Key Takeaways: Nebraska has joined a national trend of states adopting online protections for minors with the adoption of the Age-Appropriate Online Design Code Act. The law, which will go into effect on January 1, 2026, imposes a number of requirements for providers of online services to design their features with privacy and security of children’s information as a core concern while prohibiting certain activities that impair such protections.

Overview of the AAODCA:

Nebraska is the latest state to enact children’s online privacy protection legislation, as the unicameral legislature passed LB504, otherwise known as the Age-Appropriate Online Design Code Act (“AAODCA”), on May 28, 2025. The bill, which Governor Pillen signed into law on Friday, May 30, 2025, is modeled on the California Age-Appropriate Design Code Act and will go into effect on January 1, 2026. Nebraska is the third state to officially enact such legislation, following in the footsteps of California (in 2022) and Maryland (in 2024).

The AAODCA is intended to promote the concept of “privacy by design,” a proactive approach to privacy protection that focuses on embedding data protection principles and choices into the design and operations of technologies rather than framing such considerations as an afterthought, in relation to children’s online activities.

The AAODCA applies to “covered online services,” which are legal entities that own, operate, control, or provide an online service that: conducts business in the state of Nebraska; alone or jointly with others determines the purpose and means of processing consumer data; exceeds $25 million in gross annual revenue; buys, sells, receives, or shares the personal data of 50,000 or more consumers, and derives at least 50% of its revenue from the sale or sharing of consumers’ personal data. The law exempts online services with actual knowledge that fewer than two percent of its users are minors.

Covered online services must provide minors with easy-to-use tools that are designed to limit the ability of other users or visitors to communicate with the minor, prevent other individuals from viewing the personal data of the minor, restrict the sharing of the minor’s precise geolocation information (and provide clear notice when such tracking is taking place), and provide minors with the option to limit the amount of time the minor spends on the service. Such tools are to be available with respect to “covered design features,” which are defined as any feature or component of an online service that encourages or increases the frequency, time spent, or activity of a user on the service, including infinite scroll, rewards for visit frequency, push notifications, in-game purchases, or appearance-altering filters.

The AAODCA also imposes a data minimization principle, mandating that online services only collect and use the minimum amount of a minor’s personal data necessary to provide the minor with the specific elements of an online service with which the minor has knowingly engaged, and prohibiting covered online services from collecting and using minors’ personal data for any reason other than that for which it was collected.

The law will also prohibit online services from facilitating both targeted advertising and advertising for prohibited products (such as drugs, tobacco, gambling, and alcohol) to minors using their service and from creating a profile of the minor unless necessary to provide a service requested by the minor. Push notifications to minors must be disabled between school hours (8:00 a.m. and 4:00 p.m.) and nighttime (10:00 p.m. to 6:00 a.m.) on weekdays during the school year.

The established default settings for these features must provide the highest protection available for the minor’s safety and the use of dark patterns (i.e., features which subvert or impair user autonomy) is expressly prohibited.

The AAODCA also has a number of provisions related to parental rights. Covered online services will be required to provide parents with tools to help them protect and support minors using the covered online service, and such tools must be enabled by default for known children under the age of 13. Parents of known children under 13 also must be provided the options to manage their child’s privacy and account settings, including the ability to change and control privacy settings, restrict purchases, as well as view and restrict the total time the child has spent on the covered online service.

Enforcement authority for the AAODCA rests with the state Attorney General, who will have the power to bring actions against companies beginning on July 1, 2026, six months after the law goes into effect. Violations of the statute will constitute a deceptive trade practice under the Nebraska Deceptive Trade Practices Act and may result in civil penalties of up to $50,000 per violation.

Comparison to California:

California became the first state to enact an age-appropriate design code law with its adoption of the California Age Appropriate Design Code Act (“CAADCA”) in August 2022. CAADCA is widely viewed as the leading statute of its kind in the United States. The AAODCA contains similar parental control mechanisms, and a data minimization and default setting requirement, as well as prohibitions on targeted advertising to children and the use of dark patterns.

In several respects, however, the Nebraska law is narrower than CAADCA. For example, CAADCA requires covered businesses to complete a data protection impact assessment for its online service, while the AAODCA has no internal audit requirements. Additionally, Nebraska’s law does not impose a duty of care on businesses to prevent foreseeable harm to minors, a feature that is present in the CAADCA.

Conclusion:

Nebraska’s Age-Appropriate Online Design Code Act is part of a growing patchwork of state laws aimed at protecting minors online. While it aligns with national trends in many respects, it is narrower in scope than the California Age-Appropriate Design Code Act. Companies operating online services accessible to Nebraska minors should begin reviewing their platforms, privacy settings, parental controls, and data collection and use practices to ensure compliance by the effective date of the law. For more information on the AAODCA or for advice on your company’s data privacy and security compliance efforts, please reach out to an expert in our Data Privacy and Security practice area. 

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}