Existing law

Under the CDPA, both personal data about a known child and precise geolocation are included in the definition of 'sensitive data.' Controllers are not allowed to process sensitive data about a known child without the consent of the child's parent or guardian - technically, the requirement is to process the data 'in accordance with the federal Children's Online Privacy Protection Act' (COPPA), the primary component of which is consent of the child's parent or legal guardian. Controllers are also required to conduct a Data Protection Assessment, equivalent to a Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA), for all processing of sensitive data. Finally, controllers must adhere to data minimization and purpose limitation principles, although there is no time limit on storing or otherwise processing personal data.

Limitations on processing children's personal data

The new legislation lays out restrictions that would apply in addition to parental consent. According to §59.1-578(F)(1) of the bill, controllers shall not process any personal data collected from a 'known child' for the purposes of:

• targeted advertising;
• the sale of such personal data; or
• profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, unless such processing is reasonably necessary to provide an online service, product, or feature.

Data minimization and purpose limitation principles continue to apply, and a storage limitation principle is added (controllers may not process personal data collected from a known child 'for longer than is reasonably necessary to provide the online service, product, or feature').

An additional restriction, described in §59.1-578(F)(2) of the bill, applies to precise geolocation. Controllers are prohibited from collecting this data from a known child unless they provide the child with a signal indicating that the controller is collecting precise geolocation data. This signal must persist through the entire duration of data collection.

Data Protection Assessment obligations

In addition to limits placed on the processing of children's data, the legislation would require controllers 'offering an online service, product, or feature directed to consumers whom such controller has actual knowledge are children' to address the following in the relevant Data Protection Assessment:

• the purpose of such online service, product, or feature;
• the categories of known children's personal data that such online service, product, or feature processes; and
• the purposes for which such controller processes known children's personal data with respect to such online service, product, or feature.

These points might have come up naturally in the assessment, but the new legislation would make it clear that they are required.

Bill remains under consideration

As of the date of this article, the legislation remains under consideration and has yet to be signed by Virginia Governor Glenn Youngkin. For context, the General Assembly sent the legislation to Governor Youngkin on March 11, 2024. On April 8, 2024, Governor Youngkin submitted 'an amendment in the form of a substitute' to the legislation. The substitute language sought to expand the scope of the bill to cover all minors under the age of 18. However, on April 17, 2024, the General Assembly rejected Governor Youngkin's recommendation and, as a result, the original version of the legislation returned to Governor Youngkin to be signed into law or vetoed.

Effective date

If signed into law, the children's privacy protections would enter into effect on January 1, 2025.

Children's data privacy in the spotlight

The issue of protecting children's personal data has garnered attention both at the state and federal levels. Virginia is one of many states where lawmakers have been focusing on children's data privacy legislation. In fact, nearly a dozen other states, including Virginia neighbors Maryland and West Virginia, are considering bills that would regulate the processing of children's personal data.

In addition to multiple state legislative proposals, the U.S. Federal Trade Commission (FTC) recently proposed changes to the Children's Online Privacy Protection Rule (the COPPA Rule). The FTC last made changes to the COPPA Rule in 2013. In December 2023, the FTC proposed new revisions aimed at clarifying and streamlining the COPPA Rule. In addition, the new proposals would address advancements in technology and strengthen regulatory protections for children's personal information. The public comment period for the proposed changes to the COPPA Rule closed on March 11, 2024, which means there is a possibility of the FTC updating and finalizing revisions to the COPPA Rule at some point in 2024 or early 2025.

Beth Burgin Waller Principal
[email protected]
Patrick Austin Of Counsel
[email protected]
John Pilch Cybersecurity/Privacy Analyst
[email protected]
Woods Rogers PLC, Richmond