Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Pennsylvania: Bill relating to children's online safety protection introduced to General Assembly

On December 5, 2023, the Pennsylvania General Assembly reported that House Bill No. 1879, for the Online Safety Protection Act, was introduced to the General Assembly and referred to the Children and Youth Committee on the same date. In particular, the bill provides, among other things, the duties of 'covered entities' to protect the best interests of children who use online services, products, or features.

What is the scope of the bill?

The bill would apply to 'covered entities,' defined as businesses or organizations that knowingly process a child's personal information. The bill states, among other things that, if a conflict arises between commercial interests and the best interests of children, covered entities that develop online products, services, and features likely to be accessed by children must prioritize the privacy, safety, and well-being of children over their commercial interests.

What are the key provisions of the bill?

The bill defines 'child' as 'a consumer who a covered entity has actual knowledge is younger than 18 years of age. For the purpose of this definition, if a covered entity chooses to conduct age estimation to determine which user is a consumer younger than 18 years of age, the covered entity shall not be considered to have actual knowledge of data processing undertaken during the period when the covered entity is estimating age or for an erroneous estimation or for data processing in the absence of reasonable evidence that a user is a consumer younger than 18 years of age.'

The bill further defines, among others, 'best interest of child,' 'deidentified data,' 'dark patterns,' and 'data protection impact assessment.'

The bill also provides for duties and prohibitions of the covered entities including, among others:

  • requirement to complete a DPIA within two years before any new online service, product, or feature is offered to the public on or after the effective date of this paragraph, in accordance with Section 5 of the bill;
  • to configure default privacy settings provided to a child by an online service, product, or feature to settings that offer a high level of privacy, unless the underlying processing enhances the child's experience of the online service, product, or feature and the covered entity offers settings to control the use of the child's data for the purpose of enhancing the child's experience. If default privacy settings meet the criteria specified in this paragraph, the default privacy settings shall not be considered a dark pattern;
  • not use the personal information of a child likely to access the online service, product, or feature in a way that the covered entity knows is likely to result in a high risk to the child based on the DPIA, if the high risk has not been suitably mitigated; and
  • not profile a child by default if the profiling has been identified as high risk to the child on the basis of the DPIA if the high risk has not been suitably mitigated. The bill further provides certain exceptions to this rule.

Finally, the bill would give the Office of the Attorney General of Pennsylvania authority to initiate a civil action in a court of competent jurisdiction seeking injunctive relief or a civil penalty against a covered entity that violates the provisions of the bill.

You can read the bill here and track its progress here.

Feedback