SECTION 1. The General Laws are hereby further amended by inserting after chapter 93L the following chapter:-
Chapter 93M
ONLINE PROTECTION
Section 1. As used in this chapter, the following words shall have the following meanings unless the context clearly requires otherwise:
“Account”, a unique profile for a user of a social media platform.
“Addictive social media feed”, a website, online service, online application or mobile application, or a portion thereof, in which multiple pieces of content generated or shared by users of a website, online service, online application or mobile application, either concurrently or sequentially, are recommended, selected or prioritized for display to a user based, in whole or in part, on information associated with the user or the user’s device unless, for each such recommendation, selection or prioritization, any of the following conditions are met, alone or in combination with one another:
(i) the recommendation, prioritization or selection is based on information that is not persistently associated with the user or user’s device and does not concern the user’s previous interactions with content generated or shared by other users unless the content was explicitly saved by the user;
(ii) the recommendation, prioritization or selection is based on user-selected privacy or accessibility settings or technical information concerning the user’s device;
(iii) the user expressly and unambiguously: (1) requested the specific content; (2) subscribed to content by the author, creator or poster of the content; or (3) subscribed to the page or group to which the content is shared by users; provided, however, that the content is not recommended, selected or prioritized for display based, in whole or in part, on other information associated with the user or the user’s device that is not otherwise permissible under this section; provided further, that “subscribed to” shall include friending, joining or otherwise affirmatively requesting content from;
(iv) the user expressly and unambiguously requested that specific content, content by a specified author, creator or poster of content to which the user has subscribed or content shared by users to a page or group to which the user has subscribed pursuant to clause (iii) be blocked, prioritized or deprioritized for display; provided, however, that the content is not recommended, selected or prioritized for display based, in whole or in part, on other information associated with the user or the user’s device that is not otherwise permissible under this section;
(v) the content is a direct or private communication;
(vi) the content is recommended, selected or prioritized only in direct response to a specific search inquiry by the user at the time such search inquiry is made;
(vii) the content recommended, selected or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster or source; or
(viii) the recommendation, prioritization or selection is necessary to comply with the provisions of this chapter and any regulations promulgated pursuant to this chapter.
“Age signal”, a device-level transmission from an operating system provider or application distribution provider to a covered operator of a categorical age range applicable to the user of the device that does not require the transmission to the covered operator of such user’s date of birth, legal name, government-issued identification or biometric identifier.
“Application distribution provider”, a person, business or legal entity that owns, controls or operates a platform through which software applications are made available for download or installation by users in the commonwealth.
“Autoplay”, a feature of a social media feed or landing page where content is automatically played in a social media feed without any manual input from a user.
“Connected account”, an account on a social media platform that is directly connected to another account by an affirmative request by a user and an affirmative confirmation by another user.
“Content”, an image, video or text.
“Covered minor”, a user of a website, online service, online application or mobile application in the commonwealth when the operator of such website, online service, online application or mobile application has actual knowledge the user is a minor.
“Covered operator”, any person, business or legal entity who operates or provides a social media platform.
“Educational technology platform”, a software application or web-based technology, including, but not limited to, a learning management system, designed to provide communication between a school and students’ parents or guardians, educational information, experiences, training or instruction to build knowledge, skills or a craft; provided, however, that, for purposes of this chapter: (i) such software application or web-based technology is approved by the school district; (ii) the school district complies with the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, and 34 C.F.R. Part 99, in its use of any software application or web-based technology; and (iii) the school district has an executed student data privacy agreement governing the use of any software application or web-based technology that collects student data that includes a requirement that the software application or web-based technology complies with said Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g and 34 C.F.R. Part 99.
“Infinite scroll”, a feature of a social media feed or landing page that provides an automatically and continuously loading social media feed or landing page where additional content displays at the bottom of such feed or landing page without any manual input from a user.
“Minor”, an individual under the age of 18.
“Operating system provider”, a person, business or legal entity that designs, develops or distributes software that manages the hardware of an internet-enabled device, including a mobile device, tablet or computer, and allows programs and applications to run on such device.
“Parent”, a parent or legal guardian of a minor.
“Precise geolocation data”, information derived from technology, including, but not limited to, latitude and longitude coordinates from global positioning system mechanisms or other similar positional data, that reveals the past or present physical location of a user or device that identifies or is linked or reasonably linkable to 1 or more users with precision and accuracy within a radius of 1,750 feet.
“Push notification”, an automatic electronic message displayed on a user’s personal electronic device when the social media platform is not actively open or visible on the personal electronic device that prompts the user to use and interact with the social media platform.
“Social media feed”, the presentation of content to users of a social media platform that has been recommended, selected or prioritized for presentation or display to a user.
“Social media platform”, a public website, online service, online application or mobile application that primarily serves as a medium for displaying content generated by users through a social media feed and that allows users to create, share, view and interact with user-generated content; provided, however, that “social media platform” shall not include: (i) email, short message service, multimedia message service, rich communication service or similar text messaging telecommunications services; (ii) cloud storage services; (iii) online services or applications with the primary purpose to facilitate the purchase or sale of goods or services between buyers and sellers, including, but not limited to, online marketplaces that enable users to list, search for, purchase or review products or services, where any user-to-user communication or user-generated content is incidental to such commercial transactions; (iv) an educational technology platform; or (v) document viewing, sharing or collaboration services.
“User”, an individual who, through an account, accesses or uses either a social media feed or a social media platform in the commonwealth; provided, however, that “user” shall not include an individual acting as a covered operator, or agent or affiliate of the covered operator, of such social media feed or social media platform or any portion thereof.
Section 2. (a)(1) A covered operator shall use commercially reasonable and technically feasible methods to determine if a user is a covered minor unless the user opts out of such methods; provided, however, that the covered operator shall provide the user with a clear, simple and prominent opportunity to opt out of such methods prior to using them. The covered operator shall set default social media platform safety settings for a user determined to be a covered minor, or for a user that opts out of such methods, that shall:
(i) disable an addictive social media feed;
(ii) disable push notifications to a user between the hours of 12:00 a.m. and 6:00 a.m. in the commonwealth’s time zone;
(iii) disable autoplay or other auto-advance functions that continuously present content to a user;
(iv) disable infinite scroll or other endless scrolling or pagination functions; and
(v) require a clear and conspicuous reminder after the user has accessed the social media platform for more than 1 cumulative hour of use in any 24-hour period and every 30 minutes of cumulative use thereafter that the user has accessed the social media platform for any such amount of time; provided, however, that the social media platform shall require the user to acknowledge the reminder before continuing use of the social media platform.
(2) A covered operator shall not allow a user to change the default settings enabled pursuant to paragraph (1) unless the covered operator has used commercially reasonable and technically feasible methods to determine that the user is not a covered minor pursuant to section 3.
(b)(1) If a covered operator has actual knowledge that a user is a minor, the covered operator shall enable default social media platform safety settings for the covered minor’s account that shall:
(i) restrict the visibility of the content on a covered minor’s account to only connected accounts; provided, however, that information necessary for users to search for and connect to a covered minor’s account, including, but not limited to, the covered minor’s name, may be made visible;
(ii) disable the visibility or sharing of the covered minor’s precise geolocation data with other users;
(iii) limit the covered minor’s sharing of content to connected accounts; and
(iv) limit the covered minor’s direct messaging to connected accounts.
(2) A covered operator may permit a covered minor to change the default settings enabled pursuant to clauses (i), (iii) and (iv) of paragraph (1). The default settings required in clause (ii) of said paragraph (1) may only be changed with verifiable parental consent. The attorney general shall promulgate regulations identifying methods of obtaining such verifiable parental consent. Information collected for the purpose of obtaining such verifiable parental consent shall not be used for any purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent, except where necessary for compliance with any applicable provisions of state or federal law or regulation. Nothing in this chapter shall be construed as requiring a social media platform to provide a parent any additional or special access to or control over the data or accounts of their covered minor child. The default setting provided in clause (ii) of paragraph (1) shall be adjustable with verifiable parental consent in a manner that allows the sharing of the covered minor’s precise geolocation location data with only selected individual connected accounts.
(3) A covered operator shall not: (i) provide a user with an option to change more than 1 such default setting at once; or (ii) request or prompt a user to change any such default settings, unless the change is necessary for the user to access a service or feature they have expressly and unambiguously requested.
(4) A covered operator may, but shall not be required to, use commercially reasonable and technically feasible methods to determine if a user is a covered minor for the purpose of this subsection pursuant to regulations promulgated by the attorney general pursuant to section 3.
(c) No covered operator shall withhold, degrade or lower the quality or increase the price of any product, service or feature to a user who uses the social media platform with the default settings under subsections (a) or (b) enabled.
Section 3. (a) The attorney general shall promulgate regulations identifying commercially reasonable and technically feasible methods for covered operators to determine if a user is a covered minor for the purposes of subsection (a) of section 2.
(b) The attorney general may consider among the methods identified under subsection (a), an age signal as a commercially reasonable and technically feasible method for determining whether a user is a covered minor and may, by regulation, require an operating system provider to provide covered operators with such age signal.
(c) In promulgating regulations pursuant to this section, the attorney general shall consider: (i) the size and financial resources of the social media platform; (ii) the costs and effectiveness of available age assurance methods; and (iii) the impact of the age assurance methods on users’ safety, utility and experience.
(d) Regulations promulgated pursuant to this section shall: (i) set forth multiple methods for a covered operator to determine if a user is a covered minor, including, but not limited to, at least 1 method that either does not rely solely on government issued identification or that allows a user to maintain anonymity as to the covered operator of the social media platform; (ii) limit the collection of personal data of a user to data that is strictly necessary for determining a user’s age; (iii) require the deletion of personal data collected for the purpose of determining if a user is a covered minor, other than the determination of the user’s age, immediately after making such determination; (iv) prohibit the use of any personal data collected for the purpose of determining if a user is a covered minor for any other purpose; (v) prohibit the combination of personal data collected for the purpose of determining if a user is a covered minor, except the determination of the user’s age, with any other personal data of the user; and (vi) require the implementation of a review process to allow users to appeal an age assurance determination.
(e) If a covered operator has used commercially reasonable and technically feasible age assurance methods in compliance with such regulations and has not determined that a user is a covered minor, the covered operator shall operate under the presumption that the user is not a covered minor for the purposes of this chapter, unless it obtains actual knowledge that the user is a covered minor.
(f) A covered operator that uses commercially reasonable and technically feasible age assurance methods in compliance with regulations promulgated pursuant to this section and prohibits any user it determines to be a covered minor from accessing the social media platform shall be exempt from the requirements in section 2.
Section 4. A covered operator shall provide the attorney general with de-identified aggregate data on minors’ use of the social media platform not less than quarterly. Such data shall include, but not be limited to: (i) the number of minors who use the platform, delineated by age or age range; (ii) the amount of time minors spend on the platform, delineated by age or age range; and (iii) the frequency and type of modification of default settings for minors’ social media accounts. The attorney general shall make such data available to the public on its website. The attorney general may promulgate regulations requiring the reporting of additional de-identified aggregate data about minors’ use of social media platforms.
Section 5. (a) A violation by a covered operator of this chapter shall constitute an unfair or deceptive act or practice in violation of chapter 93A. Notwithstanding sections 9 and 11 of said chapter 93A, the attorney general shall have exclusive authority to bring a civil action against a covered operator that violates this chapter.
(b) A covered operator found to be in violation of section 2 shall be punished by a civil fine of not more than $5,000 per violation; provided, however, that a covered operator shall be in violation of section 2 for each user account not in compliance with section 2.
(c) A covered operator that violates section 4 shall be liable for a civil penalty of not more than $1,000,000. Each day the violation of section 4 persists shall be a separate violation.
Section 6. Nothing in this chapter shall authorize access to a social media platform or to content on a social media platform by an individual otherwise prohibited from doing so under state or federal law.
Section 7. The attorney general may promulgate regulations to implement this chapter.
Section 8. The office of the attorney general shall maintain on its website an online submission platform to receive complaints, information or referrals from members of the public concerning a social media platform’s alleged compliance or non-compliance with this chapter.
SECTION 2. Not later than March 1, 2027, the attorney general shall promulgate regulations pursuant to chapter 93M of the General Laws.
SECTION 3. Section 1 shall take effect on August 1, 2027.