The SC AADC Audit Blueprint: From “Likely Accessed” to Defensible Compliance

The SC AADC Audit Blueprint

Under the South Carolina Age‑Appropriate Design Code (SC AADC), compliance is not complete at launch or even at remediation. Beginning July 1, 2026,* covered companies must submit an annual, independent third‑party audit to the South Carolina Attorney General assessing whether their services comply with the law’s youth‑protective design obligations.

Annual means the auditor is assessing whether controls operated consistently throughout a defined review period, not merely whether they were well designed on paper.

Independent means the assessment must be performed by a third party with no role in designing, owning, or executing the controls under review.

This audit is not a formalistic certification. It is a structured evaluation of how an organization:

• Identifies youth‑specific risks
• Implements age‑appropriate design safeguards
• Documents its reasoning and tradeoffs
• Maintains accountability over time

In practice, the SC AADC audit functions as both a compliance mechanism and an enforcement lens. Companies that treat it as a checkbox exercise are likely to fail it and miss the opportunity to leverage as a value-add.

What follows is a practical blueprint for structuring an audit that is defensible under the SC AADC’s statutory requirements.

What the SC AADC Audit Is (and Is Not)

• Not a certification or safe harbor
• Not a point‑in‑time snapshot
• Not limited to children‑only products

Instead, it is a structured, evidence‑based assessment of how youth risk is identified, mitigated, governed, and maintained over time.

Step 1: Define the SC AADC Audit Scope

Under the SC AADC, the audit scope is not limited to “children’s products.”

Auditors will expect companies to assess any online service, product, or feature that is likely to be accessed by a minor under 18, including:

• General‑audience platforms with known or foreseeable youth usage
• Core user journeys (onboarding, feeds, search, messaging)
• Engagement‑driven features (recommendations, notifications, streaks)
• Monetization systems (ads, in‑app purchases, tipping mechanisms)
• AI‑driven personalization, ranking, and content amplification

Audit risk principle:

If a feature shapes attention, behavior, or data collection—and a minor could access it—it is in scope unless the company can credibly document otherwise.

Auditors may infer “likely to be accessed” where:

• The product has known teen usage metrics
• Design patterns mirror youth‑popular platforms
• Features are optimized for engagement over deliberation
• Marketing, creators, or content ecosystems skew youth‑adjacent

Step 2: Conduct Feature‑Level Youth Risk Identification

The SC AADC audit must demonstrate that the company has systematically identified risks to minors arising from product design, not merely complied with isolated prohibitions.

For each in‑scope feature, auditors will look for documented analysis of risks such as:

• Addictive or compulsive usage patterns
• Behavioral manipulation through ranking, rewards, or feedback loops
• Excessive data collection or profiling of minors
• Exposure to harmful, age‑inappropriate, or exploitative content
• Dark patterns that impair minor decision‑making

Audit strategy approach:

The goal is not to have zero risk, an impossible standard, but to show good‑faith identification and assessment of foreseeable harms, mitigating activities, and risk acceptance.

Step 3: Evaluate Design Defaults and Engagement Controls

A central focus of the SC AADC is how products behave by default.

Auditors will evaluate whether:

• Engagement‑maximizing features (e.g., autoplay, infinite scroll, algorithmic amplification) are limited or modified for minors
• Protective settings are enabled automatically for known or likely minors
• Algorithmic systems account for heightened sensitivity and reduced autonomy of youth users

The law does not mandate universal age verification. However, it expects companies to implement age‑responsive design choices rather than treating minors and adults identically.

Audit red flag:

If safeguards exist only as optional settings, the auditor may conclude the company has not met the statute’s intent.

Step 4: Review Parental Control Implementation

For “known minors,” the SC AADC requires parental monitoring and safety tools to be enabled by default.

The audit should assess:

• How the organization defines and operationalizes “known minor” status
• Whether parental controls are meaningfully effective, not merely nominal
• How defaults are enforced across devices, sessions, and updates
• How teen autonomy considerations are balanced and documented

Audit risk principle:

Auditors should not dictate product design—but they expect clear, documented reasoning for how parental safeguards are implemented.

Step 5: Document Mitigation Decisions and Tradeoffs

This is the most critical and most frequently underdeveloped, portion of an SC AADC audit.

For each identified risk, companies should be able to show:

• Which mitigation options were considered
• Which were implemented and which were rejected
• The technical, usability, or business constraints influencing those decisions

The SC AADC audit is designed to assess process maturity, not perfection. Regulators are far more likely to penalize undocumented decisions than imperfect ones.

In enforcement scenarios, this documentation is often the difference between a defensible compliance posture and an adverse inference.

Audit risk principle:

If your rationale only exists in internal discussion or institutional memory, it effectively does not exist for audit purposes. If it is not documented, it does not exist.

Step 6: Assemble Audit‑Ready Evidence

An SC AADC audit submission should include structured, reviewable evidence, such as:

• Feature inventories and data‑flow diagrams
• Design decision logs tied to statutory requirements
• Risk assessments and mitigation summaries
• Records of updates, regressions, and new feature launches
• Internal accountability and governance documentation

Audit risk principle:

The audit must demonstrate that youth safety is continuously governed, not assessed once and forgotten. The expectation is continuous existence of control implementations for the period under audit.

What “Good‑Faith Compliance” Looks Like Under the SC AADC

Organizations well‑positioned to pass an SC AADC audit share five characteristics:

1. Clear ownership across legal, product, engineering, and design
2. Routine assessment of youth risk, not one‑time reviews
3. Documented rationale for all known tradeoffs
4. Age‑responsive defaults, not blunt access restrictions
5. Audit artifacts integrated into product development workflows

Under South Carolina’s enforcement posture, the absence of documentation can quickly be interpreted as the absence of care.

In Part 3, we look at how organizations are embedding SC AADC audit artifacts directly into Privacy by Design, AI governance, and product development lifecycles, so compliance effort compounds over time instead of resetting every year.

**Although the SC AADC is currently being challenged in federal court by NetChoice, and enforcement timelines could ultimately be affected by judicial rulings, the law remains in effect unless and until a court enjoins it.