WeVote

Bill

Bill

AB 2246

Online service, product, or feature: access by children.

2025-2026 Regular Session Introduced by Cecilia Aguiar-Curry and 5 co-sponsors

AB 2246 requires online services likely used by under-18s to enforce strong default privacy, restrict profiling and excessive data collection, and face penalties for violations.

From committee: Do pass and re-refer to Com. on APPR. (Ayes 13. Noes 0.) (June 30). Re-referred to Com. on APPR.
0
WeVote Research Nonpartisan
Bill Summary · AB 2246

Summary of AB 2246 (2025-2026) – Online service, product, or feature: access by children

Commissioned: California Legislature

  • Jurisdiction: California
  • Bill number: AB 2246
  • Session: 2025-2026
  • Primary sponsor: Assembly Member Buffy Wicks
  • Co-sponsors: Rebecca Bauer-Kahan, Cecilia Aguiar-Curry, Cottie Petrie-Norris
  • Status notes: Introduced Feb 19, 2026; amended and moved through committee steps in Apr 2026; action history shows multiple passes in committees and adjustments

1) Main purpose and intent

AB 2246 creates a new framework, the Youth Social Media Protection Act, to regulate online services, products, or features that are likely to be accessed by children (under 18). The core aim is to:

  • Establish explicit privacy and safety requirements for services likely used by minors.
  • Prohibit certain practices that could harm children (e.g., default profiling, excessive data collection, geolocation by default, “dark patterns” to solicit more data, and age estimation for other purposes).
  • Impose civil penalties for violations, enforceable by the Attorney General, with funds directed to offset enforcement costs.
  • Require a future AG-initiated report to assess children’s safety features on social media platforms.

The bill aligns with the broader California policy focus on age-appropriate design and child privacy protections, expanding prior California law (e.g., the Age-Appropriate Design Code Act) by tightening exceptions and penalties.

2) Key provisions and changes

Sections added to the Business and Professions Code (Chapter 22.1.5) with detailed requirements:

  • Definitions (22583)

    • Child: under 18
    • Online service/product/feature: includes digital offerings likely to be accessed by children (with specific non-applicability to broadband/infrastructure and physical products)
    • Likely to be accessed by children: defined via indicators such as targeting children, audience composition, child-focused ads, design elements appealing to children, etc.
    • Default: preselected option
    • Profiling: automated processing to evaluate or predict attributes
  • Obligations for businesses likely to be accessed by children (22583.1)

    • Age estimation: estimate child age with reasonable certainty or apply child-focused protections to all users.
    • Default privacy settings: configure defaults to high privacy for children, unless a compelling reason exists.
    • Clear disclosures: provide privacy information, terms, and community standards in clear, age-appropriate language.
    • Monitoring signals: if monitoring or location tracking is available to parents/guardians, provide an obvious signal to the child when monitored or tracked.
    • Privacy controls: provide accessible tools to exercise privacy rights and report concerns.
  • Prohibited or restricted practices (22583.1(b))

    • Prohibit using a child’s personal information in ways that could cause significant mental distress or discrimination.
    • Prohibit default profiling of children.
    • Prohibit collecting, selling, sharing, or retaining extraneous personal information beyond what is necessary to provide the service to a child.
    • Prohibit using a child’s information for purposes other than the reason it was collected.
    • Prohibit collecting precise geolocation by default unless strictly necessary, limit duration of collection, and require clear signaling during collection.
    • Prohibit dark patterns to induce extra data collection.
    • Prohibit using collected information to estimate age for other purposes or retaining beyond necessary for age estimation.
    • Age-appropriate protections must be proportionate to risks.
  • Limitation on scope (22583.0/22583.3)

    • The chapter clarifies it does not apply to certain types of information or entities (consistent with Civil Code references).
  • Civil penalties and enforcement (22583.2)

    • Injunctions permitted.
    • Civil penalties: up to $2,500 per affected child for negligent violations; up to $7,500 per affected child for intentional violations.
    • Penalties deposited into the Consumer Privacy Fund to offset AG costs.
    • No private right of action created by this chapter.
    • AG may issue regulations and seek broad public participation to clarify requirements.
  • Reporting requirement (22588.3.5)

    • The Attorney General must submit a report to the Legislature on children’s safety features on social media platforms.
  • Severability (22583.4) and general advisory notes

    • Provisions are severable; invalid provisions do not invalidate others.

3) Who or what would be affected

  • Primary impact: Online services, products, or features that are likely to be accessed by children (under 18) in California.
  • Affected entities: Businesses providing such online services/products/features, including social media platforms and other digital services with child-facing interfaces or audiences.
  • Enforcement: California Attorney General (civil actions for violations; no private right of action).
  • Penalty beneficiaries: Civil penalties go to the Consumer Privacy Fund to offset AG costs.
  • Public accountability: AG-reporting obligation to Legislature regarding children’s safety features on social platforms.

4) Procedural and timeline aspects

  • Introduction and amendments occurred early 2026 with multiple committee referrals:
    • Referred to committees (P. & C.P., JUD, APPR) and amended.
    • Passed amendments and re-refer to appropriate committees; second-reading actions noted in April 2026.
  • Effective date: The text does not specify an explicit effective date in the excerpt; typically, California bills become operative upon enactment or a specified later date in the statute.
  • Oversight and updates: AG is authorized to adopt regulations and solicit public input to clarify requirements.

5) Practical implications and considerations

  • Stronger privacy defaults and explicit prohibitions on profiling and excessive data retention for minors could reduce risk of harm from child-directed digital services.
  • The penalties provide a deterrent but are structured to fund enforcement costs rather than private litigation.
  • The requirement for clear, age-appropriate disclosures and signals when monitoring occurs may improve transparency for children and guardians.
  • The report requirement to the Legislature could influence future policy with ongoing evaluation of child safety features in the digital ecosystem.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.