It states that a controller, namely any entity that is processing personal data, may not process the sensitive data of a teen without obtaining verifiable parental consent. The problem is that the bill defines sensitive data to include personal data collected from a teen, meaning almost any interaction involving a known user between 13 and 15 years old could trigger the requirement.
“If you operate a website, an app, a service, and there are users you know who are between 13 and 15, it’s going to break everything,” Butler said. “You’re going to have to get verifiable parental consent every time you touch the data—collect it, transfer it, store it, process it, anything.”
To comply, companies would need not only age awareness, which many already have through account creation or app stores, but also a system for verifying parent-child relationships. That would likely require collecting additional sensitive identity documents and personal records, the exact kind of information most organizations should try to avoid storing.