The bill introduces a new chapter, CHAPTER 48.2, titled "AGE-APPROPRIATE DESIGN CODE," to Title 6 of the General Laws, which focuses on safeguarding children's personal data in online services. It defines essential terms such as "child," "covered entity," and "personal data," and establishes criteria for identifying covered entities based on their revenue and data handling practices. A covered entity is required to exercise reasonable care to avoid any heightened risk of harm to children when processing their data, particularly when they have actual knowledge that a consumer is a child.

The legislation imposes specific obligations on covered entities, including the requirement to complete a data protection impact assessment for any online service, product, or feature that is reasonably likely to be accessed by children. Covered entities must maintain documentation of these assessments for as long as the online service, product, or feature is known to be used by children. Additionally, they must configure default privacy settings to prioritize children's privacy, provide privacy information and terms of service in clear and age-appropriate language, and offer accessible tools for children to exercise their privacy rights.

The attorney general is authorized to enforce these provisions, with civil penalties for violations ranging from $2,500 for negligent violations to $7,500 for intentional violations per affected child. The bill also includes a provision for a 90-day compliance period for covered entities to remedy violations after receiving notice from the attorney general. The act is scheduled to take effect on January 1, 2026.