Three States Pass Children’s Privacy Bills, Court Upholds Sign-In Wrap Agreement, PLUS Webinar: Legally Enforceable Online Agreements

Want to receive these privacy recaps in your inbox each week? Subscribe here.

NORTH AMERICA

THREE STATES PASS CHILDREN’S PRIVACY BILLS

The Oregon, Vermont and Nebraska legislatures all passed children’s privacy bills. The Oregon bill will prohibit the sale of personal data that the controller knows to pertain or willfully disregards that it pertains to children under 16 (the same bill would also prohibit the sale of geolocation data identifying a user’s location within a radius of 1750 feet). The Vermont and Nebraska bills are both Age Appropriate Design Codes, borrowing elements from existing Age Appropriate Design Codes in other states. Both bills apply to the personal data of minors under age 18, but the knowledge standards differ, with the Nebraska bill only applying if the controller has actual knowledge that the user is a child or minor and the Vermont bill applying if the applicable online service, product or feature is reasonably likely to be accessed by a minor, based on whether the service is directed to children under COPPA standards and whether reliable evidence or internal research reveals, or the business knew or should have known, that the audience of the service is composed of at least 2% minors. Both bills require that default privacy settings for minors be set at the highest level of protection, that certain tools be made available to enable minors to exercise their rights (although Nebraska’s list of required tools is much longer and more detailed than Vermont’s), and that the collection and use of personal data from minors is limited to what is necessary to provide the service with which the minor is knowingly engaged (and, in the case of Vermont, actively and knowingly engaged), and include restrictions and prohibitions on targeted advertising, profiling and dark patterns. The Nebraska and Vermont laws take effect on January 1, 2026 and January 1, 2027, respectively.

TAKEAWAY

Children’s privacy legislation has been a growing trend  across the U.S. California and Maryland have already passed Age Appropriate Design Codes (although both are the subject of legal challenges), Arkansas last month passed the Children and Teens Online Privacy Protection Act, which prohibits targeted advertising to minors under age 17 and requires consent for all other processing purposes, and the New York Child Data Protection Act, requiring consent for the collection, use, sharing or sale of personal data of children under age 18, will take effect June 20, 2025. This is in addition to the children’s privacy protections included in most state comprehensive privacy laws, leading to a complex and expanding patchwork of children’s privacy requirements with varying knowledge thresholds (from “willful disregard”, to “should have known”, “directed to” or “likely to be accessed by”), requirements (with various combinations of outright prohibitions and restrictions, parental or teen consent, data minimization, and transparency and tool requirements), and age thresholds (applying to children under 16, 17 or 18). 

CALIFORNIA COURT UPHOLDS SIGN-IN WRAP ARBITRATION AGREEMENT IN VPPA SUIT

A judge in the Northern District of California granted Defendant Elevate Labs’ (operator of the Balance meditation app) motion to compel arbitration in a lawsuit containing multiple privacy claims, including claims under the Video Privacy Protection Act. The Court held the arbitration clause in the app’s Terms of Service to be enforceable, finding that notice of the Terms of Service on the Balance app was reasonably conspicuous and that the Plaintiff manifested his assent to be bound by the terms, thus meeting the requirements of an enforceable sign-in-wrap agreement. Specifically, the court found that inclusion of the hyperlinked phrase “By creating your account, you agree to Balance’s Terms & Conditions and Privacy Policy” on the account creation page of the app provided sufficient notice, because the page was free from clutter, the grey text appeared clearly against a white background, and the hyperlinks were bold with the first letter capitalized, making them stand apart from the other text in the sentence. The court also found that the Plaintiff sufficiently manifested assent by proceeding to create an account after viewing the notice.

TAKEAWAY

Case law governing shrinkwrap, click-wrap, browsewrap, scroll-wrap, and sign-in wrap agreements has been steadily evolving with advancements in technology and various methods of presenting online agreements. However, this case law has recently become increasingly important in the context of privacy litigation, as class action lawsuits under state and federal privacy laws, such as the Video Privacy Protection Act and state wiretapping laws, has become more rampant and (in some cases) has seen some success in the courts. One tool many companies are turning to to help mitigate the impact of these lawsuits is the arbitration agreement, enforcement of which is dependent on the particulars of its presentation and evidence of a manifestation of assent, as shown in this case. Defendants in other similar cases have not been as successful, particularly where defendants are unable to demonstrate actual or constructive notice or acknowledgement of the terms. 

WEBINAR: PUBLISHING TERMS OF SERVICE ISN’T ENOUGH

As mentioned above, recent court decisions are making one thing crystal clear: if users can’t easily find and understand your online agreements, your arbitration clauses won’t protect you when privacy lawsuits come knocking.

Join Squire Patton Boggs Partner Kyle Fath and Sourcepoint’s General Counsel Julie Rubash and Senior Director of Client Services Pat Effinger as they break down the latest rulings that are reshaping how we think about online consent. You’ll walk away with practical design strategies to bulletproof your agreements and avoid becoming the next cautionary tale.

You can register here for the webinar.