Vermont Passes New Privacy Law Providing Safety Measures for Children Online

Written By Luke Schaetzel

Vermont’s new Kids Code hopes to improve children’s safety online through regulating the privacy, design, and data use of certain entities providing online services and collecting data about minors.

Authors: Luke Schaetzel; Philip Cramer

On June 12, 2025, Governor Phil Scott signed Senate Bill 69, the Age-Appropriate Design Code, into law.  The new law, being referred to as the Vermont Kids Code (“Kids Code”), establishes protections around the design and data processing of online platforms accessed by minors to improve children’s safety online.  While the law becomes effective January 1, 2027,

Setting a higher bar than many existing U.S. privacy laws, the Vermont Kids Code sets the define of “minor” to cover those under the age of 18. Federal law, through the Children’s Online Privacy Protection Act, only imposes requirements on the collection and use of personal data about children under the age of 13. And while some states have also introduced the concept of “minors” under the age of 18, most still align to federal law or only further protect data about those under the age of 16. 

The Vermont Kids Code sets forth a minimum duty of care when businesses provide online services, products and platforms to minors, default privacy setting requirements applicable to such online services, products and platforms, and transparency requirements. Additionally, the Vermont Kids Code sets forth certain prohibited practices applicable to covered businesses.

There are a growing number of data protection laws being implemented in states across the U.S.  with more coming into effect across 2025 and 2026 and being discussed by state legislatures. It is vital that businesses keep track of the constant shift and development of data protection laws to understand how they may be impacted state-by-state.  See below for details on the specific provisions in the Vermont Kids Code.

Covered Businesses and Cover Minors

The Vermont Kids Code applies to covered businesses, which are defined as any legal entity that (1) conducts business in Vermont, (2) generates a majority of revenue from online services, (3) offers online products, services, or features that minors are “reasonably likely” to access, (4) collects data or permits collection by others of Vermont consumers, and (5) decides—on its own or with others—why and how consumers’ personal data is processed. 

The children that the Vermont Kids Code is meant to protect are covered minors—those who the covered business actually know are minors or have labeled as minors.  “Minors” under the new law includes any individual under the age of 18, a much higher age than federal law sets under the Children’s Online Privacy Protection Act. The Vermont Kids Code provides specific privacy protections for the data used as part of a covered business or processor’s age assurance methodology (discussed below).  These protections are to be reviewed periodically by the Vermont Attorney General to ensure emerging technologies do not make the law moot.  As part of future reviews, the Vermont Attorney General is directed to prioritize user privacy over accuracy of the age assurance methods, indicating that covered businesses should design processes that are overcautious.

Minimum Duty of Care

Under the Vermont Kids Code, covered businesses must uphold a minimum duty of care when processing a covered minor’s personal data.  This duty requires that the design of an online service, product, or feature will not result in reasonably foreseeable emotional distress, reasonably foreseeable compulsive use (i.e., designs resulting in addictive use that “materially disrupts” a minor’s major life activities), or discrimination of a protected class (e.g., race, gender, sexual orientation, disability).

Default Privacy Settings

The Vermont Kids Code requires covered businesses to design—or redesign—the default privacy settings for the online services, products, or features provided to minors to “the highest level of privacy” to protect minors from certain harms that would breach the law’s minimum duty of care.  As enacted, the default settings required by covered businesses include:

  • Hiding a covered minor’s social media platform account and any of the content they have created or posted to the social media platform from any “known adult user”;

  • Restricting known adult users from engaging with a covered minor’s account (i.e., liking, commenting, direct messaging);

  • Not displaying media created or posted by covered minors on a social media platform to any known adult user;

  • Not displaying a covered minor’s location or other user connections;

  • Disabling search engine indexing of the covered minor’s account profile; and

  • Not sending push notifications to covered minors.

Exceptions to each of the default privacy settings may generally be made if and when the covered minor either (a) “expressly and unambiguously” allows the adult to view their account or (b) chooses to make their account’s existence public.

Those exceptions, however, do not apply to or cover the last two prohibitions listed above related to search engine indexing and push notifications. Those restrictions apply in all instances.

To ensure that the increased privacy settings are effective, covered businesses are prohibited from offering a single setting that lessens all of the default privacy settings at once, or prompt a covered minor to make their privacy settings less protective without their express and unambiguous request.  Additionally, covered businesses must design an accessible way for covered minors to request that their social media account is unpublished or deleted and honor the request within 15 days.

Transparency

It is common practice in highly regulated industries for entities to be required to prominently display their privacy policies on their website and ensure it is plain language.  The Vermont Kids Code now requires that covered businesses also include the purpose of each algorithmic recommendation system, the inputs being used by such systems, and the specifics of how each input is used.  Covered businesses must also describe every feature that uses the personal data of covered minors.

Prohibited Data and Design Practices

The Vermont Kids Code sets out specific prohibitions for covered businesses.  These prohibited practices are to be reviewed and updated by the Attorney General every two years to ensure that the law keeps pace with emerging technologies.

For example, the law prohibits covered businesses from collecting, selling, sharing, or retaining any covered minor’s personal data that is “not necessary” to the covered business in providing an online service, product, or feature.  Moreover, covered businesses may not use a covered minor’s personal data for secondary purposes without permission—mirroring and building upon the concept of data minimization found in many data protection laws such as California Consumer Privacy Act’s (“CCPA”) and the General Data Protection Regulation’s (“GDPR”).

Additionally, all individuals, including the parents and guardians of covered minors, are prohibited from tracking a covered minor’s online activity or location “without providing a conspicuous signal” when the covered minor is being monitored.  However, “conspicuous” is not clearly defined. 

The Vermont Kids Code also prohibits covered businesses from using the covered minor’s personal data “to select, recommend, or prioritize” certain media to the covered minor.  Exceptions to this prohibition exist in specific circumstances, such as the covered minor expressly and unambiguously requesting to receive the media from a specific account or user or for a specific category of media (e.g., breaking news).  Exceptions are also made when the personal data being used to select, recommend or prioritize media for the covered minor was in response to user-selected privacy settings or a search query. 

Lastly, the new law prohibits data and design practices that send push notifications to covered minors between 12:00 midnight and 6:00 a.m.  A similar provision was proposed by the Federal Trade Commission (“FTC”) in January 2024 as an update to the Children’s Online Privacy Protection Rule (“COPPA rule”), which had not been updated since 2013.  In the FTC’s January 2025 Press Release, the proposed requirement was framed as “intended to limit the use of push notifications directed to children without parental consent and changes relating to the requirements applicable to educational technology companies operating in a school environment.”  Although this particular provision was not included in the final rule, the FTC “remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm their mental health,” and may make further updates as more states, like Vermont, enforce restrictions on push notifications.

Age Assurance Requirements

Lastly, the Vermont Kids Code outlines privacy protections for covered minors as covered businesses and processors perform age assurance processes.  “Processors” are defined as people processing personal data for a covered business, another processor, or certain government entities.  The concept is similar to the “data processor” concept found under many U.S. state omnibus data protection laws.

If a business or processor is engaging in age assurance activities, the Vermont Kids Code requires covered business and processors to:

  • Limit personal data collection to what is strictly necessary for age assurance;

  • Delete the collected personal data immediately upon determining whether a user is a covered minor;

  • Not use the personal data collected for age assurance for any other purpose;

  • Not combine the personal data collected for age assurance purposes with any of the user’s other personal data;

  • Not disclose the personal data collected for age assurance purposes unless the third party is a processor; and

  • Implement a review process for users to appeal age determinations.

The Vermont Kids Code directs the Vermont Attorney General to adopt rules—by January 1, 2027—identifying commercially reasonable and technically feasible age assurance methods that covered businesses and their processes should undertake.

Takeaways

A renewed focus from regulators and consumers on data privacy—specifically as it relates to personal data relating to children—reminds businesses to review the broad range of U.S. state data protection laws that may impact their data collection and design practices.  In light of new state laws such as the Vermont Kids Code as well as the FTC’s finalized updates to COPPA, its clear lawmakers and regulators are focused on what they deem “sensitive” personal data.

A comprehensive review of state laws, such as any changes that are made to the Vermont Kids Code between now and January 1, 2027, will help to ensure privacy and security compliance.

The Benesch Data Protection team is committed to staying at the forefront of these recent developments to assist our clients in compliance efforts. We are available to assist you with any compliance needs.

Luke Schaetzel is a Managing Associate in Benesch’s Data Protection Group. He can be reached at 312.212.4977 or lschaetzel@beneschlaw.com.

Philip Cramer is a Summer Associate at Benesch.

 

 

Luke Schaetzel
Next

Montana Amends Consumer Data Privacy Act to Broaden Applicability and Enhance Protections for Minors