Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Virginia: Bill for minors data protection introduced to Senate
On January 9, 2024, Senate Bill 361 to amend and reenact §§59.1-575 and 59.1-578 of the Code of Virginia by adding sections relating to the Consumer Data Protection Act; protections for children, was prefiled with the Virginia State Senate. In particular, the bill would, among other things, prohibit operators of websites, online services, or online or mobile applications from collecting or using the personal data of users they know are younger than the age of 18 years without consent and would also prohibit the sale or disclosure of the personal data of such users.
What is the scope of the bill?
More specifically, the bill defines 'operator' as any person that operates or provides a website, online service, or online or mobile application and that:
- collects or maintains, either directly or through another person, personal data from or about the users of such website, online service, or online or mobile application;
- integrates with another website, online service, or online or mobile application and directly collects personal data from the users of such other website, online service, or online or mobile application;
- allows another person to collect personal data directly from users of such website, online service, or online or mobile application; or
- allows users of such website, online service, or online or mobile application to publicly disclose personal data.
The bill defines other important terms, including, among others, 'covered user,' 'controller,' 'processor,', 'child,' 'targeted advertisement,' 'precise geolocation,' 'pseudonymous data,' and 'sale of personal data.'
Responsibilities
The bill also lays down certain responsibilities for controllers and processors stipulating that, among others:
an operator shall not process, or allow a third party to process, the personal data of a covered user collected through the use of a website, online service, or online or mobile application unless the covered user is 12 years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations or the covered user is 13 years of age or older and processing is strictly necessary or informed consent has been obtained;
an operator shall treat a user as a covered user if the user's device communicates that the user is or should be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism. An operator shall adhere to any clear and unambiguous communications from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to;
within 14 days of determining that a user is a covered user, an operator must:
- dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary under the bill, or informed consent is obtained; and
- notify any third parties to whom it disclosed the personal data and any third parties it allowed to process the personal data that the user is a covered user; and
a controller must not knowingly process the personal data of a child for purposes of targeted advertising, the sale of such personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
The bill further outlines certain transparency responsibilities of the controller and also provides a list of processing activities of a covered user's personal data which would be permitted when it is strictly necessary for the purposes provided in the bill.
You can read the bill here and track its progress here.
Update: February 5, 2024
Bill referred to the Senate General Laws and Technology Committee
On January 29, 2024, the bill was referred to the Senate General Laws and Technology Committee.
You can read the bill here and track its progress here.
Update: February 8, 2024
Bill approved by the Senate General Laws and Technology Committee
On February 7, 2024, the bill was approved by the Senate General Laws and Technology Committee with substitute.
You can read the bill here and track its progress here.
Update: February 12, 2024
Senate passes Bill
On February 9, 2024, the bill was read for the second time and on the same date was passed by the Senate.
You can read the bill here and track its progress here.
Update: February 15, 2024
Bill referred to House Committee on Communications, Technology, and Innovation
On February 15, 2024, the bill was read for the first time in the House and referred to the House Committee on Communications, Technology, and Innovation.
You can read the bill here and track its progress here.
Update: February 28, 2024
Bill approved by House Committee on Labor and Commerce
On February 27, 2024, the bill was approved by the House Committee on Labor and Commerce. The bill was referred from the House Committee on Communications, Technology, and Innovation on February 26, 2024.
You can read the bill here and track its progress here.
Update: March 4, 2024
Bill passes both houses
On March 1, 2024, the bill was read for the third time and passed by the House. The bill was passed by the Senate on February 9, 2024.
You can read the bill here and track its progress here.
Update: March 8, 2024
Bill signed by House Speaker and Senate President
On March 7, 2024, the bill was signed by the President of the Senate after it was signed by the Speaker of the House on March 6, 2024.
You can read the bill here and track its progress here.
Update: March 12, 2024
Bill sent to Governor for action
On March 11, 2024, the bill was enrolled and sent to the Governor of Virginia for action.
You can read the bill here and track its progress here.
Update: April 9, 2024
Governor submits amendments to the bill
On April 8, 2024, the Governor submitted amendments to the bill to the Senate. In particular, the Governor proposed 'an amendment in the form of a substitute' to the bill which would expand the scope of the bill to cover all minors under the age of 18.
You can read the substitute bill here, the bill here, and track its progress here.
Update: April 18, 2024
Senate rejects Governor's amendments to the bill
On April 17, 2024, the Senate rejected the Governor's amendments to the bill. On the same day, the bill was sent back to the Governor.
You can read the bill here and track its progress here.
Update: May 20, 2024
Governor approves bill
On May 17, 2024, the Governor approved the bill. The Act now takes effect on January 1, 2025.
You can read the Act here and view its legislative history here.