By the SafeGuard Privacy Team

Where sensitive data is involved—particularly data of children—California isn’t the only regulator to watch.

Florida’s recent complaint against Roku highlights that children’s data are a key enforcement priority nationwide. Businesses that handle children’s data should not only continue monitoring the FTC’s enforcement of COPPA, but also ensure they comply with each state’s privacy rules for children’s data.

Sensitive Data Under the Florida Privacy Law

Florida’s Digital Bill of Rights (FDBR), which became effective on July 1, 2023, is considered a narrowly scoped privacy law because—except for sales of sensitive data—many of its requirements apply only to controllers that make more than $1 billion in global gross annual revenues. Importantly, this revenue threshold does not apply to sales of sensitive data, including personal data collected from a child, which the FDBR defines as a consumer under 18 years of age.

Florida v. Roku Highlights the Willful Disregard of Age Standard

In FDBR, the standard states that a covered business:

[M]ay not … process the personal information of any child [younger than 18] if the online platform has actual knowledge of or willfully disregards that the processing may result in substantial harm or privacy risk to children. (emphasis added)

And further states:

A controller that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age.

In a press release and in the complaint itself, Florida’s Attorney General uses strong language to make its case. The AG says the Roku case is part of an effort to “hold any company that conceals or exploits [children’s] information accountable.” The complaint alleges that Roku knows it collects personal information from children and “buries its head in the sand so that it can continue processing and selling children’s valuable personal and sensitive data.”

What facts does Florida allege to justify these claims? For companies that provide services and advertise to mixed audiences that include children, it alleges fairly common fact scenarios, including:

  • The Roku streaming platform does not allow users to create child-specific profiles, enabling Roku to claim it has no knowledge of the age of its users;
  • Roku continues processing and selling data even when a user “waves a flag signaling…that he or she is a child,” such as by viewing content from Roku’s kids and family streaming service;
  • Roku’s most-searched content includes shows clearly intended for children, like Bluey, SpongeBob SquarePants, and Inside Out;
  • Roku’s streaming devices include apps directed to children, and targeted advertisements are placed in such apps; and
  • Children can search for child-oriented content in Roku’s search interface.

The Florida complaint concludes that, in view of all these facts, Roku willfully disregards its collection and processing of personal information from children. It’s easy to draw analogies between these facts and the practices of websites, streaming content providers, and other online services offering content for children. The risks are especially challenging for content providers with mixed audiences that include children.

Worth noting: Florida is not the only state that has filed a case against Roku recently. The Michigan Attorney General filed a similar case in April 2025.

COPPA Plus

The Children’s Online Privacy Protection Act (COPPA) is the keystone federal law by which the FTC protects children’s personal information from unauthorized use. COPPA became law in 1998 and was substantially updated in 2013 and 2025.

In general, it requires parental consent for the use of personal information from children under 13. Despite the FTC’s more pro-business enforcement posture under the current administration, it clearly prioritizes protecting children’s data—as evidenced by its $10 million settlement with Disney this year.

U.S. state privacy laws are expanding COPPA’s requirements. All include protections for children’s personal information. Typically, and similarly to COPPA, they treat it as an element of sensitive personal data requiring consent for use. Some go beyond COPPA’s requirements by adding new rules—for example, rules for children between 13 and 18, social media uses, bans on using children’s data for targeted advertising, data sales, or precise geolocation, as well as age verification requirements and age-appropriate design codes.

The trend is clear: beyond COPPA compliance, state privacy laws require businesses that collect and share children’s personal information to comply with consent requirements and provide heightened protections. State regulators are ramping up their enforcement efforts to ensure compliance.