Virginia Passes New Privacy Protections for Minors

In January 2024, the Virginia General Assembly recently passed two amendments to the Consumer Data Protection Act (VCDPA) that significantly strengthen privacy protections for state residents under the age of 18.

What Are the New Rules?

The state legislature passed two separate bills regarding children’s data: SB 361 and HB 707. Here are the major components of both statutes.


Senate Bill 361

SB 361 is the more substantial of the two bills, as it makes systemic changes to how children's data is regulated under the VCDPA. Here are the most important new rules added by the legislation:


  • The definition of “child” is changed to include anyone under the age of 18 (instead of under 13)
  • Introduces some new terminology: “Covered users” and “operators”
    • An operator is anyone who operates a website, online service, or online or mobile application which processes users' personal data (directly or indirectly)
    • A covered user is anyone:
      • Who the operator actually knows to be a minor, or
      • Who uses an website, online service, or online or mobile application directed to minors
  • If a covered user is 13 or older, the operator can only process their personal data if:
    • They have the covered user’s informed consent, or
    • The processing is strictly necessary (the statute also provides an exhaustive list of situations in which processing may be considered strictly necessary
  • Once a business learns that a consumer is a minor, it must delete all of their personal data unless the data is either strictly necessary or the consumer has consented to its processing.
  • If a device, browser, or some other privacy setting sends a signal indicating that a user is a minor, operators must treat this signal as providing actual knowledge of the user’s age
  • A prohibition on processing children’s personal data for:
    • Targeted advertising
    • The sale of personal data
    • Profiling in furtherance of decisions that produce legal or similarly significant effects
  • Businesses may only disclose the personal data of minors to third parties if they have contracts in place that contain certain privacy provisions.

SB 361 does not have an explicit effective date; under Virginia law, this means they should take effect on the first day of July following the adjournment of the legislative session: July 1, 2024.


House Bill 707

This bill covers a lot of the same ground as SB 361—to the point where it’s not entirely clear why the Assembly passed them separately. That being said, here are HB 707’s major provisions:


  • Businesses may not process children’s personal data:
    • For purposes of targeted advertising, selling the data, or profiling in furtherance of decisions that produce legal or similarly significant effects;
    • Unless the processing is necessary to provide an online service, product, or feature;
    • For any purpose other than what was disclosed to the consumer, or another purpose that is reasonably necessary for and compatible with that purpose; OR
    • For longer than is necessary to provide an online service, product, or feature
  • Businesses may not process the precise geolocation of children unless:
    • It is necessary to provide an online service, product, or feature; AND
    • The business provides a signal to alert the child that it is tracking their location
  • A data protection assessment is required for any online service, product, or feature that is directed to known children.

The effective date for Virginia’s HB 707 is January 1, 2025.

Analysis

All of these new provisions affect businesses that knowingly process the personal information of children. Hopefully, most of these businesses  are already accustomed to complying with COPPA and the VCDPA's current rules for children's data. Implementing the new rules should be a manageable task, as it mainly consists of expanding protections to all minors under the age of 18.

However, even businesses that don’t knowingly collect data from children may someday have to comply with these restrictions. Both SB 361 and California’s proposed AB 1949 contemplate the creation of a device- or browser-level signal that would alert websites and apps to the fact that a user is under 13 or under 18, similar to how Global Privacy Control works for opt-outs. 

Such a signal does not currently exist, but if and when it does, businesses will have to treat the signal as actual knowledge that a user is a child and restrict data processing accordingly. Businesses that have never even thought about children’s privacy protections will be forced to implement them, which could have major implications across the internet.