If there’s one thing politicians can agree on right now, it’s that children’s data privacy is a top priority. From the FTC’s ongoing revision of COPPA rules to California’s Age-Appropriate Design Code Act, lawmakers are paying a lot of attention to how tech companies are collecting, using, and sharing kids’ personal information.

Accordingly, the Virginia General Assembly recently passed amendments to the Consumer Data Protection Act (VCDPA) that significantly strengthen privacy protections for state residents under the age of 13.

What Are the New Rules?

The state legislature passed two identical bills regarding children’s data: SB 361 and HB 707. Here are the major components of the new rules. Bear in mind, these requirements are in addition to obtaining consent for any processing of children's data.

• Businesses may not process children’s personal data:
  • Unless the processing is necessary to provide an online service, product, or feature;
  • For any purpose other than what was disclosed to the consumer, or another purpose that is reasonably necessary for and compatible with that purpose; OR
  • For longer than is necessary to provide an online service, product, or feature
• Businesses may not process children's data for purposes of targeted advertising, selling the data, or profiling in furtherance of decisions that produce legal or similarly significant effects;
• Businesses may not process the precise geolocation of children unless:
  • It is necessary to provide an online service, product, or feature; AND
  • The business provides a signal to alert the child that it is tracking their location
• A data protection assessment is required for any online service, product, or feature that is directed to known children.

The effective date for new provisions is January 1, 2025.

‍