California

It is not an addictive feed if the recommendation, prioritization or selection of content is based on information:

• not persistently associated with the device or the user’s previous interactions;
• consists of search terms not persistently associated with the user or device;
• consists of user-selected privacy or accessibility settings, technical device information or signals indicating the user is a minor;
• selected because the user requests the specific media or media by the author, creator or poster of the media, or the blocking, prioritization or de-prioritization of such media, provided the information isn’t associated with the user or device and the media is not automatically played;
• the media is exclusively the next media in a preexisting sequence from the same author, creator, poster or source and is not automatically played;
• the media consists of direct, private communications between users.

Prior to January 1, 2027, requires actual knowledge.

After January 1, 2027, the operator must reasonably determine the user is not a minor, pursuant to regulations to be promulgated by the Attorney General.

Prohibited from:

• Providing an addictive feed to a minor <18 without verifiable parental consent
• [Preliminarily Enjoined] Sending notifications to a minor between the hours of 12-6 AM and between the hours of 8 am-3 pm from Mon-Fri from Sept-May, without parental consent

Establish the following default settings which can be adjusted by parent:

• [Preliminarily Enjoined] No overnight (12-6 am) notifications;
• Length-of-time limited to 1 hour/day;
• [Preliminarily Enjoined] Limit child’s ability to access likes or other forms of feedback;
• Prioritization or recommendation feed shall be based on no information other than user’s age or status as a minor;
• Private mode where only users to whom child is connected can view or respond to content posted by child;
• Establish mechanism to allow parent to change the above settings.

• Enforced solely in a civil action by the AG

A parent’s provision of consent does not waive, release, otherwise limit, or serve as a defense to any claim that the parent might have against the operator regarding any harm to the mental health or well-being of the user.

“Covered platform” does not mean a website, online service, or app whose primary function is: (1) The sale of goods or services; (2) Cloud storage; (3) email; (4) Direct messaging, in which communications are viewable only by the sender and an intended recipient, that does not allow public content dissemination, interaction, or access; (5) Communication internal to an organization; or (6) Internal organizational collaboration services that are not offered to the general public or consumers outside the organization.

None, but the Covered Platform is not required to display the black box warning if it has reasonably determined the user is over 17 years of age.

Display the black box warning on each calendar day a user accesses the covered platform:

1. When user initially accesses the platform, taking up at least 25% of screen, for duration of at least 10 sec. unless the user affirmatively dismisses the warning; and
2. After 3 hours of cumulative use and thereafter at least once per hour, taking up 75% of the screen, for a duration of at least 30 seconds with no option to bypass or click through the warning.

Black box warning: In black text on white background: “The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.”

Enforced by A.G.

No private right of action.

Does not waive, release or otherwise limit, or serve as a defense to, any claim, including claims premised on a failure to warn.

A service or application that provides email or direct messaging services shall not be considered to meet this criterion on the basis of that function alone.

N/A

Must provide a clear and conspicuous “Delete Account” button is immediately visible in the platform’s settings menu and is available in the app, on a browser or any other format a user can use to access the platform. When clicked, the Social Media Platform must delete the account, including all of the user’s personal information. A request shall constitute a request under CCPA § 1798.105.

May seek verification in a cost-effective, and easy-to-use manner through pre-established two-factor authentication, email, text message or telephone call or message.

Self-reported. The operating system provider must provide an interface to require an account holder to indicate the birthdate, age, or both, of the user of that device

The Operating system provider must collect the birthdate, age or both of the user of the device and provide the user’s age bracket to the Developer of apps available in an app store.

Pre-existing users: for devices for which account setup was completed before 1/1/2027, the Operating system provider must obtain the user’s birthdate or age by July 1, 2027.

The Developer shall request a signal from the Operating system provider or the App Store when the application is downloaded and launched.

Pre-existing accounts: For apps that were downloaded and launched prior to 1/1/2027, the Developer must request the age bracket by July 1, 2027.

The Developer shall treat the age signal as the “primary indicator” of the user’s age unless the developer has clear and convincing information that the user’s age is different.

The Developer is deemed to have “actual knowledge” of the user’s age, even if the Developer willfully disregards the age signal.

Enforcement by CA AG.

Civil penalties available up to $2,500 per affected child for negligent violations and up to $7500 per child for intentional violations.

This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom the signal pertains.

• Cannot sell or share for cross-contextual advertising without consent of minor (if age 13-16) or the minor’s parent (if < 13)
• Parent can exercise rights on behalf of child
• Notice in Privacy Policy

Draft regulations on risk assessments could require risk assessments for processing PI from minors less than 16 years of age.

Civil penalty increases to $7,500 for each violation involving personal information from a consumer the business has actual knowledge is under 16.