Protecting Children's Data: Virginia Passes Amendment to CDPA

On March 4, 2024, the Virginia state Senate passed HB 707, a move towards protecting children’s data. In passing this House Bill, Virginia’s consumer protection law, the Virginia Consumer Data Protection Act, known also as CDPA or VCDPA, suffers a series of changes in the form of new requirements regarding the way children’s data is processed in specific circumstances, the way geolocation data is used, and the way DPAs (data protection assessments) are conducted. The Bill stands out by prohibiting operators of websites, online services, or online mobile applications from collecting or using the personal data of data subjects that they know are younger than 18 years old without the consent of a parent or legal guardian and also prohibits the sale or disclosure of the personal data of data subjects known to be children.

HB 707 - Bill Summary

The bill aims to limit the ways in which the personal data of children can be collected and processed, by mandating that unless they obtain consent from a child’s parent or legal guardian, controllers are forbidden from processing 

any personal data collected from a known child:  For the purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; Unless such processing is reasonably necessary to provide the online service, product, or feature; For any processing purpose other than the processing purpose that the controller disclosed at the time such controller collected such personal data or that is reasonably necessary for and compatible with such disclosed purpose; or For longer than is reasonably necessary to provide the online service, product, or feature.

In addition to this, geolocation data is also restricted in that

no controller shall collect precise geolocation data from a known child unless (i) such precise geolocation data is reasonably necessary for the controller to provide an online service, product, or feature and, if such data is necessary to provide such online service, product, or feature, such controller shall only collect such data for the time necessary to provide such online service, product, or feature and (ii) the controller provides to the known child a signal indicating that such controller is collecting such precise geolocation data, which signal shall be available to such known child for the entire duration of such collection.

Finally, as regards data protection assessments, the Bill mandates that 

each controller that offers any online service, product, or feature directed to consumers whom such controller has actual knowledge are children shall conduct a data protection assessment for such online service, product, or feature that addresses (i) the purpose of such online service, product, or feature; (ii) the categories of known children's personal data that such online service, product, or feature processes; and (iii) the purposes for which such controller processes known children's personal data with respect to such online service, product, or feature.

Same as before, the enforcing authority is the Attorney General, and the effective date of the new provisions is January 1, 2025. 

The key takeaway is that as of January 1, 2025, controllers will have to follow additional requirements regarding the collection and processing of personal data with a special focus on children’s personal data. 

• Processing of personal data of children for targeted advertising, sale of personal data, or profiling in contexts that could have significant legal or similar impacts on the child will no longer be possible without the consent of a parent or legal guardian.
• Geolocation data can no longer be collected unless the child is informed of this and there is a signal about this collection throughout the entire duration of the collection that is made available to the child in question.
• Data controllers that offer online services, products, or features known to be used by children must conduct data protection assessments that are focused on the personal data of children that is being collected and processed. The DPAs have to address the purpose of the service or product being offered to children, the types of personal data of children being processed, and the reasons for the personal data processing.

By setting strict limitations on the collection and use of personal data, requiring informed consent, and introducing mandatory data protection assessments, HB 707 places the privacy and security of children first, setting a precedent for other US states to potentially follow.