Over the last few years, there has been a growing interest by states in children’s privacy. The Children’s Online Privacy Protection Act (COPPA) gives the Federal Trade Commission the ability to enforce privacy violations involving children. However, many states have not enacted similar state legislation to protect the privacy of children residing in their states.
Last year, Governor Glenn Youngkin signed Senate Bill 361/House Bill 707, which amended the Virginia Consumer Data Protection Act to include new requirements for how controllers process the data of users 13 years of age and under. While the VCDPA went into effect on January 1, 2023, this new update regarding children’s data went into effect January 1, 2025.
Covered Users
These new updates to the VCDPA apply specifically to users of a website, online service, or application who are either actually known by the website or app operator to be minors. Similarly, the new updates apply to users of a website or app that is directed to minors. The law defines “directed to minors” as a “website, online service, or online or mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominantly composed of minors and that is not intended for a more general audience composed of adults.” This would include
Parental Consent Required
Unless the controller first obtains parental consent, they cannot process personal data collected from known children for targeted advertising, selling personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. Controllers that comply with the consent requirements of COPPA will be deemed to be compliant with the parental consent requirement of the VCDPA.
Moreover, the amendment limits the types of personal data of known children that controllers are allowed to process. Now, controllers cannot process personal data that is not reasonably necessary to provide the online service, product, or feature; and they cannot process personal date for purposes other than those disclosed at the time the controller collected the personal date or that are reasonably necessary for and compatible with such disclosed purposes; and for longer than reasonably necessary to provide the online product, service, or feature. This data minimization feature of the new updates limits the types of data businesses can collect, and even limits how businesses can use data they do collect.
Impacts on Businesses
Businesses covered under the VCDPA that collect and process the data of children, as well as business with websites or apps that specifically target children, should be aware of the changes to the Virginia Consumer Data Protection Act. These updates require that covered businesses obtain parental consent before processing personal data belonging to children and limit the types of data that can be collected and used. Our data and privacy attorneys can assist you and your business develop privacy compliance programs and policies, review your current plans, and help manage risk to your business.
