The bill introduces a new chapter, CHAPTER 48.2, titled "AGE-APPROPRIATE DESIGN CODE," to Title 6 of the General Laws, which focuses on safeguarding children's personal data in online services. It establishes definitions for key terms such as "child," "covered entity," "personal data," and "dark pattern," creating a framework for how entities collecting personal data from children must operate. Covered entities are required to conduct data protection impact assessments for online services, products, or features that are reasonably likely to be accessed by children, maintain documentation of these assessments, and review and modify them as necessary.

The bill mandates that covered entities configure all default privacy settings for known children to offer a high level of privacy unless a compelling reason is demonstrated for a different setting. Additionally, it requires that privacy information, terms of service, and community standards be provided in clear language suitable for children. Covered entities must also provide accessible tools for children to exercise their privacy rights and report concerns.

The act emphasizes that covered entities must use reasonable care to avoid any heightened risk of harm to children when processing their data. It defines "heightened risk of harm" and outlines specific prohibitions on processing children's personal data in ways that could lead to harm, including the use of dark patterns.

Enforcement of the provisions will be managed by the attorney general, who can impose civil penalties for violations, with fines up to $2,500 for negligent violations and $7,500 for intentional violations per affected child. The bill outlines a notification process for covered entities regarding violations, allowing them a 90-day period to address issues before penalties are applied. The act is set to take effect on January 1, 2027, and aims to enhance the protection of children's privacy in the digital landscape while ensuring that existing obligations under related laws remain unaffected.