Make South Carolina Genuinely Different
1. Public, Not Private: California’s and Maryland's Data Protection Impact Assessment (DPIA) model keeps audit findings internal. South Carolina's model is structurally opposite: the independent auditor's report is submitted to the Attorney General, who is required to post it in a prominent place on the AG website. This means advocacy organizations, plaintiffs' attorneys, journalists, and regulators in other states can all read it. Precision and defensibility in the audit report matter in ways internal DPIAs do not require.2. Treble Damages and Personal Officer Liability: Most state AACDs set per-child civil penalties ($2,500–$7,500 in California; $50,000 per violation in Nebraska). South Carolina's damages model is structurally different: it multiplies actual financial damages by three. More strikingly, § 39-80-80(C) provides that individual officers and employees may be held personally liable for willful and wanton violations. This is an executive accountability provision with no clear parallel in any other state AADC currently in force. It belongs on the agenda of every board and C-suite review of these obligations.
3. No Grace Period: The law took effect on the date of the Governor's signature, February 5, 2026. There is no phased implementation of the kind Nebraska offered (civil penalties beginning July 2026) or Maryland's staged requirements. All substantive obligations were live the moment the Governor signed. The first independent audit report is due July 1, 2026 — roughly five months after enactment.
The Timeline
The law was signed February 5, 2026. The first independent audit report is due to the Attorney General by July 1, 2026. For platforms that have not started, that window is shrinking and the auditor must be retained, given full access to operations, and their report finalized before that date.Under § 39-80-70(C), covered services are required to provide auditors “full and complete cooperation and access to information and operations” necessary for a comprehensive, accurate report. Scope-limiting or delaying access to auditors could constitute a violation.
How BBB National Programs Can Help
BBB National Programs has built its practice around the intersection of technology design, data governance, and children's digital privacy, which is the exact overlap that the South Carolina AADC puts under the microscope. We provide the independent third-party audit services that § 39-80-70 requires, with deep expertise in minor-facing platforms and the statutory compliance frameworks that the law demands.Our audit engagements are structured around the law's nine required report elements, with a methodology that satisfies South Carolina's requirement for auditors to 'follow inspection and consultation practices designed to ensure that reports are comprehensive and accurate,' including the statutory mandate to consult with experts on minors' use of covered online services.
Reach out for a consultation.
Are you one of our COPPA Safe Harbor participants? Unlock preferred pricing and a fast-track application process.