This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Reed Smith LLP

viewpoints
Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.
All Posts
| 7 minute read

Another Age Appropriate Design Code bill passed in Vermont

Get in touch

Avatar
Casey Yang
Associate
Avatar
Sarah Bruno
Partner

Get in touch

Avatar
Casey Yang
Associate
Avatar
Sarah Bruno
Partner
Digital overload and its impact on the human brain, showcasing fragmented thoughts, information overload. Abstract design art collage. Social media digital addiction, mental health, stress, anxiety

On June 12, 2025, the Vermont Age Appropriate Design Code Act (VT AADC) was signed into law. The VT AADC is designed to protect minors from harmful online practices and introduces strict regulations for businesses offering online services likely to be accessed by children under the age of 18. The VT AADC will take effect on January 1, 2027, and the Vermont Attorney General (VT AG) has the authority to make rules, conduct civil investigations, and bring civil actions against businesses that violate the VT AADC. Individuals also have a private right of action for violations of the VT AADC, which are deemed unfair and deceptive acts in violation of Vermont’s consumer protection laws. Below, we provide key details about the VT AADC and what it means for businesses that may fall within the scope of the law. 

Scope 

The VT AADC applies to “covered businesses” that meet the following requirements: 

  • Conduct business in Vermont; 
  • Generate a majority of their annual revenue from online services;
  • Have online products, services, or features that are reasonably likely to be accessed by a minor;
  • Collect consumers’ personal data or have consumers’ personal data collected on their behalf by a processor; and
  • Determine the purposes and means of the processing of consumers’ personal data, either alone or jointly with others.

A “minor” is a person under the age of 18 years, and a “covered minor” is a consumer whom a covered business actually knows is a minor or labels as a minor pursuant to age assurance methods set forth in rules promulgated by the VT AG. 

The VT AADC also enumerates the following factors to consider when determining whether an online product, service, or feature is “reasonably likely to be accessed” by a minor: 

  • Whether it is directed to children, as defined by the Children’s Online Privacy Protection Act and its amended rules (COPPA); 
  • Whether the online product, service, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by an audience that is composed of at least 2% of minors between the ages of 2 and 17 years. 
  • Whether internal company research indicates that the audience of its online product, service, or feature is composed of at least 2% of minors between the ages of 2 and 17 years; or 
  • Whether the covered business knew or should have known that at least 2% of the audience of the online product, service, or feature includes minors between the ages of 2 and 17 years, provided that, in making this assessment, the covered business does not collect or process any personal data beyond what is reasonably necessary to provide an online service, product, or feature with which a minor is actively and knowingly engaged.

Key obligations and prohibitions on covered businesses

The VT AADC outlines various obligations and prohibited practices for covered businesses, including the following: 

  • Minimum duty of care: Covered businesses must use a minimum duty of care to the covered minor when processing a covered minor’s personal data and designing an online service, product, or feature. This duty includes ensuring that such processing and designs do not result in (i) reasonably foreseeable emotional distress to a covered minor; (ii) reasonably foreseeable compulsive use of the online service, product, or feature by a covered minor; or (iii) discrimination against a covered minor based on race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin.
  • Default privacy settings: Covered businesses must configure all default privacy settings provided to a covered minor to the highest level of privacy, which must include the following requirements: 
    • Do not display the existence of the covered minor’s account or media created or posted by the covered minor on a social media platform to any known adult user, unless the covered minor expressly and unambiguously allows it or chooses to make their account public; 
    • Do not permit any known adult user to like, comment, or otherwise provide feedback on the covered minor’s media on a social media platform, unless the covered minor expressly and unambiguously allows it;
    • Do not permit direct messaging on a social media platform between the covered minor and any known adult user, unless the covered minor expressly and unambiguously allows it; 
    • Do not display the covered minor’s location to other users, unless the covered minor expressly and unambiguously shares their location with a specific user; 
    • Do not display the users connected to the covered minor on a social media platform, unless the covered minor expressly and unambiguously shares this information with a specific user; 
    • Disable search engine indexing of the covered minor’s account profile;
    • Do not send push notifications to the covered minor; 
    • Do not provide a covered minor with a single setting that makes all default privacy settings less protective at once; 
    • Do not request or prompt a covered minor to make their privacy settings less protective, unless the change is strictly necessary for the covered minor to access a service or feature they have expressly and unambiguously requested; and
    • Provide a prominent, accessible, and responsive tool to allow covered minors to request their accounts on a social media platform to be unpublished or deleted, and honor these requests within 15 days of the request.
  • Transparency: In addition to clear and prominent disclosure of privacy information, terms of service, policies, and community standards, covered businesses must also clearly and prominently disclose the following on their websites and mobile applications: 
    • The purpose of each “algorithmic recommendation system” (a system that uses an algorithm to select, filter, and arrange media on a covered business’s website for the purpose of selecting, recommending, or prioritizing media for a user) in use, the inputs used by the algorithmic recommendation system, and how each input (i) is measured or determined; (ii) uses the personal data of covered minors; (iii) influences the recommendations issued by the system; and (iv) is weighted relative to the other reported inputs; and 
    • For every feature of the service that uses the personal data of covered minors, descriptions of (i) the purpose for such feature; (ii) the personal data collected and used by such feature; (iii) how the personal data is used by such feature; (iv) any personal data transferred to or shared with a processor or third party by such feature, the identity of the processor or third party, and the purpose of the transfer or sharing; and (v) how long the personal data is retained. 
  • Additional prohibited data and design practices: Covered businesses are also prohibited from doing any of the following: 
    • Collecting, selling, sharing, or retaining personal data of a covered minor that is not necessary to provide an online service, product, or feature with which the covered minor is actively and knowingly engaged; 
    • Using previously collected personal data of a covered minor for any purpose other than the purpose for which it was collected; 
    • Permitting any individual, including parents and guardians, to monitor the online activity of a covered minor or to track the location of the covered minor without providing a conspicuous signal to the covered minor when they are being monitored or tracked; 
    • Using the personal data of a covered minor to select, recommend, or prioritize media for the covered minor, unless (i) expressly and unambiguously requested by the covered minor, (ii) it is a user-selected privacy or accessibility setting; or (iii) it is a search query, provided the search query is only used to select and prioritize media in response to the search; or 
    • Sending push notifications to a covered minor between midnight and 6:00 am.
  • Age assurance: When conducting age assurance, covered businesses and processors must (i) only collect personal data that is strictly necessary for age assurance; (ii) immediately delete such personal data after age assurance; and (iii) not use, combine, or disclose such personal data for any other purposes or to any other third parties. Covered businesses must also implement a review process to allow users to appeal their age determination. 

Practical implications and recommendations for covered businesses

The VT AADC was modeled in part on California’s and the UK’s Age Appropriate Design Codes. Businesses that have made efforts to comply with such laws may already have robust policies and procedures in place that address some of the obligations set forth in the VT AADC. However, these businesses should carefully review such policies and procedures to account for any gaps where the VT AADC differs from the laws of its California and UK counterparts, such as VT AADC’s age assurance requirements and transparency requirements around algorithmic recommendation systems. The VT AADC also significantly differs from the California AADC in that the VT AADC does not require covered businesses to assess or report on whether content may harm minors, which was a point of recent constitutional scrutiny. 

Like the California AADC – which was recently found by the Northern District to be categorically unconstitutional but will likely be appealed – the validity of the VT AADC may be challenged on constitutional grounds with respect to regulating protected speech. Without a final determination as to the constitutionality of these AADC laws, businesses may want to consider taking the following steps to ensure compliance with the VT AADC: 

  • Conduct a thorough review and create a data map of the business’ data collection practices to ensure data minimization; 
  • Determine what types of online services, products, or features are reasonably likely to be accessed by minors; 
  • Consider implementing age-verification tools and default privacy settings, taking into account the factors and requirements described above;
  • Determine whether algorithmic recommendation systems are used and publish/update clear policies on such uses; 
  • Amend contracts with processors and third-party vendors as necessary to ensure the same prohibitions and obligations are passed through to such entities; and 
  • Monitor legislative updates and legal challenges to the VT AADC. 

Protecting children and teenagers online continues to be an important legislative concern, and more states continue to propose and enact bills to protect them from online harms. In addition to the VT AADC, businesses will need to balance varying compliance requirements to the extent they are subject to other applicable state laws intended to protect children and teenagers online. For instance, as our team wrote previously, app store owners and software application developers who make their products available to users in Texas may have to comply with age verification obligations under the state’s App Store Accountability Act (ASAA). These obligations may differ or may be more prescriptive than what is required under the VT AADC, so businesses subject to both state laws will need to carefully consider how they will balance their compliance obligations with respect to issues such as age verification, data handling, consent, and transparency. For more information about the Texas ASAA, please read our previous post

Reed Smith’s privacy and data security teams will continue to monitor the regulatory and enforcement activity in this space.

Tags

childrens privacy, vermont

Get in touch

Avatar
Casey Yang
Associate
Avatar
Sarah Bruno
Partner

Get in touch

Avatar
Casey Yang
Associate
Avatar
Sarah Bruno
Partner

Latest Insights