On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.
The Bill creates new requirements for “operators,” defined as “any person that operates or provides a website, online service, or online or mobile application and that: (1) [c]ollects or maintains, either directly or through another person, personal data from or about the users of such website, online service, or online or mobile application; (2) [i]ntegrates with another website, online service, or online or mobile application and directly collects personal data from the users of such other website, online service, or online or mobile application; (3) [a]llows another person to collect personal data directly from users of such website, online service, or online or mobile application; or (4) [a]llows users of such website, online service, or online or mobile application to publicly disclose personal data.”
Under the Bill, operators would have obligations with respect to a “covered user,” which means “a user of a website, online service, or online or mobile application, or portion thereof, who is (i) actually known by the operator of a website, online service, or online or mobile application to be a minor or (ii) a user of a website, online service, or online or mobile application directed to minors.” The Bill defines “directed to minors” as “a website, online service, or online or mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominantly composed of minors and that is not intended for a more general audience composed of adults.”
An operator must treat a user as a covered user if the user’s device communicates that the user is or should be treated as a minor, including through a browser plug-in or privacy setting, device setting or other mechanism. An operator also must adhere to any clear and unambiguous communications from a covered user’s device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing to which the covered user consents or declines to consent.
Among other obligations, the Bill would:
- Prohibit an operator from processing, or allowing a third party to process, the personal data of a covered user collected through the use of a website, online service, or online or mobile application unless:
  - The covered user is 12 years of age or younger and processing is permitted under the Children’s Online Privacy Protection Act (“COPPA”); or
  - The covered user is 13 years of age or older and processing is strictly necessary or the operator has obtained informed consent from the covered user.
- Within 14 days of determining that a user is a covered user, require an operator to:
  - Dispose of, destroy or delete all personal data of the covered user that it maintains, unless processing the personal data is (1) permitted under COPPA, (2) strictly necessary, or (3) pursuant to informed consent; and
  - Notify any third parties to whom it disclosed the personal data and any third parties it allowed to process the personal data that the user is a covered user.
- Prohibit an operator from disclosing the personal data of a covered user to a third party, or allowing the processing of the personal data of a covered user by a third party, without a written agreement containing certain specified provisions.
- Prohibit a controller from knowingly processing personal data of a child for purposes of (1) targeted advertising, (2) the sale of the personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
Where informed consent is required by the Bill, the consent must be obtained from the covered user either through a device communication or through a request. Requests for informed consent must:
- Be made separately from any other transaction or part of a transaction;
- Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user’s decision-making regarding authorization for the processing;
- Allow the covered user to provide or withhold consent separately for each type of processing, if requesting informed consent for multiple types of processing;
- State, clearly and conspicuously, that the processing is optional and that the covered user may decline without preventing continued use of the website, online service, or online or mobile application; and
- Present a clear option to refuse to provide consent.
Under the Bill, a covered user’s informed consent is revocable at any time by the covered user and must be as easy to revoke as it was to provide. An operator may not request informed consent for one calendar year if (1) a covered user revokes or declines to provide informed consent or (2) a covered user’s device communicates that the covered user declines to provide informed consent.
Virginia’s Governor has until April 8, 2024, to sign, amend, or veto the Bill before it becomes law by default.