Bill > SB978

Introduced Session

This bill creates requirements and restrictions related to data collection and use and product design for certain businesses that provide online services to minors. The bill defines a “covered business” as a business that 1) conducts business in this state; 2) generates a majority of its annual revenue from online services; 3) provides online services, products, or features that are reasonably likely to be accessed by an individual who is less than 18 years of age (minor); 4) collects consumers’ personal data or has consumers’ personal data collected on its behalf; and 5) alone or jointly with others determines the purposes and means of the processing of consumers’ personal data. With exceptions, a “consumer” is an individual who is a resident of this state, and a “covered minor” is a consumer who a covered business knows is a minor or labels as a minor in accordance with rules promulgated by the Department of Justice (discussed below). With exceptions, “personal data” is any information that is linked or reasonably linkable to an identified or identifiable individual or a device of such an individual or of a member of the individual’s household. “Processing” means any operation performed on personal data, including its collection, use, storage, disclosure, analysis, or other handling. With exceptions, an “online service, product, or feature” is a digital LRB-6146/1 ARG:emw&cjs 2025 - 2026 Legislature SENATE BILL 978 product that is accessible to the public by means of the Internet, including through a website or mobile application. Under the bill, a covered business generally may not 1) collect, sell, share, or retain any personal data of a covered minor that is not necessary to provide an online service, product, or feature with which the covered minor is actively and knowingly engaged; 2) use previously collected personal data of a covered minor for any purpose other than a purpose for which the personal data was collected; 3) permit any individual, including a parent, to monitor the online activity of a covered minor or to track the location of the covered minor without providing a conspicuous signal to the covered minor when the covered minor is being monitored or tracked; 4) with exceptions, use the personal data of a covered minor to select, recommend, or prioritize media for the covered minor; or 5) send push notifications to a covered minor between midnight and 6 a.m. Also under the bill, a covered business that processes a covered minor’s personal data owes a minimum duty of care to the covered minor that is not satisfied unless its use of the covered minor’s personal data and the design of its online service, product, or feature will not result in 1) reasonably foreseeable emotional distress to the covered minor; 2) reasonably foreseeable compulsive use of the online service, product, or feature by the covered minor; or 3) discrimination against the covered minor based on race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, religion, or national origin. The bill defines “age assurance” as methods used to determine, estimate, or communicate the age or age range of an online user. A “processor” is a person who processes personal data on behalf of a covered business or another processor. The bill imposes the following requirements on covered businesses and processors during the process of conducting age assurance: personal data of a user that is strictly necessary for age assurance; 2) upon determining whether a user is a covered minor, they must immediately delete any personal data about the user that they collected for age assurance, except the determination of the user’s age range; 3) they may not use any personal data about a user that they collected for age assurance for any purpose other than age assurance; 4) they may not combine the personal data about a user that they collected for age assurance with any other personal data about the user, except with respect to the determination of the user’s age range; 5) they may not disclose the personal data about a user that they collected for age assurance to a third party that is not a processor; and 6) they must implement a review procedure to allow users to appeal their age determination. The bill requires a covered business to configure all default privacy settings provided to a covered minor to the highest level of privacy, including all of the following default settings on a social media platform: existence of the covered minor’s account, or media created or posted by the covered minor, to a known adult user unless the covered minor has allowed a specific known adult user to view the account or media or has chosen to make public the account or media; 2) not permitting a known adult user to comment or provide feedback on the covered minor’s media unless the covered minor has enabled this function; 3) not LRB-6146/1 ARG:emw&cjs 1) they may collect only the 1) not displaying the 2025 - 2026 Legislature SENATE BILL 978 permitting direct messaging between the covered minor and a known adult user unless the covered minor chooses to allow direct messaging with a specific known adult user; 4) not displaying the covered minor’s location to other users unless the covered minor shares the covered minor’s location with a specific user; 5) not displaying the users connected to the covered minor unless the covered minor chooses to share the information; 6) disabling search engine indexing of the covered minor’s account profile; and 7) not sending push notifications to the covered minor. In addition, a covered business may not provide a covered minor with a single setting that makes all default privacy settings less protective at once. A covered business also may not request or prompt a covered minor to make privacy settings less protective unless the change is strictly necessary for the covered minor to access an online service, product, or feature that the covered minor has requested. The bill further requires a covered business to provide a prominent tool to allow a covered minor to request that the covered minor’s account on a social media platform be unpublished or deleted and to honor such a request no later than 15 days after receiving the request. The bill requires a covered business to prominently and clearly provide on its website or mobile application all of the following: 1) the covered business’s terms of service, privacy policies and information, and community standards; 2) for each algorithmic recommendation system used, its purpose and specified information about its inputs, including how each input uses the personal data of covered minors and influences recommendations; and 3) specified information about each feature of a service that uses the personal data of covered minors. The bill requires DOJ to promulgate rules with respect to certain matters, including identifying commercially reasonable and technically feasible methods for covered businesses and processors to determine if a user is a covered minor and providing privacy protections for age assurance data. The bill specifies that a covered business or processor that violates the bill’s provisions or rules promulgated under the bill commits an unfair trade practice. DOJ may investigate an alleged violation and may commence an action for a temporary or permanent injunction.

AI Summary

Committee Categories

Dianne Hesselbein (D)*,  Kelda Roys (D)*,  Jeff Smith (D)*,  Mark Spreitzer (D)*,  Jamie Wall (D)*,  Deb Andraca (D),  Jill Billings (D),  Ryan Clancy (D),  Karen DeSanto (D),  Ben DeSmidt (D),  Jodene Emerson (D),  Joan Fitzgerald (D),  Russell Goodwin (D),  Alex Joers (D),  Darrin Madison (D),  Renuka Mayadev (D),  Vincent Miresse (D),  Greta Neubauer (D),  Ann Roe (D),  Christine Sinicki (D),  Lee Snodgrass (D),  Shelia Stubbs (D),  Randy Udell (D), 

Representative Vining added as a cosponsor (on 02/13/2026)

Official Document