The bill introduces CHAPTER 48.2, titled "AGE-APPROPRIATE DESIGN CODE," to Title 6 of the General Laws, which aims to enhance the protection of children's personal data in online services. It defines essential terms such as "child," "covered entity," and "personal data," and outlines the responsibilities of covered entities that develop and provide online services, products, or features that children are reasonably likely to access. These entities are required to consider the best interest of children when designing and developing such online services, products, or features.

Covered entities must conduct data protection impact assessments to identify and mitigate risks to children's safety, maintain documentation of these assessments for as long as the online service, product, or feature is known to be used by children, and review and modify these assessments as necessary. The bill mandates that default privacy settings for known children must offer a high level of privacy, and privacy information must be communicated clearly and concisely in language suited to the age of children accessing the service.

The legislation prohibits practices such as processing personal data in a way that heightens the risk of harm to children, profiling children by default without appropriate safeguards, and using dark patterns to manipulate children into providing personal data. It also requires covered entities to provide tools that assist children in exercising their privacy rights and reporting concerns.

Enforcement will be managed by the attorney general, who may seek civil penalties of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations. The bill ensures that data protection impact assessments conducted under its provisions are exempt from public disclosure. It is set to take effect on January 1, 2027.