On May 17, 2024, Virginia Governor Glenn Youngkin signed SB 361/HB 707 amending the Virginia Consumer Data Protection Act ("VCDPA") to provide heightened protections to consumers under 18 years of age, not just those under 13, as the law provides currently. Specifically, the amendment requires controllers to obtain parental consent before processing any minors' personal data for certain purposes, and it requires controllers that provide online services, products, or features to children known to be under 18 to take additional measures. The amendment, which is described in detail below, will become effective on January 1, 2025.

"Child" Means a Natural Person Under 18 Years of Age

Following a growing trend in state legislatures to protect minors' personal data, the amendment expands the definition of "children" in the VCDPA from natural persons under 13 years of age to include all who are under 18 years of age. Unlike the Children's Online Privacy Protection Act ("COPPA"), which regulates companies that either provide online services "directed to" children or that have "actual knowledge" users are children, the VCDPA—with one exception, discussed below—imposes obligations on controllers who "know" that consumers they interact with are children. For example, a company that collects website users' birthdates will be deemed to "know" which users are minors, but a company that provides an online service that is popular with teenagers will not be deemed to "know" which users are "children" based on the general knowledge that minors use the service, without more. This should limit the impact of the amendment somewhat, although as explained below, a data protection assessment would be required without knowing which users are children if the online service is directed to consumers that the controller knows include children.

Parental Consent Required for Certain Processing Activities

Unless the controller first obtains parental consent, controllers are prohibited from processing personal data collected from a "known child" for the following purposes:

• targeted advertising,
• selling personal data, and
• profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

The amendment also prohibits controllers from processing personal data of known children:

• that is not reasonably necessary to provide the online service, product, or feature;
• for purposes other than those disclosed at the time the controller collected the personal data or that are reasonably necessary for and compatible with such disclosed purposes; and
• for longer than reasonably necessary to provide the online product, service, or feature.

The amendment also prohibits controllers from collecting a known child's precise geolocation data unless (1) such data is reasonably necessary to provide an online service, product, or feature, and then only for the time necessary to do so; and (2) the controller provides to the known child a signal—for the duration of collection—indicating that the controller is collecting precise geolocation data.

Controllers and processors will be deemed compliant with the consent requirement if they adhere to COPPA regulations regarding consent, thus using COPPA's "under 13" regime for Virginia children who are at least 13 but under 18 years of age.

Obligations for Controllers That Provide "Online Services, Products, or Features"

Several of the new obligations related to children's personal data apply to controllers that provide an "online service, product, or feature," which means simply "any service, product, or feature that is provided online." The amendment expressly carves out from the definition any telecommunications services, as defined in 47 U.S.C. § 153; broadband internet access services, as defined in 47 C.F.R. § 54.400; and delivery or use of a physical product.

In addition to imposing the above-mentioned restrictions on the scope and duration of processing of children's personal data and the collection of children's precise geolocation data, the amendment requires data protection assessments for any online services, products, or features that are "directed to consumers whom such controller has actual knowledge are children." Unlike other provisions in the amendment that apply to personal data collected from a "known child," this obligation applies to online services, products, and features "directed to" consumers whom the controller knows include children. Read broadly, this could mean that a controller must conduct a data protection assessment for any online service, product, or feature that it knows is being used by children, even if it does not know precisely which users are children, so long as the controller directs the online service, product, or feature to users the controller knows are under 18 years of age. Such data protection assessments must address the purpose of the online service, product, or feature; the categories of known children's personal data processed; and the purposes for which the controller processes known children's personal data with respect to the online service, product, or feature.

+++

DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations. For assistance with state privacy laws, please contact the author of this alert or the Davis Wright Tremaine attorney with whom you work.