WeVote

Bill

Bill

H 3400

Child Data Privacy and Protection Act

2025-2026 Regular Session Introduced by Brandon Guffey and 3 co-sponsors

The bill confines how child data is collected, stored, and used by online products, requiring privacy-by-default, DPIAs, and a private right of action to enforce protections for un

Referred to Committee on Judiciary
0
WeVote Research Nonpartisan
Bill Summary · H 3400

Summary — Child Data Privacy and Protection Act (as provided)

Note on documents: The materials you provided include two distinct legislative texts that appear to be combined in the file. One is a Massachusetts House docket (H.3400) concerning prohibitions on recovering certain utility expenditures from ratepayers. The other is a separate South Carolina bill titled the "Child Data Privacy and Protection Act" (prefiled 12/05/2024). This summary focuses on the Child Data Privacy and Protection Act language and descriptive summary you supplied. Where available I note legislative timing shown in your materials.

Purpose and intent

The Child Data Privacy and Protection Act aims to strengthen protections for children (persons under 18) who use online products by limiting what personal data may be collected, retained, processed or sold; requiring privacy-by-default design; mandating risk assessments; improving transparency and account access; and establishing enforcement and private rights of action. The Office of the Attorney General plays an oversight role.

Key provisions (high-level)

  • Definitions: Broad definitions covering “child,” “child user,” “online product,” “data controller/processor,” “sale,” “targeted digital advertising,” and an extensive list of “personal data” (e.g., name, address, SSN, device identifiers, IP, e‑mail, account names, biometric data, medical/educational records, real‑time geolocation, browsing/search history, family member identifiers, and inferences/profile data).
  • Data Protection Impact Assessments (DPIAs): Entities offering online products targeted to child users in the state must complete DPIAs analyzing risks of their collection/retention/processing/sale of child data and documenting mitigation.
  • Prohibitions on data practices: The bill bars certain entities from collecting, retaining, processing, or selling specified personal data of child users (text supplied is truncated but the bill description lists these prohibitions as central).
  • Privacy by default: Online products must ship with the strictest privacy settings enabled for child users and retain child personal data only as long as necessary to provide the product.
  • Account access: Child users (or guardians) must have access to their accounts and associated data (allowing review, correction, deletion as specified in the bill).
  • Targeted advertising limitations: Restricts targeted digital advertising to children based on the enumerated personal data and device identifiers.
  • Transparency & notices: Requires prominently displayed privacy policies, specified notification methods, and likely obligations around breach notifications (details truncated).
  • Expedited legal process: Civil and criminal subpoenas and warrants described in the bill must be processed on an expedited basis when they implicate child data (per summary).
  • Public awareness and reporting: Directs a public awareness campaign and requires a report (details not included in excerpt).
  • Enforcement & cause of action: Grants the Office of the Attorney General enforcement authority and provides a private cause of action for violations (per summary).

Who is affected

  • Data controllers/processors that operate online products “targeted towards child users” in the state — including websites, apps, platforms, and services that collect or monetize child data.
  • Advertisers and ad networks that rely on child targeting or sell access to child data.
  • Parents, guardians, and child users (under 18) — who gain more privacy protections and account rights.
  • Developers and companies will face compliance obligations (DPIAs, privacy‑by‑default, policy disclosures).

Procedural / timeline notes

  • The SC bill was prefiled 12/05/2024 (per the materials). Portions of the text you provided are truncated; the bill description lists required assessments, notice rules, public campaigns, expedited warrants/subpoenas, and a private right of action.
  • Because the supplied packet also contains Massachusetts House docket material (H.3400) about utility ratepayer funds, verify which jurisdiction and bill number you intend to track. If you want a summary of the Massachusetts H.3400 (utility expenditures / ratepayer recovery restrictions), I can produce that separately.

Practical impact and considerations

  • Expected compliance costs for platforms (DPIAs, developer changes for privacy‑by‑default, policy updates).
  • Likely reduction in targeted advertising revenues tied to child audiences and stricter limits on data commercialization.
  • Increased consumer/guardian control and potential for litigation under the private right of action.
  • Enforcement will rely on guidance and actions by the Attorney General; the full bill text should be consulted for penalty amounts, timelines for remediation, and exact procedural mechanisms.

If you want, I can:
- Produce a short summary of the Massachusetts H.3400 utilities text included in your packet; or
- Pull and summarize the full Child Data Privacy bill text if you provide the remaining truncated sections.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.