On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

The Bill creates new requirements for “operators,” defined as “any person that operates or provides a website, online service, or online or mobile application and that: (1) [c]ollects or maintains, either directly or through another person, personal data from or about the users of such website, online service, or online or mobile application; (2) [i]ntegrates with another website, online service, or online or mobile application and directly collects personal data from the users of such other website, online service, or online or mobile application; (3) [a]llows another person to collect personal data directly from users of such website, online service, or online or mobile application; or (4) [a]llows users of such website, online service, or online or mobile application to publicly disclose personal data.”

Under the Bill, operators would have obligations with respect to a “covered user,” which means “a user of a website, online service, or online or mobile application, or portion thereof, who is (i) actually known by the operator of a website, online service, or online or mobile application to be a minor or (ii) a user of a website, online service, or online or mobile application directed to minors.” The Bill defines “directed to minors” as “a website, online service, or online or mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominantly composed of minors and that is not intended for a more general audience composed of adults.”

An operator must treat a user as a covered user if the user’s device communicates that the user is or should be treated as a minor, including through a browser plug-in or privacy setting, device setting or other mechanism. An operator also must adhere to any clear and unambiguous communications from a covered user’s device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing to which the covered user consents or declines to consent.

Among other obligations, the Bill would:

• Prohibit an operator from processing, or allowing a third party to process, the personal data of a covered user collected through the use of a website, online service, or online or mobile application unless:
  • The covered user is 12 years of age or younger and processing is permitted under the Children’s Online Privacy Protection Act (“COPPA”); or
  • The covered user is 13 years of age or older and processing is strictly necessary or the operator has obtained informed consent from the covered user.
• Within 14 days of determining that a user is a covered user, require an operator to:
  • Dispose of, destroy or delete all personal data of the covered user that it maintains, unless processing the personal data is (1) permitted under COPPA, (2) strictly necessary, or (3) pursuant to informed consent; and
  • Notify any third parties to whom it disclosed the personal data and any third parties it allowed to process the personal data that the user is a covered user.
• Prohibit an operator from disclosing the personal data of a covered user to a third party, or allow the processing of the personal data of a covered user by a third party, without a written agreement containing certain specified provisions.
• Prohibit a controller from knowingly processing personal data of a child for purposes of (1) targeted advertising, (2) the sale of the personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

Where informed consent is required by the Bill, the consent must be obtained from the covered user either through a device communication or through a request. Requests for informed consent must:

• Be made separately from any other transaction or part of a transaction;
• Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user’s decision-making regarding authorization for the processing;
• Allow the covered user to provide or withhold consent separately for each type of processing, if requesting informed consent for multiple types of processing;
• State, clearly and conspicuously, that the processing is optional and that the covered user may decline without preventing continued use of the website, online service, or online or mobile application; and
• Present a clear option to refuse to provide consent.

Under the Bill, a covered user’s informed consent is revocable at any time by the covered user and must be as easy to revoke as it was to provide. An operator may not request informed consent for one calendar year if (1) a covered user revokes or declines to provide informed consent or (2) a covered user’s device communicates that the covered user declines to provide informed consent.

Virginia’s Governor has until April 8, 2024, to sign, amend, or veto the Bill before it becomes law by default.