How Can Businesses Comply With Virginia's Proposal To Protect Children's Data? The Bill Doesn't Say.

A new proposal before the Virginia Legislature aims to protect the personal data of the state's children, but it doesn't say how online platforms should do that.

H.B. 1688 would amend Virginia's existing data privacy regulations to prohibit covered entities from registering minors for products or services without first obtaining "verifiable parental consent." Once the minor is "verified," his parents must give consent before his data is "collect[ed], us[ed], or disclos[ed]." The bill would also ban data controllers from knowingly processing minors' personal data for the purpose of targeted advertising, selling their data, or profiling underage users "in furtherance of decisions that produce legal or similarly significant effects concerning a consumer." In addition, it would redefine "child" from anyone 13 or younger to anyone 18 or younger.

H.B. 1688 does not, however, say how a business can or should determine the age of potential registrants. Since children can easily skirt nonintrusive verification techniques—e.g., "check the box if you're over 18"—businesses could seek to dodge liability by instituting invasive age checks, which often raise serious privacy concerns. 

"Requiring material such as a user's credit card or driver's license…creates privacy issues and new opportunities for data leaks. They also make it hard for users to browse anonymously. What's more, enterprising children will be able to find ways to defeat all but the most intrusive verification processes," according to The Wall Street Journal.

"If you have to do special protections 'for the children,' you're almost certainly leading to kids being put at even greater risk, because the whole framework forces websites to do age verification, which is a highly intrusive, privacy-diminishing effort that actually is harmful to children in and of itself," Mike Masnick of Techdirt wrote Wednesday.

Virginia's current statute, the Consumer Data Protection Act (CDPA), requires that data gatherers comply with the federal Children Online Privacy Protection Act (COPPA), which, like the CDPA, applies only to children under age 13. Moreover, COPPA regulations delineate how businesses are expected to determine the age of users.

As various states consider and enact measures to protect children's privacy, universal online age verification becomes ever more likely, at least in many jurisdictions.

California's Age-Appropriate Design Code (AADC) requires any online service "likely to be accessed by children" (i.e., almost any online service) to "estimate the age of child users with a reasonable level of certainty." The law further imposes a raft of regulatory burdens on web services' interactions with children. These burdens are so extensive—encompassing data management, default setting configuration, algorithmic behavior, and more—that without universal age verification protocols, online services will almost surely face legal problems.

In Minnesota, state legislators nearly passed a bill last year that would have barred many online platforms from recommending user-generated content to minors. The bill would have held platforms liable if they "knew or had reason to know" they were targeting content to a minor. Like the AADC, this clause would necessitate universal age verification on covered web platforms.

H.B. 1688's silence on the issue of age verification would leave businesses guessing. Ultimately, the bill would likely give judges and law enforcement officers the power to determine precisely what conduct violates its provisions, possibly on a case-by-case basis. Such regulatory ambiguity incentivizes businesses to build their policies to ensure compliance, not consumer well-being.