The proposed bill adds CHAPTER 48.2, titled "AGE-APPROPRIATE DESIGN CODE," to Title 6 of the General Laws, with the aim of enhancing the protection of children's personal data in online services. It defines key terms such as "child," "covered entity," "personal data," and "dark pattern," and creates a framework for how businesses that develop and provide online services, products, or features that children are reasonably likely to access must handle data related to minors.
Covered entities are required to conduct data protection impact assessments for online services, products, or features that are likely to be accessed by children, maintain documentation of these assessments, and review and modify them as necessary. The bill emphasizes the need for covered entities to configure default privacy settings to offer a high level of privacy for known children and to provide privacy information, terms of service, and policies in clear language suited to the age of children.
The legislation outlines specific obligations for covered entities, including prohibitions against processing personal data in ways that present a heightened risk of harm to children, profiling children by default without appropriate safeguards, and using dark patterns to manipulate children into providing personal data. Additionally, covered entities must provide accessible tools for children to exercise their privacy rights and report concerns.
Enforcement will be managed by the attorney general, who may seek civil penalties for violations, with fines ranging from $2,500 for negligent violations to $7,500 for intentional violations per affected child. The bill also allows covered entities to rectify violations within a specified timeframe to avoid penalties and ensures that data protection impact assessments remain confidential. The act is scheduled to take effect on January 1, 2026.