Contact Us
/ Compliance Services / Age-Appropriate Design Code Audits / South Carolina Age-Appropriate Code Design Audits

South Carolina Age-Appropriate Code Design Audits

South Carolina's law doesn't allow your compliance team to handle this internally. It requires an independent third-party auditor, by name, in the statute. TestPros prepares and delivers the report.
Contact Us
  • 9 Required elements in every audit report § 39-80-70(A)
  • Treble damages for any violation § 39-80-80(B)
  • $25M Revenue threshold triggering coverage § 39-80-10(4)(A)
  • 50K Data subjects alternative threshold § 39-80-10(4)(B)
  • 0 No cure period. Law took effect immediately Act 96, Feb. 5, 2026

South Carolina Mandates an Independent Audit.
Every Other State Allows an Internal Assessment.

Comparison of Age-Appropriate Design Code laws across U.S. states: requirement type, who performs it, and enforcement status.
State Law Requirement Type Who Performs It Status
South Carolina ★ H. 3431 / Act 96 Independent Third-Party Audit Outside auditor, required by statute In effect. Reports due July 1, 2026
California AADC (AB 2273) Internal DPIA Company's own team Partially in effect Apr. 3, 2026
DPIA requirement still enjoined
Maryland AADC (HB 603) Internal DPIA Company's own team Under litigation
Nebraska AADC (LB 1074) Internal DPIA Company's own team In effect Jan. 1, 2026
Vermont AADC (S.90) Internal DPIA Company's own team Effective Jan. 1, 2027
Why this matters: In every other state with an AADC law, the assessment is internal, performed by the company's own team. South Carolina explicitly chose a different model. S.C. Code § 39-80-70 mandates a report "prepared by an independent third-party auditor," language that forecloses an internal review. This is not a risk assessment you can assign to your DPO.

Does Your Service Fall Under the SC AADC?

Under S.C. Code § 39-80-10(4), a "covered online service" is any online service or application that conducts business in South Carolina, is reasonably likely to be accessed by minors (under 18), and meets at least one of the following thresholds. All three conditions must be present.

  • Annual Gross Revenue

    Annual revenues exceed $25 million, adjusted in odd-numbered years to reflect Consumer Price Index changes.

  • Personal Data Volume

    Annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices, alone or in combination with affiliates.

  • Data-Derived Revenue

    Derives at least 50% of annual revenue from the sale or sharing of consumers' personal data.

Any Online Service Reasonably Likely to Be Accessed by Minors

If your platform, app, or online service operates in South Carolina and meets the coverage thresholds below, you are required to obtain an independent third-party audit annually. This includes a broad range of organizations, not just social media companies.

  • Social Media Platforms

    Any platform where users create profiles, share content, or interact with others, including newer or niche platforms, not just the major networks.

  • App Developers

    Mobile and web application developers whose products are available in South Carolina and likely to attract users under 18, across any category.

  • Gaming Platforms

    Online gaming services, in-game marketplaces, and companion apps, particularly those with engagement features like streaks, rewards, or in-app purchases.

  • Streaming & Content Services

    Video, audio, and content recommendation platforms that use algorithmic feeds, autoplay, or personalized suggestion systems accessible to minors.

  • EdTech & Learning Platforms

    Educational technology products and e-learning services that collect student data, use recommendation engines, or deploy engagement-boosting design features.

  • E-Commerce & Marketplaces

    Online retail and marketplace platforms that process minors' personal data, facilitate purchases, or use personalized product recommendation systems.

  • Community & Forum Platforms

    Discussion boards, fan communities, and user-generated content platforms where minors may participate, post, or interact with other users.

  • AI-Powered Services

    The law explicitly covers online services based in part or in whole on artificial intelligence, including AI companions, tutors, chatbots, and recommendation engines accessible to minors.

Not sure if you're covered? The first step in a TestPros engagement is a scoping review. We assess your service against the coverage criteria in § 39-80-10(4) before any audit work begins. Contact us to find out.

A Formal, Statute-Compliant Audit Report Ready for AG Submission

TestPros delivers a complete, structured public audit report that satisfies every requirement of S.C. Code § 39-80-70. Here's exactly what the engagement produces.

  • Public Audit Report

    A comprehensive written report addressing all nine statutory elements under § 39-80-70(A), structured for submission to the South Carolina Attorney General and formatted for public posting on the AG's website.

  • Coverage Scoping Review

    A documented assessment of whether your service meets the coverage criteria in § 39-80-10(4), including revenue, data volume, and minor access likelihood, so you have a defensible record of your compliance determination.

  • Design Feature Assessment

    Evaluation of your service's covered design features: infinite scroll, auto-play, gamification, push notifications, and others enumerated in § 39-80-10(3), assessed scroll, auto-play, gamification the statute's default-off requirements for known minors.

  • Algorithm & Data Practice Documentation

    Written descriptions of your recommendation algorithms, data collection practices, age verification methods, and harm reporting processes. These are all required elements of the public report.

  • Annual Recertification

    The SC AADC requires a new audit report every year. TestPros provides recurring engagement support so you maintain compliance without rebuilding the process from scratch each cycle.

Why It Matters

Missing the July 1 deadline carries serious consequences

South Carolina's enforcement provisions are among the most aggressive in current U.S. privacy law. There is no cure period; liability attaches the moment a violation occurs.

Treble damages: courts must award triple actual financial losses for any violation
Personal Officers and employees may be held individually liable for willful and wanton violations
Public All audit reports are posted publicly on the AG's website; non-filers are visible by absence

First reports due July 1, 2026. No cure period. Enforcement by the South Carolina Attorney General.

Nine Statutory Elements in Every Public Audit Report

S.C. Code § 39-80-70(A) enumerates nine required elements. Every element must be addressed. The completed report is submitted to the South Carolina Attorney General and published publicly on the AG's website. It is not a confidential internal review.

  1. Service Purpose

    Description of the purpose of the covered online service.

    § 39-80-70(A)(1)

  2. Minor Access Likelihood

    The extent to which the service is likely to be accessed by minors (under 18).

    § 39-80-70(A)(2)

  3. Harm Reporting Data

    Accounting of the total number and types of harm reports submitted, and an assessment of how those reports were handled.

    § 39-80-70(A)(3)

  4. Personal Data Practices

    Whether, how, and for what purpose the service collects or processes minors' personal data and sensitive personal data.

    § 39-80-70(A)(4)

  1. Design Safety, Privacy Protections & Parental Tools

    Design safety measures for minors, privacy protections, and parental controls the service has adopted, including default-on safeguards required for known minors under § 39-80-30(C).

    § 39-80-70(A)(5)

  2. Covered Design Features

    Whether and how the service uses covered design features, those that encourage or increase minors' time or activity on the service.

    Specifically enumerated in § 39-80-10(3): infinite scroll, auto-play, gamification (streaks, badges, rewards), quantified engagement counts, push notifications, in-app purchases, and appearance-altering filters. These must be disabled by default for known minors under § 39-80-30(C).

    § 39-80-70(A)(6)

  1. Minor Data Rights Processes

    The service's processes for handling minors' data access, deletion, and correction requests.

    § 39-80-70(A)(7)

  2. Age Verification & Estimation Methods

    Methods used to verify or estimate user age. Data collected for age verification cannot be used for other purposes and must be deleted after use (§ 39-80-40(A)).

    § 39-80-70(A)(8)

  3. Algorithm Descriptions

    Description of algorithms used by the service, including personalized recommendation systems that suggest, promote, or rank content based on user personal data.

    § 39-80-70(A)(9)

Nine Statutory Elements in Every Public Audit Report

S.C. Code § 39-80-70(A) enumerates nine required elements. Every element must be addressed. The completed report is submitted to the South Carolina Attorney General and published publicly on the AG's website. It is not a confidential internal review.

  1. Service Purpose

    Description of the purpose of the covered online service.

    § 39-80-70(A)(1)

  2. Minor Access Likelihood

    The extent to which the service is likely to be accessed by minors (under 18).

    § 39-80-70(A)(2)

  3. Harm Reporting Data

    Accounting of the total number and types of harm reports submitted, and an assessment of how those reports were handled.

    § 39-80-70(A)(3)

  4. Personal Data Practices

    Whether, how, and for what purpose the service collects or processes minors' personal data and sensitive personal data.

    § 39-80-70(A)(4)

  5. Design Safety, Privacy Protections & Parental Tools

    Design safety measures for minors, privacy protections, and parental controls the service has adopted, including default-on safeguards required for known minors under § 39-80-30(C).

    § 39-80-70(A)(5)

  6. Covered Design Features

    Whether and how the service uses covered design features, those that encourage or increase minors' time or activity on the service.

    Specifically enumerated in § 39-80-10(3): infinite scroll, auto-play, gamification (streaks, badges, rewards), quantified engagement counts, push notifications, in-app purchases, and appearance-altering filters. These must be disabled by default for known minors under § 39-80-30(C).

    § 39-80-70(A)(6)

  7. Minor Data Rights Processes

    The service's processes for handling minors' data access, deletion, and correction requests.

    § 39-80-70(A)(7)

  8. Age Verification & Estimation Methods

    Methods used to verify or estimate user age. Data collected for age verification cannot be used for other purposes and must be deleted after use (§ 39-80-40(A)).

    § 39-80-70(A)(8)

  9. Algorithm Descriptions

    Description of algorithms used by the service, including personalized recommendation systems that suggest, promote, or rank content based on user personal data.

    § 39-80-70(A)(9)

What Non-Compliance Costs

The South Carolina Attorney General enforces the law. There is no cure period; liability attaches without a remediation window. The enforcement provisions are more aggressive than those in comparable state privacy laws.

  • Treble Damages

    Courts must award triple the actual financial damages incurred as a result of any violation.

  • Executive Liability

    Individual officers and employees may be held personally liable for willful and wanton violations, not just the corporate entity.

  • Registry Exposure

    Reports are posted publicly on the AG's website. Absence from the registry signals non-compliance to regulators and plaintiffs' counsel alike.

  • Dark Pattern Claims

    Use of dark patterns constitutes an unlawful trade practice under the SC Unfair Trade Practices Act, opening a separate civil enforcement path.

Source: S.C. Code §§ 39-80-60(C), 39-80-80(B)-(C) (Act 96, H. 3431, signed February 5, 2026)

How a TestPros SC AADC Audit Engagement Works

A structured engagement, not a questionnaire you fill out and return. TestPros conducts the assessment, prepares the report, and delivers a document structured for submission to the South Carolina Attorney General.

  1. Scoping & Coverage Determination

    We review your service against the coverage criteria, including revenue, data volume, and minor access likelihood, and define the audit boundary. If you have multiple services or affiliated entities, we scope each appropriately.

  2. Documentation Request & Access Review

    We request access to data practice documentation, design configurations, algorithm descriptions, harm report records, age verification systems, and parental control implementations.

  3. Technical & Operational Assessment

    We evaluate each of the nine statutory elements against actual service behavior, not just policy documentation. This includes verification of default settings for known minors and review of covered design feature implementation.

  4. Expert Consultation

    Our process incorporates expert consultation on minors' use of covered online services, as required by statute, ensuring the report meets the legal standard of being "comprehensive and accurate."

  5. Public Report Preparation & Delivery

    We prepare the formal public audit report addressing all nine required elements, structured for submission to the South Carolina Attorney General on or before July 1.

  6. Annual Recertification Support

    The SC AADC requires an annual audit, not a one-time certification. We provide recurring engagement support so your organization maintains compliance year over year without rebuilding the process from scratch.

Independent Since Before the Internet Existed

The SC AADC requires an auditor that is genuinely independent: not a consulting arm of a platform vendor, not a law firm conducting a privileged review, not your internal team with a new job title. Here's what distinguishes TestPros.

  • Structurally Independent

    TestPros has no software to license, no platform to protect, and no upsell to make. We are an independent testing and assessment firm, which is exactly the model South Carolina's statute was written for.

  • Cross-Framework Assessment Depth

    Active service lines in digital accessibility (WCAG, ADA Title II, Section 508), cybersecurity (CMMC 2.0, NIST SP 800-53), HIPAA, and FCC regulatory assessment. This breadth provides audit depth across the overlapping frameworks a covered online service typically touches.

  • Federal & Regulated Sector Track Record

    Decades of assessment work for federal agencies, state and local government, and commercial clients operating in regulated environments. That is the same client profile SC AADC coverage affects most directly.

  • Traceable, Defensible Reports

    Every finding in a TestPros audit report is traceable to the specific statutory provision it addresses. Reports are structured for submission to the AG and written to withstand public scrutiny from day one.

1988
Founded

TestPros has provided independent IT assessment and testing services for over 35 years. We were independent before "third-party audit" was a compliance term. It's the only way we've ever operated.

  • Digital Accessibility
  • WCAG / Section 508
  • ADA Title II
  • CMMC 2.0
  • NIST SP 800-53
  • HIPAA
  • FCC Closed Captioning
  • SC AADC

Certified &
Independent

TestPros has been independently audited or appraised and is proud to hold the following company credentials:
renewed CMMI Level 3 Services Logo
ISO 20000-1 Certified Company
ISO 27001 Certified Company

AADC Requirements Are Expanding

South Carolina's third-party audit requirement is unique today, but the broader AADC landscape is growing. TestPros is building service coverage across all active state laws.

July 1 is the deadline.
Independent is the requirement.

Talk to TestPros about your SC AADC audit obligation: scope, timeline, and what the engagement involves. Contact us to get started.

Get in Touch

Or reach us directly: [email protected]  ·  703-787-7600