
HB 2108 An Act providing for duties of covered entities to protect the best interests of children that use online services, products or features and for data protection impact assessments; prohibiting certain actions by covered entities; and imposing penalties.

Congress · introduced 2025-12-18

Latest action: Referred to CHILDREN AND YOUTH, Dec. 18, 2025


Action timeline

  1. · house Referred to CHILDREN AND YOUTH, Dec. 18, 2025


Bill text

Printer's No. 2727 · 24,688 characters · source document

PRINTER'S NO.    2727

                   THE GENERAL ASSEMBLY OF PENNSYLVANIA



                       HOUSE BILL
                       No. 2108
                                               Session of
                                                 2025

     INTRODUCED BY McNEILL, STEELE, WAXMAN, FREEMAN, SANCHEZ,
        McANDREW, RIVERA, D. WILLIAMS, HILL-EVANS AND PARKER,
        DECEMBER 18, 2025

     REFERRED TO COMMITTEE ON CHILDREN AND YOUTH, DECEMBER 18, 2025


                                   AN ACT
 1   Providing for duties of covered entities to protect the best
 2      interests of children that use online services, products or
 3      features and for data protection impact assessments;
 4      prohibiting certain actions by covered entities; and imposing
 5      penalties.
 6      The General Assembly of the Commonwealth of Pennsylvania
 7   hereby enacts as follows:
 8   Section 1.   Short title.
 9      This act shall be known and may be cited as the Online Safety
10   Protection Act.
11   Section 2.   Findings and declarations.
12      The General Assembly finds and declares as follows:
13          (1)   Covered entities that develop and provide online
14      services, products or features that children are likely to
15      access should consider the best interests of children when
16      designing, developing and providing that online service,
17      product or feature.
18          (2)   If a conflict arises between commercial interests
19      and the best interests of children, covered entities that
 1      develop online products, services or features likely to be
 2      accessed by children should prioritize the privacy, safety
 3      and well-being of children over commercial interests.
 4   Section 3.   Definitions.
 5      The following words and phrases when used in this act shall
 6   have the meanings given to them in this section unless the
 7   context clearly indicates otherwise:
 8      "Actual knowledge."      In relation to a covered entity that
 9   chooses to conduct age estimation to determine whether a user is
10   a consumer under 18 years of age. The term does not include:
11          (1)   data processing undertaken during the period when
12      the covered entity is estimating age;
13          (2)   an erroneous estimation; or
14          (3)   data processing in the absence of reasonable
15      evidence that a user is a consumer under 18 years of age.
16      "Best interests of children."         The use, by a covered entity
17   that provides an online product reasonably likely to be accessed
18   by children, of the personal data of children or the design of
19   the online product in a way that will not infringe on children's
20   access to information and will not prioritize the covered
21   entity's commercial interests over children's interests in a way
22   that would cause:
23          (1)   reasonably foreseeable and material physical or
24      financial harm to children;
25          (2)   severe and reasonably foreseeable psychological or
26      emotional harm to children;
27          (3)   a reasonably foreseeable and highly offensive
28      intrusion on children's reasonable expectation of privacy and
29      the risk of foregoing such harms was known to the covered
30      entity on the basis of a data protection impact assessment

20250HB2108PN2727                     - 2 -
 1      for the online product under this act; or
 2          (4)    unlawful discrimination against children based on
 3      race, color, religion, national origin, disability, gender
 4      identity, sex or sexual orientation.
 5      "Child."     A consumer who is under 18 years of age.
 6      "Collect."     The act of buying, renting, gathering, obtaining,
 7   receiving or accessing personal information pertaining to a
 8   consumer by any means. The term includes receiving information
 9   from a consumer, either actively or passively, or by observing
10   the consumer's behavior.
11      "Consumer."     An individual who is a resident of this
12   Commonwealth. The term does not include an individual acting in
13   a commercial or employment context or as an employee, owner,
14   director, officer or contractor of a company, partnership, sole
15   proprietorship, nonprofit entity or State agency whose
16   communications or transactions with a covered entity occur
17   solely within the context of the individual's role with the
18   company, partnership, sole proprietorship, nonprofit entity or
19   State agency.
20      "Covered entity."     A business or organization that knowingly
21   processes a child's personal information.
22      "Dark pattern."     A user interface knowingly designed with the
23   intended purpose of subverting or impairing user decision making
24   or choice.
25      "Data protection impact assessment."     A systematic survey to
26   assess compliance with the duty to act in the best interests of
27   a child.
28      "Default."     A preselected option adopted by a covered entity
29   for the online service, product or feature.
30      "Deidentified data."     Data that meets all of the following

 1   criteria:
 2          (1)   The data cannot reasonably be linked to an
 3      individual or a device linked to the individual.
 4          (2)   The data is in the possession of a covered entity
 5      that:
 6                (i)    takes reasonable technical and administrative
 7          measures to prevent the data from being reidentified;
 8                (ii)    does not attempt to reidentify the data and
 9          publicly commits not to attempt to reidentify the data;
10          and
11                (iii)    contractually obligates a person to which the
12          covered entity transfers the data to comply with the
13          requirements of this paragraph.
14      "Likely to be accessed by a child."     Reasonable expectation
15   that an online service, product or feature would be accessed by
16   a child, based on the following indicators:
17          (1)   The online service, product or feature is directed
18      to a child as defined in 15 U.S.C. § 6501 (relating to
19      definitions).
20          (2)   The online service, product or feature is
21      determined, based on competent and reliable evidence
22      regarding audience composition, to be routinely accessed by a
23      significant number of children.
24      "Online service, product or feature."     The term does not
25   include any of the following:
26          (1)   A telecommunications service as defined in 47 U.S.C.
27      § 153(53) (relating to definitions).
28          (2)   The delivery or use of a physical product.
29          (3)   Broadband Internet access service as defined in 47
30      CFR 54.400 (relating to terms and definitions).

 1      "Personal information."   Information that is linked or
 2   reasonably linkable to an identified or identifiable individual.
 3   The term does not include deidentified data or publicly
 4   available information.
 5      "Precise geolocation information."    Data that is derived from
 6   a device and used or intended to be used to locate a consumer
 7   within a geographic area that is equal to or less than the area
 8   of a circle with a radius of 1,850 feet.
 9      "Process."   To perform an operation or set of operations by
10   manual or automated means on personal data, including
11   collecting, using, storing, disclosing, analyzing, deleting or
12   modifying personal data.
13      "Processor."   A natural or legal entity that processes
14   personal data on behalf of a controller of personal data.
15      "Profile."   A form of automated processing of personal
16   information that uses personal information to evaluate certain
17   aspects relating to an individual, including analyzing or
18   predicting aspects concerning an individual's performance at
19   work, economic situation, health, personal preferences,
20   interests, reliability, behavior, location or movements. The
21   term does not include processing that does not result in some
22   assessment or judgment about an individual.
23      "Publicly available information."    Any of the following:
24          (1)   Information that is lawfully made available through
25      Federal, State or local government records.
26          (2)   Information that a business or organization has a
27      reasonable basis to believe is lawfully made available to the
28      general public through widely distributed media by a consumer
29      or by a person to whom the consumer has disclosed the
30      information, unless the consumer has restricted the

 1      information to a specific audience.
 2   Section 4.   Duties of covered entities.
 3      A covered entity that provides an online service, product or
 4   feature likely to be accessed by a consumer for whom the covered
 5   entity has actual knowledge is a child has the following duties:
 6          (1)   Within two years before any new online service,
 7      product or feature is offered to the public on or after the
 8      effective date of this paragraph, complete a data protection
 9      impact assessment in accordance with section 5 for an online
10      service, product or feature likely to be accessed by the
11      child. In completing the data protection impact assessment,
12      the covered entity shall consider the type of processing used
13      in the online service, product or feature, including new
14      technology, and take into account the nature, scope, context
15      and purpose of the processing that is likely to result in
16      high risk to the child.
17          (2)   Maintain documentation of each data protection
18      impact assessment completed under paragraph (1) during the
19      time period when the online service, product or feature is
20      reasonably likely to be accessed by the child and uses
21      processing that is likely to result in high risk to the
22      child.
23          (3)   Review each data protection impact assessment
24      completed under paragraph (1) as necessary to account for any
25      significant change to the processing operations of an online
26      service, product or feature.
27          (4)   Make each data protection impact assessment
28      completed under paragraph (1) available, within a reasonable
29      time period, to the Office of Attorney General upon written
30      request. Nothing in this paragraph shall be construed to

 1      require the covered entity to disclose information to the
 2      Office of Attorney General in a manner that would disclose
 3      the covered entity's trade secrets.
 4            (5)   Configure default privacy settings provided to the
 5      child by an online service, product or feature to settings
 6      that offer a high level of privacy, unless the underlying
 7      processing enhances the child's experience of the online
 8      service, product or feature and the covered entity offers
 9      settings to control the use of the child's data for the
10      purpose of enhancing the child's experience. If default
11      privacy settings meet the criteria specified under this
12      paragraph, the default privacy settings are not considered a
13      dark pattern.
14   Section 5.     Data protection impact assessments.
15      (a)   Information.--A covered entity shall include all of the
16   following information in a data protection impact assessment
17   required under section 4(1):
18            (1)   The purpose of an online service, product or feature
19      provided by the covered entity.
20            (2)   The manner in which the online service, product or
21      feature uses a child's personal information.
22            (3)   A determination whether the online service, product
23      or feature is designed and offered in a manner consistent
24      with the best interests of a child who is reasonably likely
25      to access the online service, product or feature. In making
26      the determination under this paragraph, the covered entity
27      shall include all of the following information:
28                  (i)    A systematic description of the anticipated
29            processing operations and the purpose of the processing.
30                  (ii)    An assessment of the necessity and

 1            proportionality of the processing operations in relation
 2            to the purpose of the processing. For the purpose of this
 3            subparagraph, a single assessment may address a set of
 4            similar processing operations that present similar risks.
 5                (iii)   An assessment of the risks to the rights and
 6            freedoms of a child.
 7                (iv)    The measures anticipated to address the risks,
 8            including safeguards, security measures and mechanisms,
 9            to ensure the protection of personal information and to
10            demonstrate compliance with this act, taking into account
11            the rights and freedoms of a child.
12      (b)   Accessibility.--A data protection impact assessment
13   required under section 4(1) shall be protected as confidential
14   and is not subject to inspection and duplication under the act
15   of February 14, 2008 (P.L.6, No.3), known as the Right-to-Know
16   Law.
17      (c)   Attorney-client privilege.--To the extent information
18   contained in a data protection impact assessment required under
19   section 4(1) and disclosed to the Office of Attorney General
20   under section 4(4) includes information subject to attorney-
21   client privilege or work product protection, the disclosure does
22   not constitute a waiver of attorney-client privilege or work
23   product protection.
24      (d)   Compliance.--A data protection impact assessment
25   conducted by a covered entity for the purpose of compliance with
26   any other law of this Commonwealth shall be deemed to comply
27   with the requirements of this act.
28   Section 6.   Prohibition on certain actions by covered entities.
29      A covered entity that provides an online service, product or
30   feature reasonably likely to be accessed by a consumer for whom

 1   the covered entity has actual knowledge is a child may not take
 2   any of the following actions:
 3          (1)   Use the personal information of the child likely to
 4      access the online service, product or feature in a way that
 5      the covered entity knows is likely to result in high risk to
 6      the child on the basis of a data protection impact assessment
 7      required under section 4(1) if the high risk has not been
 8      suitably mitigated through measures identified in the data
 9      protection impact assessment.
10          (2)   Profile the child by default if the profiling has
11      been identified as high risk to the child on the basis of a
12      data protection impact assessment required under section 4(1)
13      if the high risk has not been suitably mitigated through
14      measures identified in the data protection impact assessment.
15      If the covered entity profiles by default, there is a
16      presumption that the profiling does not violate this
17      paragraph if any of the following apply:
18                (i)    The covered entity can demonstrate that the
19          covered entity has appropriate safeguards in place to
20          protect the child.
21                (ii)    The profiling is necessary to provide the
22          online service, product or feature requested and only
23          used regarding the aspects of the online service, product
24          or feature with which the child is actively and knowingly
25          engaged.
26                (iii)    The profiling enhances the child's experience
27          on the online service, product or feature and the covered
28          entity offers settings to control the use of the child's
29          data for the purpose of enhancing the child's experience.
30          (3)   Collect, retain, process or disclose the personal

 1    information of the child in a manner that has been identified
 2    as high risk to the child on the basis of a data protection
 3    impact assessment required under section 4(1) if the high
 4    risk has not been suitably mitigated through measures
 5    identified in the data protection impact assessment.
 6        (4)   Use personal information for any reason other than a
 7    reason for which that personal information was collected,
 8    unless the covered entity can demonstrate a compelling reason
 9    that use of the personal information is in the best interests
10    of the child.
11        (5)   Collect, sell, process or retain the precise
12    geolocation information of the child by default unless any of
13    the following apply:
14              (i)    The covered entity can demonstrate a compelling
15        reason that the processing is in the best interests of
16        the child.
17              (ii)   The processing enhances the child's experience
18        of the online service, product or feature and the covered
19        entity offers settings to control the use of the child's
20        data for the purposes of enhancing the child's
21        experience.
22        (6)   Track the precise geolocation information of the
23    child without providing notice regarding the tracking of the
24    child's precise geolocation information.
25        (7)   Use dark patterns to knowingly lead or encourage the
26    child to do any of the following:
27              (i)    Provide personal information in excess of what
28        is reasonably expected to furnish an online service,
29        product or feature.
30              (ii)   Forego privacy protections.

 1                  (iii)   Take any action that the covered entity knows
 2            is not in the best interests of a child reasonably likely
 3            to access the online service, product or feature.
 4   Section 7.     Penalties.
 5      (a)   Actions.--The Office of Attorney General may initiate a
 6   civil action in a court of competent jurisdiction seeking
 7   injunctive relief or a civil penalty against a covered entity
 8   that violates this act in accordance with this section. Upon a
 9   covered entity being found liable for a violation of this act by
10   a court of competent jurisdiction, the court may issue an order:
11            (1)   granting injunctive relief; or
12            (2)   imposing a civil penalty of no more than $2,500 per
13      affected child for each negligent violation or no more than
14      $7,500 per affected child for each intentional violation.
15      (b)   Remittance.--Civil penalties awarded under subsection
16   (a) shall be remitted to the Office of Attorney General to
17   offset the costs incurred by the Office of Attorney General in
18   enforcing this act.
19      (c)   Notice.--If a covered entity has made a good faith
20   effort to comply with the requirements under section 4, the
21   Office of Attorney General shall provide written notice to the
22   covered entity before initiating a civil action under subsection
23   (a). The Office of Attorney General shall, in the written
24   notice, identify the specific provisions of this act that the
25   Office of Attorney General alleges to have been or are being
26   violated.
27      (d)   Cured violation.--If, no later than 90 days after
28   receipt of the written notice required under subsection (c), the
29   covered entity cures an alleged violation specified in the
30   written notice and provides the Office of Attorney General with

 1   written evidence that the alleged violation has been cured and
 2   the covered entity has taken sufficient measures to prevent a
 3   future violation of this act, the covered entity is not civilly
 4   liable for the alleged violation.
 5      (e)   Compliance with Federal law.--Compliance by a covered
 6   entity with 15 U.S.C. Ch. 91 (relating to children's online
 7   privacy protection) shall constitute compliance with this act
 8   for an individual under 13 years of age.
 9   Section 8.     Construction.
10      Nothing in this act shall be construed to:
11            (1)   provide a private right of action under this act or
12      any other law of this Commonwealth;
13            (2)   impose liability in a manner that is inconsistent
14      with 47 U.S.C. § 230 (relating to protection for private
15      blocking and screening of offensive material); or
16            (3)   infringe on the existing rights and freedoms of a
17      child.
18   Section 9.     Applicability.
19      (a)   Nonapplicability.--This act shall not apply to any of
20   the following:
21            (1)   An online service, product or feature that is not
22      offered to the public.
23            (2)   Protected health information that is collected by a
24      covered entity or a covered entity's associate governed by
25      the privacy, security and breach notification rules issued by
26      the United States Department of Health and Human Services
27      under 45 CFR Subt. A Subch. C Pts. 160 (relating to general
28      administrative requirements) and 164 (relating to security
29      and privacy) in accordance with the Health Insurance
30      Portability and Accountability Act of 1996 (Public Law 104-

 1    191, 110 Stat. 1936) and the Health Information Technology
 2    for Economic and Clinical Health Act (Public Law 111-5, 123
 3    Stat. 226-279 and 467-496).
 4          (3)   A covered entity governed by the privacy, security
 5    and breach notification rules issued by the United States
 6    Department of Health and Human Services under 45 CFR Subt. A
 7    Subch. C Pts. 160 and 164 in accordance with the Health
 8    Insurance Portability and Accountability Act of 1996 to the
 9    extent the covered entity maintains patient information in
10    the same manner as protected health information under
11    paragraph (2).
12          (4)   Information collected as part of a clinical trial
13    subject to the Federal Policy for the Protection of Human
14    Subjects, also known as the Common Rule, in accordance with
15    good clinical practice guidelines issued by the International
16    Council for Harmonisation of Technical Requirements for
17    Pharmaceuticals for Human Use or in accordance with the human
18    subject protection requirements of the United States Food and
19    Drug Administration.
20    (b)   Conflicting Federal laws.--
21          (1)   This act shall not apply upon the effective date of
22    a Federal law, regulation or rule or an amendment or
23    modification to a Federal law, regulation or rule, including
24    an amendment to 15 U.S.C. Ch. 91 (relating to children's
25    online privacy protection), relating to any of the following:
26                (i)    A covered entity's collection, use, retention or
27          disclosure of personal information of an individual under
28          18 years of age.
29                (ii)   Consent requirements for the collection, use,
30          retention or disclosure of personal information of an

 1          individual under 18 years of age, including consent
 2          requirements to register for or maintain an account with
 3          an online service.
 4                 (iii)   Requirements to ascertain or verify the age of
 5          an individual.
 6                 (iv)    Parental settings, controls or other oversight
 7          or monitoring mechanisms.
 8          (2)    The Office of Attorney General shall submit a notice
 9      to the Legislative Reference Bureau for publication in the
10      next available issue of the Pennsylvania Bulletin of the
11      effective date of a Federal law, regulation or rule or an
12      amendment or modification to a Federal law, regulation or
13      rule specified under paragraph (1).
14   Section 10.    Effective date.
15      This act shall take effect December 31, 2027.





Connected on the graph

Outbound (1)

| date | type | to | amount | role | source |
|---|---|---|---|---|---|
|  | referred_to_committee | Pennsylvania House Children And Youth Committee |  |  | pa-leg |

The full graph

Every typed relationship touching this entity — 1 edge across 1 category. Grouped by what the connection is; the heaviest few are shown, with a link to the full list.

Committees

Referred to committee 1 edge

Who matters

Members ranked by combined influence on this bill: role (sponsor 5 / cosponsor 1), capped speech count from the Congressional Record, and recorded-vote engagement.

| # | Member | Role | Speeches | Voted | Score |
|---|---|---|---|---|---|
| 1 | Jeanne McNeill (D, state_lower PA-133) | sponsor | 0 |  | 5 |
| 2 | Ben Waxman (D, state_lower PA-182) | cosponsor | 0 |  | 1 |
| 3 | Benjamin V. Sanchez (D, state_lower PA-153) | cosponsor | 0 |  | 1 |
| 4 | Carol Hill-Evans (D, state_lower PA-95) | cosponsor | 0 |  | 1 |
| 5 | Dan K. Williams (D, state_lower PA-74) | cosponsor | 0 |  | 1 |
| 6 | Darisha K. Parker (D, state_lower PA-198) | cosponsor | 0 |  | 1 |
| 7 | Gina H. Curry (D, state_lower PA-164) | cosponsor | 0 |  | 1 |
| 8 | III John C. Inglis (D, state_lower PA-38) | cosponsor | 0 |  | 1 |
| 9 | Joe McAndrew (D, state_lower PA-32) | cosponsor | 0 |  | 1 |
| 10 | Johanny Cepeda-Freytiz (D, state_lower PA-129) | cosponsor | 0 |  | 1 |
| 11 | Mandy Steele (D, state_lower PA-33) | cosponsor | 0 |  | 1 |
| 12 | Nikki Rivera (D, state_lower PA-96) | cosponsor | 0 |  | 1 |
| 13 | Robert Freeman (D, state_lower PA-136) | cosponsor | 0 |  | 1 |

Predicted vote

Aggregated from: actual roll-call votes (when present) → sponsor → cosponsor → party median (predicts YES when ≥25% of the caucus sponsored/cosponsored). Each row labels its confidence tier so you can see why a position was predicted.

0 predicted yes (0%) · 543 predicted no (100%) · 0 unknown (0%)

By party: · R: 0 yes / 277 no · D: 0 yes / 263 no · I: 0 yes / 3 no

Activity

Every typed-graph event involving this entity, newest first. Each row is one edge in the influence graph; click the date to jump to its provenance.

  1. 2026-05-20 · was referred to Pennsylvania House Children And Youth Committee · pa-leg
