Little Users, Big Protections: Colorado and Virginia pass laws focused on kids’ privacy
‘Don’t call me kid, don’t call me baby’ – unless you are a child residing in either Colorado or Virginia, where children will soon have increased privacy protections due to recent advances in youth privacy legislation. Virginia and Colorado both have broad-based privacy laws already in effect. During the 2024 state legislative sessions, both states amended those laws to add specific online privacy protections for kids’ data. In Virginia, HB 707/SB 361 passed the state legislature. It moved on to Governor Youngkin’s desk on March 8th, and after some procedural hurdles, it finally passed into law on May 17 as a modest approach for additional youth-tailored protections. In Colorado, SB 41 passed the legislature on May 14th with near-unanimous votes in both chambers, introducing a more expansive youth privacy framework than Virginia. SB 41 is expected to be signed into law by Governor Polis as passed by the Colorado legislature. Following Connecticut’s lead last year, these developments signal a growing trend toward states building off of existing privacy frameworks to strengthen protections for children’s data online.
Colorado
Although Colorado SB 41 is more expansive than what Virginia passed, the requirements in this law are familiar. SB 41 is almost an exact copy of the youth privacy amendment to Connecticut’s comprehensive privacy bill SB 3, which we covered in a blog post in 2023. As a result, there is a general compliance model for the requirements of this bill. However, it is still worth noting that there are some differences between Colorado SB 41 and Connecticut SB 3 which should be given special attention, especially where the impact of these differences remains to be seen.
What’s familiar about SB 41?
- The scope of SB 41 is nearly identical to SB 3.
As an amendment to a comprehensive state privacy law, SB 41 will work within the existing Colorado Privacy Act (“CPA”) to provide additional heightened protections for kids and teens up to 18. The compliance requirements of SB 41 rely on the existing definition of controller in the CPA. The obligations under both Colorado and Connecticut apply to controllers who offer any online service, product, or feature to consumers whom the controller has actual knowledge, or willfully disregards, are minors. Most importantly, the text of the bill makes clear that, while some child-focused provisions of Colorado and Connecticut’s laws only apply to controllers that meet specified revenue or user thresholds, the duty of care provisions apply to all controllers.
- Both states create a duty of care owed to minors.
SB 41 creates a duty to use reasonable care to avoid any heightened risk of harm to minors and creates additional risk assessment requirements for minors’ data. This duty to use reasonable care applies where the controller has actual knowledge or willfully disregards that a user is under 18 years of age. If controllers comply with the bill’s risk assessment requirements, there is a rebuttable presumption in any enforcement action brought by the State Attorney General that a controller used the reasonable care required to avoid heightened risk of harm to minors. Therefore, a strong incentive exists for controllers to conduct risk assessments, since doing so could potentially save controllers from enforcement in cases of unforeseeable harm to minors as a result of their online service, product, or feature.
- Both states have requirements that draw on the California AADC, with differences.
The substantive requirements under Colorado are nearly identical to those in Connecticut. Both SB 41 and SB 3 have restrictions on processing minors’ data similar to those originally seen in the enjoined California Age-Appropriate Design Code. For example, SB 41 limits controllers’ ability to profile, process geolocation data, or display targeted ads to a minor’s account without prior consent. However, unlike the California AADC, neither Colorado nor Connecticut requires a controller to estimate the age of users or assess harms related to content.
What’s different about SB 41?
- An additional harm must be considered in Colorado.
SB 41 goes a step further than Connecticut SB 3 in the categories that must be included in data protection impact assessments (“DPIAs”) and introduces a fourth type of harm that must be considered: the ‘heightened risk of harm’ for any “unauthorized disclosure of the personal data of minors as a result of a security breach.” It is unclear at this time what the magnitude of this impact will be on controllers’ compliance efforts, but it does indicate a strong interest in the security of minors’ data collected through online services, products, and features. Along with the addition of this fourth kind of harm, SB 41 includes three of the same harms that are also seen in SB 3’s “heightened risk of harm to minors” definition: (1) unfair, deceptive treatment or unlawful disparate impact on minors, (2) any financial, physical, or reputational injury to minors, and (3) any physical or other intrusion on the seclusion, solitude, or privacy of minors that would be offensive to the reasonable person. Aside from the general duty of care to avoid these types of harm to minors, under both Connecticut and Colorado, controllers must assess for these harms in DPIAs.
- No ‘unpublishing’ requirement.
SB 3 had a standalone section focused specifically on obligations for social media platforms. SB 41 lacks SB 3’s requirement that a controller ‘unpublish’ a minor’s social media account. All requirements in SB 41 apply generally to covered services.
Virginia
Compared to Colorado and Connecticut’s youth privacy amendments, Virginia passed a more modest set of requirements for controllers in the state. Despite this moderate approach, Virginia’s method of heightening child privacy protections online is still worth watching. The Governor’s proposed amendments, which the legislature ultimately rejected, would have been much more expansive, such as raising the age for needing parental consent up to 17. As indicated by the bill sponsors during floor hearings, the smaller step in what was passed is only a starting point for the state. Virginia lawmakers indicated an intent to continue building upon this foundation of privacy protections and raising the age threshold in the law, but first want to get something attainable “on the books… versus [being] stuck in court” with constitutional challenges.
Scope
Like Colorado SB 41, Virginia HB 707 would work within the state’s existing comprehensive privacy law, taking on the established controller definition. Unlike Colorado, small businesses are exempt from the Virginia Consumer Data Protection Act. HB 707 does not amend the scope or application threshold of the VCDPA to the child privacy provisions of the bill – the application of the child privacy provisions is the same as the application of the other privacy requirements in the VCDPA. The protections afforded under HB 707 apply to known children under 13.
Controller obligations
Unlike Colorado SB 41 and Connecticut SB 3, Virginia HB 707 does not create a duty of reasonable care. Instead, HB 707 simply limits the processing of minor data, establishes requirements for obtaining consent to process minor data, and expands DPIA requirements. The limits on processing and obtaining consent generally align with what is required by COPPA, though COPPA technically only applies to collecting rather than processing. While HB 707 creates marginally more specific DPIA requirements, the VCDPA already required controllers to conduct DPIAs for sensitive data, including the data of children under 13. Additionally, like Colorado and Connecticut, Virginia HB 707 places default limits on collecting a child’s precise geolocation and requires a signal to the child while this geolocation information is collected.
Conclusion
Despite seeing some variation in the approach to enacting youth-focused amendments to comprehensive privacy laws, starting with Connecticut’s SB 3 in 2023, a trend is developing among state legislators to continue building upon pre-established privacy frameworks. It is worth acknowledging that under state privacy laws, children and teens are part of the definition of “consumers” these laws are scoped to protect. Any broad-based state privacy law will naturally apply to residents of that state, both young and old. However, conceptually, it may be easier for lawmakers to envision what additional protections children and teens need once a baseline privacy framework is in place.
Although this is a new and noteworthy privacy development to watch moving forward, it is not the only approach lawmakers are taking to regulate youth online experiences. Another avenue during the 2024 session was the new Age-Appropriate Design Code framework (“AADC 2.0”). While the AADC 2.0 passed in Maryland and Vermont this year, there are several differences between these two states, as well as some uncertainties about how the AADC 2.0 will hold up to Constitutional scrutiny. Compare this with Connecticut and Colorado, which have nearly identical frameworks for youth protections. Over the last few years, several laws intended to address child privacy and safety online have passed in different states. Still, many, such as the California Age-Appropriate Design Code, have had their implementation delayed by courts over Constitutional challenges. Given that SB 3 will not come into force until October 2024, it may be too soon to call Connecticut and Colorado’s amendments a pattern. Still, there is potential for lawmakers to converge around this approach to protecting children online where it faces a lower risk of legal hurdles than alternative approaches.