This year has been off to a busy start with respect to children’s and minors’ privacy legislation efforts. We wanted to take a moment to recap the latest developments across the board.

The most notable trend of the year thus far has been the widespread introduction of Age Appropriate Design Codes. Ten states have thus far introduced bills following California’s passage of legislation –  Connecticut, Illinois, Maryland, Minnesota, Nevada, New Jersey, New Mexico, New York, Oregon, and Texas. Among other things, these bills would impose requirements relating to data protection impact assessments, default privacy settings, age estimation, and profiling on online services, products, and features likely to be accessed by a child. Similarly, earlier this year the Virginia legislature considered a bill (now dormant) that would amend the Virginia Consumer Data Privacy Act and require all controllers and processors subject to the VCDPA to obtain verifiable parental consent prior to registering a child under eighteen on the service or collecting, using, or disclosing the personal data of a child under eighteen.

Another notable trend has involved efforts specific to social media usage. Utah has enacted legislation requiring social media companies to verify the age of all users to determine which are under eighteen, and confirm parental consent for those users. It also restricts by default access for users under eighteen years old between the hours of 10:30 PM and 6:30 AM, which parents can modify, and allows parents to review chat and other account history upon request. Similarly, a pending bill in Texas would require social media companies to verify that all users are over eighteen. That bill and another pending bill in West Virginia would extend the reach of the Children’s Online Privacy Protection Act, the federal children’s privacy legislation that currently applies to those under thirteen, to apply to those under eighteen. Utah also has enacted a law prohibiting a social media company from using any practice it “knows, or which by the exercise of reasonable care should know, causes a Utah minor account holder to have an addiction to the social media platform.” Similarly, California has pending legislation preventing social media platforms from taking actions that the platform “knows, or which by the exercise of reasonable care should have known” cause certain specified harms.

A number of developments have also taken place at the federal level, which are summarized in our recent post. Given recent activity and hearings on the Hill focused on child protection legislation, we might see federal activity on this topic in the near future.

There have also been important developments regarding children’s privacy outside the US. On February 16, the ICO published recommendations for game designers on how to comply with the UK AADC. The recommendations mainly focus on risk assessments, age verification, child well-being, profiling and targeted advertising, and “nudge” techniques. We also await the results of a public consultation held by the ICO regarding the impact of the AADC, which concluded in November. Lastly, we are also tracking the Irish DPC’s Fundamentals for a Child-Oriented Approach to Data Processing, which largely echoes the UK AADC in substance. 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to…

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Photo of Diana Lee Diana Lee

Diana Lee is an associate in the firm’s London office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory, enforcement, and litigation matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy…

Diana Lee is an associate in the firm’s London office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory, enforcement, and litigation matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy and cybersecurity. Before rejoining the firm, she clerked for Judge Victor A. Bolden, United States District Judge for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Photo of Madeline Salinas Madeline Salinas

Madeline Salinas counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in…

Madeline Salinas counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in designing cutting-edge products and services, developing privacy notices and consent forms, strategically engaging with state legislatures, and participating in rulemaking proceedings of state and federal agencies. In particular, Madeline has experience advising clients on compliance with laws implicating children’s privacy.

Madeline also partners with clients in developing content moderation policies and designing products and services that facilitate sharing of user-generated content, analyzing the evolving legal landscape and public policy considerations related to content moderation.

As part of her practice, Madeline represents clients in consumer protection enforcement actions brought by the Federal Trade Commission on topics related to data privacy and advertising.

Photo of Priya Leeds Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.