If there’s one thing politicians can agree on right now, it’s that children’s data privacy is a top priority. From the FTC’s ongoing revision of COPPA rules to California’s Age-Appropriate Design Code Act, lawmakers are paying a lot of attention to how tech companies are collecting, using, and sharing kids’ personal information.
Accordingly, the Virginia General Assembly recently passed two amendments to the Consumer Data Protection Act (VCDPA) that significantly strengthen privacy protections for state residents under the age of 18.
The state legislature passed two separate bills regarding children’s data: SB 361 and HB 707. Here are the major components of both statutes.
SB 361 is the more substantial of the two bills, as it makes systemic changes to how children's data is regulated under the VCDPA. Here are the most important new rules added by the legislation:
SB 361 does not have an explicit effective date; under Virginia law, this means they should take effect on the first day of July following the adjournment of the legislative session: July 1, 2024.
This bill covers a lot of the same ground as SB 361—to the point where it’s not entirely clear why the Assembly passed them separately. That being said, here are HB 707’s major provisions:
The effective date for Virginia’s HB 707 is January 1, 2025.
All of these new provisions affect businesses that knowingly process the personal information of children. Hopefully, most of these businesses are already accustomed to complying with COPPA and the VCDPA's current rules for children's data. Implementing the new rules should be a manageable task, as it mainly consists of expanding protections to all minors under the age of 18.
However, even businesses that don’t knowingly collect data from children may someday have to comply with these restrictions. Both SB 361 and California’s proposed AB 1949 contemplate the creation of a device- or browser-level signal that would alert websites and apps to the fact that a user is under 13 or under 18, similar to how Global Privacy Control works for opt-outs.
Such a signal does not currently exist, but if and when it does, businesses will have to treat the signal as actual knowledge that a user is a child and restrict data processing accordingly. Businesses that have never even thought about children’s privacy protections will be forced to implement them, which could have major implications across the internet.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, helping you with everything from onboarding vendors to managing consent to responding to privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2022 © All Rights Reserved. Privacy Policy | Terms of Use | California Privacy Notice