On September 23, 2024, House Bill 1879 for the Online Safety Protection Act was re-reported as committed and laid on the table. This follows its first consideration by the House of Representatives Children and Youth Committee and recommission to the Rules Committee on June 11, 2024.

The bill applies to any business or organization knowingly processing a child's personal information and does not apply to an online service, product, or feature that is not offered to the public.

Definitions

The bill outlines several definitions, including 'data protection impact assessment' defined as a 'systematic survey to assess compliance with the duty to act in the best interests of a child.'

Requirements of covered entities

Under the bill, covered entities are required, among other things:

• complete a Data Protection Impact Assessment (DPIA) within two years before any new online service, product, or feature is offered to the public on or after the effective date of this paragraph while considering the type of processing and nature, scope, context, and purpose of the processing;

• maintain the documentation of the DPIAs;
• review DPIAs as necessary to account for any significant change;
• make the DPIAs available to the Attorney General (AG) upon request; and
• configure default privacy settings provided to a child by an online service, product, or feature to settings that offer a high level of privacy.

Data Protection Impact Assessments

The bill outlines that the DPIAs, among other things:

• must include the information outlined in the bill, such as the purpose of the online service, the manner of using the personal information of a child, and the determination of whether the service is consistent with the best interest of a child;
• are confidential and not accessible under the Right-to-Know Law; and
• that are conducted for the purpose of compliance with any other law of Pennsylvania will be deemed compliant under the bill.

Prohibited actions

Under the bill, the covered entities are prohibited from, among other things:

• using the personal information of a child in a way that is likely to result in high risk to the child;
• profiling a child by default if the profiling has been identified as high risk to the child on the basis of a DPIA, unless one of the exceptions outlined in the bill applies, such as the existence of appropriate safeguards or settings controls;
• collecting, retaining, processing, or disclosing the personal information of a child in a manner identified as high risk based on the DPIA;
• using personal information for any other reason than for which it was collected;
• collecting, selling, processing, or retaining the precise geolocation information of a child by default unless one of the exceptions outlined by the bill apply;
• tracking precise geolocation without providing a notice; and
• using dark patterns to knowingly lead or encourage a child to perform certain actions outlined by the bill.

Penalties

The bill outlines that the AG may bring a civil action in a competent court, and the court may:

• grant injunctive relief; or
• impose a civil penalty of no more than $2,500 per affected child for each negligent violation or no more than $7,500 per affected child.

Effective date

In case of enactment, the bill will enter into force on December 31, 2025.

You can read the bill here and track its progress here.