State Legislatures Tackle Children’s Online Privacy, Continue to Introduce Comprehensive Consumer Privacy Bills

As the FTC signals an intention of cracking down on children’s privacy, and as several comprehensive consumer privacy laws take effect in 2023 (with more on the way in legislatures across the country), some states have chosen to tackle children’s privacy more specifically at the state level. So far, only California’s has been enacted; most of the others have either been introduced or referred to committee.

In addition, as further detailed below, several state legislatures continue to introduce comprehensive consumer privacy laws similar to the ones passed in California, Colorado, Utah, and Virginia.

  • Texas (HB 896). This bill would appear to prohibit companies from knowingly allowing anyone under 18 years of age to use a social media platform, and to require a mechanism for parents to request removal of accounts. The bill was introduced on December 7, 2022, but has not yet seen further movement.
  • California (AB 2273). Beginning on July 1, 2024, the California Age-Appropriate Design Code Act, which was signed by the Governor and enacted on September 15, 2022, will require businesses that provide an online service, product or feature likely to be accessed by children to comply with specified requirements including strict default privacy settings (absent a compelling reason), clear communication of privacy information, and preemptive data protection impact assessments prior to introducing any new such online services, products, or features. Such assessments must be made available to the Attorney General within 5 business days. The bill creates the Children’s Data Protection Working Group to report to the legislature on best practices. For violations, the Attorney General may seek injunctive relief or civil penalties of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation.
  • New Jersey (A4919/S3493). Similar to California’s law, these two identical companion bills would require a social media platform business, before offering a new online service, product, or feature likely to be accessed by children, to: (a) complete a data protection impact assessment (to be provided to the Attorney General upon request within 3 business days); (b) document any risk of material detriment to children arising from the data management practices of the social media platform identified in the assessment and create a mitigation plan; (c) estimate the appropriate age for use of the service, product or feature based on the risks; (d) configure default privacy settings to a high level of privacy (absent a compelling reason); (e) provide clear and prominent privacy information suited to the age of the children likely to have access; (f) if the service, product or feature allows the child’s parent, guardian or any other consumer to monitor the child’s online activity or track their location, provide an obvious signal to the child when the child is being monitored or tracked; (g) enforce published terms, policies and community standards established by the platform, including privacy policies and those concerning children; and (h) provide prominent, accessible, and responsible tools to help children, or their parents / guardians, to exercise privacy rights and report concerns. The bill also creates the New Jersey Children’s Data Protection Commission to take input from stakeholders and make recommendations regarding best practices to the legislature. Enforcement by the Attorney General shall include injunctive relief as well as penalties of not more than $2,500 per child for negligent violations and $7,500 per child for intentional violations. A4919 was introduced on December 5, 2022 and referred to committee. S3493 was introduced in the Senate and referred to committee on January 19, 2023.
  • Oregon (SB 196). Oregon introduces a bill similar to the ones in California and New Jersey, including the requirement of data protection impact assessments, identification and mitigation of risks, authorization of the Attorney General to seek injunctive relief and civil penalties, and the establishment of a task force on age-appropriate design to study effects on children and mitigation methods. The bill’s requirements and restrictions would become operative on July 1, 2024, and the task force would sunset on January 2, 2025. In this bill, the assessment would be due within 3 business days upon request from the Attorney General. In addition to injunctive relief and civil penalties, the Attorney General would also be able to recover attorneys’ fees and other enforcement costs and disbursements. SB 196 was introduced on January 9 and referred to the Senate judiciary committee on January 13, 2023.
  • Virginia (HB 1688/SB 1026). These two companion bills would amend the recently enacted Consumer Data Protection Act to add a section that would require an operator to obtain verifiable parental consent prior to registering a child with the operator’s product or service or before collecting, using, or disclosing such child’s personal data that has been verified by such parent or guardian. (An “operator” is defined as any natural or legal entity that conducts business or produces products or services targeted to consumers and that collects or maintains personal data from or about such consumers.) The operator shall give the parent/guardian the option to consent to the collection and use of the child’s personal data without consenting to the disclosure of such data to third parties. Verifiable parental consent may be obtained by: (a) providing a signed consent form; (b) using a credit/debit card or other online payment system that provides notification of any transaction with the operator to the primary account holder; or (c) providing a form of government-issued identification to the operator. In addition, a controller shall not knowingly process personal data of a child for purposes of: (i) targeted advertising; (ii) the sale of such personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. SB 1026 was prefiled and referred to the Committee on General Laws and Technology on January 7, 2023. It passed through the committee on January 25, 2023 on a 9 to 6 vote. HB 1688 was prefiled and referred to the Committee on Communications, Technology and Innovation on January 9, 2023.
  • West Virginia (HB2460). This bill would make it unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the restrictions in the bill. The bill requires the Attorney General to propose rules no later than March 1, 2023 that would require such an operator to: (i) provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) obtain verifiable parental consent for the collection, use, or disclosure of personal information from children. It would require the operator to provide, upon parental request, a description of the specific types of personal information collected from the child and the opportunity at any time to refuse to permit further use or maintenance, or future collection, of personal information from that child. The operator must provide reasonable means for the parent to obtain any collected information. The operator must not condition a child’s participation in a game, offering of a prize, or another activity on disclosing more personal information than is reasonably necessary to participate in such activity. And the operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

The bill also lays out certain enumerated circumstances where parental consent is not required, such as one-time responses to requests from the parent or child, to obtain parental consent, for the protection of the child or where necessary for security or legal reasons, and where such information is not maintained in retrievable form afterwards. The bill would be enforced by the Attorney General, whose powers would be consistent with the West Virginia Consumer Credit and Protection Act, which authorizes injunctive relief as well as civil penalties, up to $5,000 for each violation in the event of repeated and willful violations. This bill was introduced and referred to the Judiciary Committee on January 11, 2023.

Comprehensive State Consumer Privacy Bills:

  • Indiana (SB 5).  This bill, similar to the ones enacted last year in CO, VA, UT, and CT, which introduced comprehensive consumer privacy rights, advanced out of the Indiana Senate Committee on Commerce and Technology on an 11-0 vote on January 19, 2023.  The committee added an amendment to add a sunset on the right to cure in 2028.   The bill would be effective January 1, 2026.   
  • Mississippi (SB 2080).  This bill, introduced on January 9, 2023, is identical to the bill introduced in the 2022 session, and attempts to create the same types of rights created in the other state bills, including the right to access, delete, and opt out of sales. (“Sales” is undefined in the introduced version, as is “consumer”.)  It also includes an opt-in provision for minors (under 16), a notice/transparency requirement, and a prohibition on discrimination for opt out. There is a limited right of private action for both statutory and actual damages, with a right to cure period and other limitations for individuals seeking statutory damages.  It also includes AG authority to bring civil penalties of up to $7,500 for each violation.  The bill would take effect on July 1, 2024.
  • New Hampshire (SB255). This bill was introduced on January 19, and referred to the judiciary committee. This is a comprehensive consumer privacy bill much like those enacted last year in CO, VA, UT, and CT. Unlike several of those state laws, however, this bill carries no exemption for B2B personal information. (California’s B2B exemption expired effective 1/1/2023; the other laws define “consumer” as limited to their individual and household context, thus exempting B2B information.) It also contains no right to cure.
  • Washington (HB1616). This bill was reintroduced and referred to the Civil Rights and Judiciary Committee on January 26, 2023. Entitled the “People’s Privacy Act”, the bill offers an opt-in model similar to Brazil’s General Data Protection Law (“LGPD”), which in turn is closely aligned with Europe’s GDPR. Importantly, this bill includes a private right of action. Entities covered by the bill would include non-governmental entities conducting business in the state which process captured personal information and (a) have earned or received $10M or more of annual revenue through 300 or more transactions or (b) process or maintain the captured personal information of 1,000 or more unique individuals during the course of a calendar year. “Conducting business in Washington” means producing, soliciting or offering for use or sale any information, product or service in a manner that intentionally targets Washington residents or may reasonably be expected to contact Washington residents, whether or not such business is for-profit or nonprofit.

Covered entities must make both a long-form and short-form privacy policy “persistently and conspicuously available” at or prior to the point of sale of a product or service. For continuing interactions, opt-in consent must be renewed not less than annually, or it will be deemed withdrawn. The state department of commerce must adopt regulations within six months of enactment. It also calls for the development of a standard of care for the security of captured personal information. The bill also contains individual rights similar to the others (right to know, access, correct, delete, and refuse consent for processing not essential to the primary transaction, as well as portability), and covered entities must comply with such requests not later than 30 days after receiving a verifiable request.