United States of America: Act concerning Social Media and Online Services, Products, and Features (SB 1295) including data protection regulation enters into force

On 1 January 2026, the Act Concerning Social Media Platforms and Online Services, Products and Features enters fully into force. The Act, which entered into effect on 1 July 2025, established a grace period during which regulated entities were expected to prepare for compliance. The Act required owners of social media platforms to incorporate an online safety centre by 1 January 2026, providing resources for preventing cyberbullying, enabling access to mental health services, offering behavioural health educational resources, and explaining reporting mechanisms for harmful behaviour. A cyberbullying policy also had to be established, setting forth procedures for handling reports. The Act expanded the Connecticut Data Privacy Act, defining "heightened risk of harm to minors" to include risks such as anxiety disorders, compulsive use, physical violence, harassment, sexual exploitation, unlawful distribution of restricted substances, and unlawful gambling. Controllers were required to use reasonable care to avoid such risks, conduct data protection assessments, and implement mitigation plans. Processing of minors' personal data for targeted advertising, sales, or profiling was prohibited, and precise geolocation data collection required safeguards. Impact assessments were mandated for profiling-based services, detailing purpose, risks, data categories, and transparency measures, with confidentiality protections under the Freedom of Information Act. The Act modified the knowledge standard for identifying minors from "willful disregard" to "knowledge fairly implied based on objective circumstances" and removed consent provisions for certain processing activities. Educational exceptions apply for services used under an educational entity’s direction.