Data Privacy for Minors (S.69 / Act 63) - Overview & Analysis

The Vermont Age-Appropriate Design Code Act establishes regulations for online services and products that are likely to be accessed by minors. It emphasizes the protection of minors' data and outlines the responsibilities of businesses in handling this information.

The Summary:

The Vermont Age-Appropriate Design Code Act, introduced as bill S.69, establishes regulations for online services and products that are likely to be accessed by minors. It includes definitions for key terms such as "covered business," which refers to entities operating in Vermont that generate revenue from online services for minors, and "personal data," which pertains to information linked to identifiable individuals. The bill emphasizes the protection of minors' data and outlines the responsibilities of businesses in handling this information, including the implementation of age assurance methods to verify user age and restrict access to certain features based on age.

Furthermore, the legislation mandates that covered businesses adhere to a minimum duty of care towards minors, ensuring their online experiences do not lead to emotional distress or compulsive use. It establishes requirements for default privacy settings that prioritize high levels of privacy for minors, including limitations on visibility and interactions with adult users. The bill also imposes transparency obligations on businesses regarding their privacy practices and prohibits certain data collection practices, such as gathering unnecessary personal data from minors. The Attorney General is empowered to enforce these provisions, with the act set to take effect on July 1, 2026, aiming to safeguard the rights and freedoms of minors in the digital landscape.

The Details:

• The first 12 (out of 23) pages of the bill define the terms used such as "social media platform," "compulsive use," and "covered minor." 
  
  
• Covered Businesses
  • Any sole proprietorship, partnership, LLC, corporation, association, or other legal entity that meets the follow criteria:
    • Conducts business in the State
    • Generates a majority of its annual revenue from online services that are "reasonably likely" to be accessed by a minor
    • Collects consumers' personal data
    • Determines the purposes and means of the processing of consumers personal data
  • The bill also defines a data "processor," which is anyone who processes personal data on behalf of a covered business as defined above.
    
    
• Minimum Duty of Care requirements for minors
  • Requires covered businesses to avoid causing emotional distress, compulsive use, or discrimination against minors through data processing or service design.
    
    
    
• Prohibitions: A business may not...
  • Collect, share, or retain any data on a minor that is not strictly necessary to provide an online product or service.
  • Use an previously collected personal data on a minor for any purpose other that the one it was originally intended for.
  • Permit any customer (including a parent) to monitor the online activity of a minor or track their location without a "conspicuous signal" that they are doing so.
  • Use the personal data of a covered minor to select, recommend, or prioritize media for that user.
  • Send push notifications to a minor between midnight and 6am.
    
    
• Required Privacy Settings
  • By default, any online product or service must be set to the highest level of privacy (unless expressly consented to), including:
    • Hiding the existence of a minor's social media accounts
    • Hiding media created or posted to a social media platform by a minor
    • Disabling direct messaging on a social media platform between a minor and adult user
    • Hiding a minor's location to other users
    • Hiding users who a minor is connected with on a social media platform
    • Disabling search engine indexing of a minors account profile
    • Disabling push notifications
  • A minor may not be provided with a single setting to relax all privacy settings. Each requirement must be configured individually.
  • Minors must have the ability to request their account be unpublished or deleted within 15 days.
    
    
• Disclosure Requirements
  • Businesses must prominently and clearly display (via website or app) their:
    • Privacy and terms of service policies along with their community standards.
  • Detailed descriptions of each algorithmic recommendation system.
  • Detailed descriptions for each and every feature that uses the data of minors, including what data is collected, what it's used for, and how long it is stored.
    
    
• Rulemaking & Enforcement
  • The Attorney General (AG) may adopt rules, adding further detail to the provisions above, with the intent of preventing data processing or design practices that (in the AG's opinion) lead to compulsive use or impair user autonomy during the use of an online product or service.
  • On or before July 1, 2027, the AG is directed to adopt rules to identify commercially reasonable and technically feasible methods for businesses to determine if a user is a minor. Included in these rules will be a process for a user to appeal their age designation. The AG is direct to:
    • Prioritize user privacy and accessibility over the accuracy of age assurance methods.
    • Consider the size and capabilities of a business required to comply with this provisions.
    • The cost effectiveness of age assurance methods and their impact on user experience.
  • The AG will have the authority to bring civil actions against a business in violation of the provisions above.
    
    
•  Exemptions:
  • Government entities
  • Any health information protected by HIPAA
  • Public health research
  • News outlets
  • Financial institutions
  • Data Processors are exempt from most of these requirements, except that they may only collect personal data of a user that is strictly necessary for age assurance purposes.

Analysis:

This bill reads like its intent is to give the Attorney General ammunition to bring suits against social media companies (it also opens Vermont up to lawsuits from those same companies), but it is not limited to them. Any business who offers online services that could be accessed by a minor would be subject to the provisions of this bill; that is a pretty wide net. It is difficult to assess what the implications of this are, but everyone from a small game developer in Burlington to silicon valley giant could be subject to it.

There are some important protections in this bill, particularly the online visibility of minors to strangers. This offers protection from online predators. Unfortunately the language also goes far enough to block parents, guardians, and other trusted adults from seeing minor's online activity. This may have the opposite effect, opening minors up to cyber bullying and online predation.

The disclosure requirements for businesses may be onerous, particularly for small businesses, and the detailed descriptions of algorithms may reveal trade secrets that impact such businesses' competitiveness. This is particularly concerning for startups who are trying to compete with more established online businesses. Their proprietary code is often their sole advantage.

Tech companies and social media platforms may need to verify a user’s age to comply with the bill's "age assurance" methods, which might lead to further collection of sensitive data (including biometric data) in order to verify whether a child is using their product or service. This data could be requested regardless of whether or not it is relevant to the product or service being provided. Alternatively, they could apply the privacy and data protections to all users regardless of age.

Much like S.71 (which we also analyzed), data privacy protections seem like they should be put in place the federal level the way that Canada has done. Europe even structured theirs at the EU level with GDPR. This ensures a uniform regulatory environment for businesses where compliance requirements don't vary from one state to another. This approach would benefit our local businesses as well as startups across the country who wouldn't have to build-in compliance with 50 different regulatory schemes.

This legislation is modeled after the California Age-Appropriate Design Code Act (CAADCA), which has been blocked by federal courts since September 2023. The judge that issued the injunction found that the lawsuit brought by NetChoice (a trade association for major tech companies) was likely to succeed on the basis that the law violated the first amendment (free speech). The suit also claimed that the law:

1. Was preempted by federal law, specifically the Children's Online Privacy Protection Act (COPPA) and Section 230 of the Communications Decency Act.
2. Violated the Dormant Commerce Clause of the US Constitution.
3. The requirement to estimate age incentivizes businesses to collect data that isn't actually necessary for the services they provide.

The American Civil Liberties Union (ACLU) and others have echoed free speech worries, arguing the law could limit online expression for all users, not just children.

The only other state to pass such legislation is Maryland, and their law is also caught up in a constitutional challenge that was filed this month by NetChoice. It seems likely that S.69, if it were to be signed into law, would face a similar challenge.

Governor Scott vetoed a version of this legislation last year, saying Vermont should let California pay for the litigation and then craft legislation once we understand where the courts stand on the constitutional questions.

Current Status:

The bill was passed by the Legislature and signed by Governor Scott on June 12, 2025.

Last updated: 6/21/2025

DISCLAIMER: Generative AI used to assist in the production of this report.