This year has been off to a busy start with respect to children’s and minors’ privacy legislation efforts. We wanted to take a moment to recap the latest developments across the board.

The most notable trend of the year thus far has been the widespread introduction of Age Appropriate Design Codes. Ten states have thus far introduced bills following California’s passage of legislation –  Connecticut, Illinois, Maryland, Minnesota, Nevada, New Jersey, New Mexico, New York, Oregon, and Texas. Among other things, these bills would impose requirements relating to data protection impact assessments, default privacy settings, age estimation, and profiling on online services, products, and features likely to be accessed by a child. Similarly, earlier this year the Virginia legislature considered a bill (now dormant) that would amend the Virginia Consumer Data Privacy Act and require all controllers and processors subject to the VCDPA to obtain verifiable parental consent prior to registering a child under eighteen on the service or collecting, using, or disclosing the personal data of a child under eighteen.

Another notable trend has involved efforts specific to social media usage. Utah has enacted legislation requiring social media companies to verify the age of all users to determine which are under eighteen, and confirm parental consent for those users. It also restricts by default access for users under eighteen years old between the hours of 10:30 PM and 6:30 AM, which parents can modify, and allows parents to review chat and other account history upon request. Similarly, a pending bill in Texas would require social media companies to verify that all users are over eighteen. That bill and another pending bill in West Virginia would extend the reach of the Children’s Online Privacy Protection Act, the federal children’s privacy legislation that currently applies to those under thirteen, to apply to those under eighteen. Utah also has enacted a law prohibiting a social media company from using any practice it “knows, or which by the exercise of reasonable care should know, causes a Utah minor account holder to have an addiction to the social media platform.” Similarly, California has pending legislation preventing social media platforms from taking actions that the platform “knows, or which by the exercise of reasonable care should have known” cause certain specified harms.

A number of developments have also taken place at the federal level, which are summarized in our recent post. Given recent activity and hearings on the Hill focused on child protection legislation, we might see federal activity on this topic in the near future.

There have also been important developments regarding children’s privacy outside the US. On February 16, the ICO published recommendations for game designers on how to comply with the UK AADC. The recommendations mainly focus on risk assessments, age verification, child well-being, profiling and targeted advertising, and “nudge” techniques. We also await the results of a public consultation held by the ICO regarding the impact of the AADC, which concluded in November. Lastly, we are also tracking the Irish DPC’s Fundamentals for a Child-Oriented Approach to Data Processing, which largely echoes the UK AADC in substance. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to…

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Diana Lee Diana Lee

Diana Lee is an associate in the firm’s London office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory, enforcement, and litigation matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy…

Diana Lee is an associate in the firm’s London office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory, enforcement, and litigation matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy and cybersecurity. Before rejoining the firm, she clerked for Judge Victor A. Bolden, United States District Judge for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Photo of Madeline Salinas Madeline Salinas

Madeline Salinas counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in…

Madeline Salinas counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in designing cutting-edge products and services, developing privacy notices and consent forms, strategically engaging with state legislatures, and participating in rulemaking proceedings of state and federal agencies. In particular, Madeline has experience advising clients on compliance with laws implicating children’s privacy.

Madeline also partners with clients in developing content moderation policies and designing products and services that facilitate sharing of user-generated content, analyzing the evolving legal landscape and public policy considerations related to content moderation.

As part of her practice, Madeline represents clients in consumer protection enforcement actions brought by the Federal Trade Commission on topics related to data privacy and advertising.

Photo of Priya Leeds Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.