On May 14, 2026, California Attorney General Rob Bonta issued proposed regulations and opened a 45-day public comment period addressing compliance with the age determination and parental consent requirements of the Protecting Our Kids from Social Media Addiction Act, or S.B. 976 (the “Act”). Enacted in September 2024, the Act is intended to protect users under 18 from addictive features on online platforms, including social media, by restricting operators of addictive internet-based services or applications from providing algorithmically driven addictive feeds or sending notifications during certain nighttime and school hours unless the operator has reasonably determined that the user is not a minor or has obtained verifiable parental consent. The proposed regulations, which the Attorney General must adopt by January 1, 2027, seek feedback on how platforms should meet those requirements, with written comments due during the 45-day comment window and a public hearing scheduled for June 30, 2026.
Ongoing Litigation Challenges to the Act
The Act remains subject to ongoing litigation. The Act was challenged in the Northern District of California on First Amendment and vagueness grounds. The district court partially enjoined the Act’s notification restrictions, notification-related default setting, compelled-disclosure requirement, and like-count default setting, while allowing other provisions to remain in place, including the personalized-feed restrictions, private-mode default, and age-verification framework, which is not yet operative until 2027. The litigation was appealed to the Ninth Circuit Court of Appeals, which remanded the case back to the district court in NetChoice, LLC v. Bonta (9th Cir. Mar. 12, 2026). Further proceedings are expected to address the scope of the revised injunction, any as-applied challenges, and the age-verification provisions after the Attorney General adopts implementing regulations.
Overview of the Proposed Regulations
The proposed regulations implement and expand the Act by clarifying key definitions, including the introduction of “covered features” which generally means user-generated content that is chosen or ranked for a person based on their data or activity. The proposed regulations establish an operational framework for compliance, particularly through prescriptive requirements for age assurance, verifiable parental consent, and transparency in how operators assess and document user age. Additionally, the proposed regulations strengthen enforcement and risk mitigation by imposing obligations related to fraud prevention, appeals processes, and consistent application of minor status determinations across platforms, thereby addressing implementation gaps in the statute. Key elements of the proposed regulations include:
- Age Assurance Framework: The proposed regulations require operators that do not have actual knowledge that a user is a minor to make a reasonable determination that the user is not a minor before providing covered features, using one or more commercially reasonable and technically feasible age assurance methods that are effective, measurable, consistent, and testable.
- Insufficient Age Determinations: The proposed regulations treat an age determination as unreasonable if it relies on self-declaration, general contractual age restrictions, certain online payment methods, inconclusive outcomes, or methods with known risks that the operator has not reasonably mitigated, and they prohibit operators from requiring government-issued identification or using it as the sole age assurance method.
- Transparency and Reporting: The proposed regulations require operators to publish and maintain a website report describing their age assurance methods, the data and rationale supporting those methods, how the methods yield a reasonable determination, and the measures used to ensure accuracy, prevent misuse, and test, audit, and review effectiveness.
- Cross-Platform Consistency: The proposed regulations require operators to apply actual knowledge or a reasonable determination that a user is a minor across all access points to the operator’s platform, including websites, online services, online applications, and mobile applications.
- Appeals and Error Correction: The proposed regulations require operators to maintain a process for users to appeal minor-status determinations or inconclusive age assurance outcomes and to receive and respond to reports or information indicating that a user is a minor or that age or location data was falsified.
- Parental Consent Framework: The proposed regulations require operators to notify users and obtain user consent before seeking verifiable parental consent, then provide the parent with required notice and a verifiable consent method that is reasonably calculated to confirm the individual is the minor’s parent, including at least one option that does not require account creation, a purchase, or government-issued identification.
- Revocation Rights: The proposed regulations allow users and parents to revoke consent at any time, require operators to provide simple and easily accessible revocation mechanisms that are as easy to use as the consent mechanisms, and require operators to stop seeking parental consent or providing covered features immediately after revocation.
- Anti-Circumvention Obligations: The proposed regulations require operators to implement, maintain, and document reasonable measures or protocols to prevent circumvention, fraud, or misuse of age determination and parental consent methods, including measures that account for emerging technologies and efforts to conceal or misrepresent California location.
- Data Governance Requirements: The proposed regulations require operators to limit age assurance data to what is necessary for compliance, use it only for compliance, collect and store it with industry-standard security measures, retain it only as long as needed, and delete it immediately thereafter.
Rulemaking Process and Timeline
The proposed regulations are subject to California’s Administrative Procedure Act rulemaking process:
- Notice of Proposed Rulemaking: Issued on May 15, 2026, initiating the formal rulemaking process.
- Public Comment Period: A 45-day comment period is open, with written comments due by June 30, 2026, at 5:00 p.m.
- Public Hearing: Scheduled for June 30, 2026, with both in-person and remote participation options.
- Post-Comment Revisions: The Department may issue revised text subject to an additional 15-day comment period if modifications are made.
- Final Rulemaking Steps: Following consideration of comments, the Department will finalize the regulations and issue a Final Statement of Reasons before submission for administrative approval.
- Effective Timeline: The regulations are intended to be in place ahead of the statutory deadline requiring implementation by January 1, 2027.
Next Steps
Companies subject to the Act should monitor the rulemaking process, evaluate their existing compliance frameworks under the Act, and consider whether to submit comments before the June 30, 2026 deadline. Because the proposed regulations are likely to change before final rules are adopted, companies should treat compliance planning as an ongoing process until rulemaking is complete.
For more information, Alston & Bird’s Privacy, Cybersecurity, and Data Strategy Team has extensive experience advising clients on California compliance and state privacy investigations. Please contact us and sign up for alerts at AlstonPrivacy.com.
