South Carolina Just Made Your AI Habit a Privilege Problem
On February 5, 2026, Governor Henry McMaster signed the South Carolina Age-Appropriate Design Code Act. It took effect the same day, with no cure period (the legislative equivalent of “effective immediately, figure it out”). NetChoice sued within days to block it, and that fight is ongoing. While the lawyers argue about the lawyers’ law, the statute is on the books, and the South Carolina Attorney General is the one enforcing it.
Most of the early coverage filed this under “social media regulation.” That framing is too small. The act reaches into how online services handle data about minors, and the practical reach runs well past Instagram and TikTok. If your work involves dropping documents into a public AI tool, the act is now part of your risk picture. You are not the named target. You are exposed anyway. One caveat before we go further: this is not legal advice, and the law is genuinely unsettled.
What the act actually does
H. 3431 regulates “covered online services,” meaning companies that do business in South Carolina, are “reasonably likely to be accessed by minors,” and clear the size thresholds (roughly $25 million in gross annual revenue, or handling personal data of 50,000 or more consumers a year). For anything inside that definition, the obligations are sweeping: a duty of reasonable care to prevent harm to minors, strict data minimization, bans on profiling and on facilitating targeted advertising, limits on design features like infinite scroll and autoplay, and mandatory independent audits that the Attorney General gets to publish.
Two enforcement features separate this from the four earlier state design codes (California, Maryland, Nebraska, Vermont). Plaintiffs can recover treble damages under the South Carolina Unfair Trade Practices Act. And officers and employees of covered services can be held personally liable for “willful and wanton” violations. That second one should ruin a few weekends at every major AI provider operating in the state. Indirectly, it should get the attention of every professional who leans on those providers.
Why it lands on the tools you use
A consumer AI tool (ChatGPT, Claude, Gemini, Copilot) clears the size threshold without breaking a sweat. The closer question is whether it is “reasonably likely to be accessed by minors.” Under the statute, a service crosses that line if it has actual knowledge that minors use it, or if it is directed to children as defined by the federal Children’s Online Privacy Protection Act (COPPA). General-purpose AI tools are used by minors constantly, the press has documented it, the platforms’ own usage data shows it, and a regulator will not strain to argue actual knowledge.
Once a provider is a covered service, every input containing a minor’s personal data, every uploaded document, every prompt, becomes data it must handle under the act’s minimization, profiling, and design rules. That changes the platform’s posture toward your inputs. Which, in turn, changes yours.
Healthcare and finance got a door. Law didn’t.
The act carves out two data categories in Section 39-80-20. Data already governed by HIPAA is exempt. Data already governed by the Gramm-Leach-Bliley Act is exempt. These are exemptions for kinds of data, not whole industries, and they mostly cover healthcare and financial professionals. (Cold comfort, honestly. A clinician pasting pediatric notes into a consumer chatbot still has a HIPAA problem; the act just declines to pile a second one on top.)
Legal practice has no equivalent. There is no federal statute that protects attorney-client communications or work product as a regulated data category the way HIPAA protects health data. The act contains no exemption for attorneys, mediators, or judicial proceedings. So when you upload a document containing a minor’s personal data into a public AI tool, there is no carve-out to stand behind.
Consider how often minor data turns up in the documents a lawyer is tempted to feed a chatbot. A custody motion with a child’s name, school, and therapist notes. A juvenile defender’s summary of a client record. A damages workup for an injured minor, school and pediatric records attached. A special-needs trust. A mediator drafting a parenting plan. A Section 504 or IDEA dispute. An asylum case for an unaccompanied minor.
Upload any of those and two things happen at once. The provider, now a covered service, has ingested minor data under conditions that may not meet the act’s requirements, and it carries that regulatory risk. And you have made a third-party disclosure of confidential information without your client’s informed consent, almost certainly outside the provider’s terms for that data category. That is a problem under ABA Model Rule 1.6 and the parallel South Carolina rule, and it can waive privilege over the underlying communications. A federal court has already said as much. In United States v. Heppner (S.D.N.Y., Feb. 17, 2026), the court ruled that a client’s inputs into a consumer AI tool are not privileged, and that those inputs can waive privilege over the original conversations with counsel that produced them.
So the act hands no one a new cause of action against the uploading attorney. What it does is raise the temperature on the whole ecosystem you depend on. Providers staring down treble damages, personal officer liability, and published audits will tighten their terms for minor-related inputs, and those terms then become your contractual and ethical baseline. Breaking them stops being a private contract footnote and starts being evidence of unreasonable care under Rule 1.6, and a tidy predicate for a malpractice claim.
The trap nobody reads far enough to find
There is a second way the act reaches a professional directly. It applies to any covered online service that is reasonably likely to be accessed by minors and meets the thresholds. Most solo and small firms will not hit the revenue or data-volume numbers. Larger practices and platforms in regulated fields can.
A few worth thinking through: a pediatric practice with a patient portal minors use directly. A family-law mediation platform with an online intake form filled out by minors over thirteen. A school-law firm whose client portal exposes documents to minor clients in IDEA matters. If the operator has actual knowledge that minors use the service, or it is directed to children under COPPA, and it meets the thresholds, it can be a covered service. At which point the personal liability provision attaches to its officers and employees. That is a “call your privacy lawyer” situation, not a “run a quick self-audit” one.
What to actually do
- Run sensitive documents through PII Anomalyzer to detect and anonymize the personally identifiable information before you paste anything into a consumer AI tool. It works on your own machine, so nothing is uploaded anywhere to be cleaned.
- Stop pasting documents with minor-related personal data into consumer AI tools. The data is not exempt under this act, it is not protected work product once you have handed it to a third party, and the privilege math after Heppner is not in your favor.
And if your own practice runs a platform minors can access, get a written legal opinion on covered-service status before you assume you are clear. The thresholds are lower than people expect, and personal liability for willful violations is a bad thing to discover after the Attorney General calls.
One honest caveat
The act took effect February 5, 2026, and NetChoice’s constitutional challenge landed within days. No court has interpreted the key terms yet, so most of the above is prudent prediction rather than settled law. But it is the prudent reading of a statute the legislature plainly meant to be sweeping, one that carries treble damages and personal liability and that a consumer-protection-minded Attorney General can enforce. The era of treating “just upload it to AI” as a free productivity move is over for anyone whose documents carry regulated data. South Carolina has now folded information about minors into that category, in a form that touches every AI provider in the state. Adjust the habit before a regulator adjusts it for you.
Sources: South Carolina Bill 3431 (text); Wilson Sonsini, “South Carolina Becomes Fifth State to Enact Age-Appropriate Design Code”; Troutman Pepper Locke; Hogan Lovells; Perkins Coie; DLA Piper; Hunton Andrews Kurth (NetChoice suit); United States v. Heppner, S.D.N.Y. (Feb. 17, 2026).
This piece is for general informational purposes and is not legal advice. Consult qualified counsel for any specific matter.