Privacy & Information Security Law Blog

On May 2, 2025, Virginia Governor Glenn Youngkin signed into law a bill that amends the Virginia Consumer Data Protection Act (“VCDPA”) to impose significant restrictions on minors’ use of social media. The bill comes on the heels of recent children’s privacy amendments to the VCDPA that took effect on January 1, 2025.

The bill amends the VCDPA to require social media platform operators to (1) use commercially reasonable methods (such as a neutral age screen) to determine whether a user is a minor under the age of 16 and (2) limit a minor’s use of the social media platform to one hour per day, unless a parent consents to increase the daily limit.

The bill prohibits social media platform operators from using the information collected to determine a user’s age for any other purpose. Notably, the bill also requires controllers and processors to treat a user as a minor under 16 if the user’s device “communicates or signals that the user is or shall be treated as a minor,” including through “a browser plug-in or privacy setting, device setting, or other mechanism.” The bill also prohibits social media platforms from altering the quality or price of any social media service due to the law’s time use restrictions.

The bill defines “social media platform” as a “public or semipublic Internet-based service or application” with users in Virginia that:

• connects users in order to allow users to interact socially with each other within such service or application; and
• allows users to do all of the following:
  • construct a public or semipublic profile for purposes of signing into and using such service or application;
  • populate a public list of other users with whom such user shares a social connection within such service or application; and
  • create or post content viewable by other users, including content on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users.

The bill exempts from the definition of “social media platform” a service or application that (1) exclusively provides email or direct messaging services or (2) consists primarily of news, sports, entertainment, ecommerce, or content preselected by the provider and not generated by users, and for which any chat, comments, or interactive functionality is incidental to, directly related to, or dependent on the provision of such content.

The Virginia legislature declined to adopt recommendations by the Governor that would have strengthened the bill’s children’s privacy protections.

These amendments to the VCDPA take effect on January 1, 2026.