This year has been off to a busy start with respect to children’s and minors’ privacy legislation efforts. We wanted to take a moment to recap the latest developments across the board.
The most notable trend of the year thus far has been the widespread introduction of Age Appropriate Design Codes. Ten states have thus far introduced bills following California’s passage of legislation – Connecticut, Illinois, Maryland, Minnesota, Nevada, New Jersey, New Mexico, New York, Oregon, and Texas. Among other things, these bills would impose requirements relating to data protection impact assessments, default privacy settings, age estimation, and profiling on online services, products, and features likely to be accessed by a child. Similarly, earlier this year the Virginia legislature considered a bill (now dormant) that would amend the Virginia Consumer Data Privacy Act and require all controllers and processors subject to the VCDPA to obtain verifiable parental consent prior to registering a child under eighteen on the service or collecting, using, or disclosing the personal data of a child under eighteen.
Another notable trend has involved efforts specific to social media usage. Utah has enacted legislation requiring social media companies to verify the age of all users to determine which are under eighteen, and confirm parental consent for those users. It also restricts by default access for users under eighteen years old between the hours of 10:30 PM and 6:30 AM, which parents can modify, and allows parents to review chat and other account history upon request. Similarly, a pending bill in Texas would require social media companies to verify that all users are over eighteen. That bill and another pending bill in West Virginia would extend the reach of the Children’s Online Privacy Protection Act, the federal children’s privacy legislation that currently applies to those under thirteen, to apply to those under eighteen. Utah also has enacted a law prohibiting a social media company from using any practice it “knows, or which by the exercise of reasonable care should know, causes a Utah minor account holder to have an addiction to the social media platform.” Similarly, California has pending legislation preventing social media platforms from taking actions that the platform “knows, or which by the exercise of reasonable care should have known” cause certain specified harms.
A number of developments have also taken place at the federal level, which are summarized in our recent post. Given recent activity and hearings on the Hill focused on child protection legislation, we might see federal activity on this topic in the near future.
There have also been important developments regarding children’s privacy outside the US. On February 16, the ICO published recommendations for game designers on how to comply with the UK AADC. The recommendations mainly focus on risk assessments, age verification, child well-being, profiling and targeted advertising, and “nudge” techniques. We also await the results of a public consultation held by the ICO regarding the impact of the AADC, which concluded in November. Lastly, we are also tracking the Irish DPC’s Fundamentals for a Child-Oriented Approach to Data Processing, which largely echoes the UK AADC in substance.