United States of America: Act concerning Social Media and Online Services, Products, and Features (SB 1295) including data protection regulation enters into force with grace period

On 1 July 2025, the Act Concerning Social Media Platforms and Online Services, Products and Features enters into force with a grace period. The Act requires owners of social media platforms to incorporate an online safety centre by 1 January 2026, providing resources for preventing cyberbullying, enabling access to mental health services, offering behavioural health educational resources, and explaining reporting mechanisms for harmful behaviour. A cyberbullying policy must also be established, setting forth procedures for handling reports. The Act expands the Connecticut Data Privacy Act, defining "heightened risk of harm to minors" to include risks such as anxiety disorders, compulsive use, physical violence, harassment, sexual exploitation, unlawful distribution of restricted substances, and unlawful gambling. Controllers must use reasonable care to avoid such risks, conduct data protection assessments, and implement mitigation plans. Processing of minors' personal data for targeted advertising, sales, or profiling is prohibited, and precise geolocation data collection requires safeguards. Impact assessments are mandated for profiling-based services, detailing purpose, risks, data categories, and transparency measures, with confidentiality protections under the Freedom of Information Act. The Act modifies the knowledge standard for identifying minors from "willful disregard" to "knowledge fairly implied based on objective circumstances" and removes consent provisions for certain processing activities. Educational exceptions apply for services used under an educational entity’s direction.