How Can Businesses Comply With Virginia’s Proposal To Protect Children’s Data? The Bill Doesn’t Say.

A new proposal before the Virginia Legislature aims to protect the personal data of the state’s children, but it doesn’t say how online platforms should do that.

H.B. 1688 would amend Virginia’s existing data privacy regulations to prohibit covered entities from registering minors for products or services without first obtaining “verifiable parental consent.” Once the minor is “verified,” his parents must give consent before his data is “collect[ed], us[ed], or disclos[ed].” The bill would also ban data controllers from knowingly processing minors’ personal data for the purpose of targeted advertising, selling their data, or profiling underage users “in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” In addition, it would redefine “child” from anyone 13 or younger to anyone 18 or younger.

H.B. 1688 does not, however, say how a business can or should determine the age of potential registrants. Since children can easily skirt nonintrusive verification techniques—e.g., “check the box if you’re over 18″—businesses could seek to dodge liability by instituting invasive age checks, which often raise serious privacy concerns. 

“Requiring material such as a user’s credit card or driver’s license…creates privacy issues and new opportunities for data leaks. They also make it hard for users to browse anonymously. What’s more, enterprising children will be able to find ways to defeat all but the most intrusive verification processes,” according to The Wall Street Journal.

“If you have to do special protections ‘for the children,’ you’re almost certainly leading to kids being put at even greater risk, because the whole framework forc