Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Virginia: Bill for minors data protection introduced to Senate

On January 9, 2024, Senate Bill 361 to amend and reenact §§59.1-575 and 59.1-578 of the Code of Virginia by adding sections relating to the Consumer Data Protection Act; protections for children, was prefiled with the Virginia State Senate. In particular, the bill would, among other things, prohibit 'operators' of websites, online services, or online or mobile applications from collecting or using the personal data of users they know are younger than the age of 18 years without consent and would also prohibit the sale or disclosure of the personal data of such users.

What is the scope of the bill?

More specifically, the bill defines 'operator' as any person that operates or provides a website, online service, or online or mobile application and that:

  • collects or maintains, either directly or through another person, personal data from or about the users of such website, online service, or online or mobile application;
  • integrates with another website, online service, or online or mobile application and directly collects personal data from the users of such other website, online service, or online or mobile application;
  • allows another person to collect personal data directly from users of such website, online service, or online or mobile application; or
  • allows users of such website, online service, or online or mobile application to publicly disclose personal data.

The bill defines other important terms, including, among others, 'covered user,' 'controller,' 'processor,', 'child,' 'targeted advertisement,' 'precise geolocation,' 'pseudonymous data,' and 'sale of personal data.'

Responsibilities

The bill also lays down certain responsibilities for controllers and processors stipulating that, among others: 

  • an operator shall not process, or allow a third party to process, the personal data of a covered user collected through the use of a website, online service, or online or mobile application unless the covered user is 12 years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations or the covered user is 13 years of age or older and processing is strictly necessary or informed consent has been obtained; 

  • an operator shall treat a user as a covered user if the user's device communicates that the user is or should be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism. An operator shall adhere to any clear and unambiguous communications from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to;

  • within 14 days of determining that a user is a covered user, an operator must:

    • dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary under the bill, or informed consent is obtained; and
    • notify any third parties to whom it disclosed the personal data and any third parties it allowed to process the personal data that the user is a covered user; and
  • a controller must not knowingly process the personal data of a child for purposes of targeted advertising, the sale of such personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

The bill further outlines certain transparency responsibilities of the controller and also provides a list of processing activities of a covered user's personal data which would be permitted when it is strictly necessary for the purposes provided in the bill.

You can read the bill here and track its progress here.

Update: February 5, 2024

Bill referred to the Senate General Laws and Technology Committee

On January 29, 2024, the bill was referred to the Senate General Laws and Technology Committee.

You can read the bill here and track its progress here.

Update: February 8, 2024

Bill approved by the Senate General Laws and Technology Committee

On February 7, 2024, the bill was approved by the Senate General Laws and Technology Committee with substitute.

You can read the bill here and track its progress here.

Update: February 12, 2024

Senate passes Bill

On February 9, 2024, the bill was read for the second time and on the same date was passed by the Senate.

You can read the bill here and track its progress here.

Update: February 15, 2024

Bill referred to House Committee on Communications, Technology, and Innovation

On February 15, 2024, the bill was read for the first time in the House and referred to the House Committee on Communications, Technology, and Innovation.

You can read the bill here and track its progress here.

Feedback