General Assembly Substitute Bill No. 1295 January Session, 2025

AN ACT CONCERNING SOCIAL MEDIA PLATFORMS AND ONLINE SERVICES, PRODUCTS AND FEATURES.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2025) (a) As used in this section:

(1) "Consumer" means an individual who is a resident of this state and a user of a social media platform;

(2) "Cyberbullying" means any unwanted and aggressive behavior on a social media platform;

(3) "Mental health services" has the same meaning as provided in section 19a-498c of the general statutes;

(4) "Owner" means the person who owns a social media platform;

(5) "Person" means an individual, association, corporation, limited liability company, partnership, trust or other legal entity; and

(6) "Social media platform" has the same meaning as provided in section 42-528 of the general statutes.

(b) Not later than January 1, 2026, each owner of a social media platform shall incorporate an online safety center into the social media platform. Each online safety center shall, at a minimum, provide the consumers who use such social media platform with:

(1) Resources for the purposes of (A) preventing cyberbullying on such social media platform, and (B) enabling any consumer to identify any means available to such consumer to obtain mental health services, including, but not limited to, an Internet web site address or telephone number where such consumer may obtain mental health services for the treatment of an anxiety disorder or the prevention of suicide;

(2) Access to online behavioral health educational resources;

(3) An explanation of such social media platform's mechanism for reporting harmful or unwanted behavior, including, but not limited to, cyberbullying, on such social media platform; and

(4) Educational information concerning the impact that social media platforms have on users' mental health.

(c) Not later than January 1, 2026, each owner of a social media platform shall establish a cyberbullying policy for the social media platform. Such policy shall, at a minimum, set forth the manner in which such owner handles reports of cyberbullying on such social media platform.

Sec. 2. Section 42-529 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):

For the purposes of this section and sections 42-529a to 42-529e, inclusive, as amended by this act:

(1) "Adult" means any individual who is at least eighteen years of age;

(2) "Consent" has the same meaning as provided in section 42-515;

(3) "Consumer" has the same meaning as provided in section 42-515;

(4) "Controller" has the same meaning as provided in section 42-515;

(5) "Heightened risk of harm to minors" means processing minors' personal data in a manner that presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors, (B) any financial, physical or reputational injury to minors, [or] (C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person, (D) any anxiety or depressive disorder in minors, which disorder has objectively verifiable and clinically diagnosable symptoms and is related to compulsive use of any online service, product or feature by minors, (E) any compulsive use of any online service, product or feature by minors, (F) any physical violence against minors, (G) any harassment of minors on any online service, product or feature, which harassment is so severe, pervasive or objectively offensive as to impact one or more major life activities of minors, (H) any sexual abuse or sexual exploitation of minors, (I) any unlawful distribution or sale to minors of, or any consumption or use by minors of, any alcoholic beverage, as defined in section 30-1, cannabis, as defined in section 21a-420, cigarette, as defined in section 12-285, electronic nicotine delivery system, as defined in section 21a-415, infused beverage, as defined in section 21a-425, moderate-THC hemp product, as defined in section 21a-426, narcotic substance, as defined in section 21a-240, tobacco product, as defined in section 12-330a, or vapor product, as defined in section 21a-415, or (J) any unlawful gambling by minors;

(6) "HIPAA" has the same meaning as provided in section 42-515;

(7) "Minor" means any consumer who is younger than eighteen years of age;

(8) "Online service, product or feature" means any service, product or feature that is provided online. "Online service, product or feature" does not include any (A) telecommunications service, as defined in 47 USC 153, as amended from time to time, (B) broadband Internet access service, as defined in 47 CFR 54.400, as amended from time to time, or (C) delivery or use of a physical product;

(9) "Person" has the same meaning as provided in section 42-515;

(10) "Personal data" has the same meaning as provided in section 42-515;

(11) "Precise geolocation data" has the same meaning as provided in section 42-515;

(12) "Process" and "processing" have the same meaning as provided in section 42-515;

(13) "Processor" has the same meaning as provided in section 42-515;

(14) "Profiling" has the same meaning as provided in section 42-515;

(15) "Protected health information" has the same meaning as provided in section 42-515;

(16) "Sale of personal data" has the same meaning as provided in section 42-515;

(17) "Targeted advertising" has the same meaning as provided in section 42-515; and

(18) "Third party" has the same meaning as provided in section 42-515.

Sec. 3. Section 42-529a of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):

(a) Each controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or [wilfully disregards] knowledge fairly implied based on objective circumstances, are minors shall use reasonable care to avoid any heightened risk of harm to minors caused by such online service, product or feature. In any enforcement action brought by the Attorney General pursuant to section 42-529e, there shall be a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with the provisions of section 42-529b, as amended by this act, concerning data protection assessments and impact assessments.

(b) (1) [Subject to the consent requirement established in subdivision (3) of this subsection, no] No controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or [wilfully disregards] knowledge fairly implied based on objective circumstances, are minors shall [: (A) Process] process any minor's personal data: [(i) for] (A) For the purposes of [(I)] (i) targeted advertising, [(II)] (ii) any sale of personal data, or [(III)] (iii) profiling in furtherance of any [fully] automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care services or access to essential goods or services; [, (ii)] (B) unless such processing is reasonably necessary to provide such online service, product or feature; [, (iii)] (C) for any processing purpose [(I)] (i) other than the processing purpose that the controller disclosed at the time such controller collected such personal data, or [(II)] (ii) that is reasonably necessary for, and compatible with, the processing purpose described in subparagraph [(A)(iii)(I)] (C)(i) of this subdivision; [,] or [(iv)] (D) for longer than is reasonably necessary to provide such online service, product or feature. [; or (B) use any system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature.]
The provisions of this subdivision shall not apply to any service or application that is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program.

(2) [Subject to the consent requirement established in subdivision (3) of this subsection, no] No controller that offers an online service, product or feature to consumers whom such controller has actual knowledge, or [wilfully disregards] knowledge fairly implied based on objective circumstances, are minors shall collect a minor's precise geolocation data unless: (A) Such precise geolocation data is reasonably necessary for the controller to provide such online service, product or feature and, if such data is necessary to provide such online service, product or feature, such controller may only collect such data for the time necessary to provide such online service, product or feature; and (B) the controller provides to the minor a signal indicating that such controller is collecting such precise geolocation data, which signal shall be available to such minor for the entire duration of such collection.

[(3) No controller shall engage in the activities described in subdivisions (1) and (2) of this subsection unless the controller obtains the minor's consent or, if the minor is younger than thirteen years of age, the consent of such minor's parent or legal guardian.
A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and exemptions may be amended from time to time, shall be deemed to have satisfied any requirement to obtain parental consent under this subdivision.]

(c) (1) No controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or [wilfully disregards] knowledge fairly implied based on objective circumstances, are minors shall: (A) Provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making or choice; [or] (B) except as provided in subdivision (2) of this subsection, offer any direct messaging apparatus for use by minors [without providing] unless (i) such controller provides readily accessible and easy-to-use safeguards to [limit the ability of adults to send] enable any minor, or any minor's parent or legal guardian, to prevent any adult from sending any unsolicited [communications to minors with whom they are not connected] communication to such minor unless such minor and adult are already connected on such online service, product or feature, and (ii) the safeguards required under subparagraph (B)(i) of this subdivision, as a default setting, prevent any adult from sending any unsolicited communication to any minor unless such minor and adult are already connected on such online service, product or feature; or (C) except as provided in subdivision (3) of this subsection, use any system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature.

(2) The provisions of subparagraph (B) of subdivision (1) of this subsection shall not apply to services where the predominant or exclusive function is: (A) Electronic mail; or (B) direct messaging consisting of text, photos or videos that are sent between devices by electronic means, where messages are (i) shared between the sender and the recipient, (ii) only visible to the sender and the recipient, and (iii) not posted publicly.

(3) The provisions of subparagraph (C) of subdivision (1) of this subsection shall not apply to any service or application that is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program.

Sec. 4.
Section 42-529b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):

(a) Each controller that [, on or after October 1, 2024,] offers any online service, product or feature to consumers whom such controller has actual knowledge, or [wilfully disregards] knowledge fairly implied based on objective circumstances, are minors shall conduct a data protection assessment for such online service, product or feature: (1) In a manner that is consistent with the requirements established in section 42-522; and (2) that addresses (A) the purpose of such online service, product or feature, (B) the categories of minors' personal data that such online service, product or feature processes, (C) the purposes for which such controller processes minors' personal data with respect to such online service, product or feature, and (D) any heightened risk of harm to minors that is a reasonably foreseeable result of offering such online service, product or feature to minors.

(b) Each controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or knowledge fairly implied based on objective circumstances, are minors shall, if such online service, product or feature engages in any profiling based on such consumers' personal data, conduct an impact assessment for such online service, product or feature. Such impact assessment shall include, to the extent reasonably known by or available to the controller, as applicable: (1) A statement by the controller disclosing the purpose, intended use cases and deployment context of, and benefits afforded by, such online service, product or feature, if such online service, product or feature engages in any profiling for the purpose of making decisions that produce legal or similarly significant effects concerning such consumers; (2) an analysis of whether such profiling poses any known or reasonably foreseeable heightened risk of harm to minors and, if so, (A) the nature of such heightened risk of harm to minors, and (B) the steps that have been taken to mitigate such heightened risk of harm to minors; (3) a description of (A) the categories of personal data such online service, product or feature processes as inputs for the purposes of such profiling, and (B) the outputs such online service, product or feature produces for the purposes of such profiling; (4) an overview of the categories of personal data the controller used to customize such online service, product or feature for the purposes of such profiling, if the controller used data to customize such online service, product or feature for the purposes of such profiling; (5) any metrics used to evaluate the performance and known limitations of such online service, product or feature for the purposes of such profiling; (6) a description of any transparency measures taken concerning such online service, product or feature with respect to such profiling, including, but not limited to, any measures taken to disclose to consumers that such online service, product or feature is being used for such profiling while such online service, product or feature is being used for such profiling; and (7) a description of the post-deployment monitoring and user safeguards provided concerning such online service, product or feature for the purposes of such profiling, including, but not limited to, the oversight, use and learning processes established by the controller to address issues arising from deployment of such online service, product or feature for the purposes of such profiling.

[(b)] (c) Each controller that conducts a data protection assessment pursuant to subsection (a) of this section, or an impact assessment pursuant to subsection (b) of this section, shall: (1) Review such data protection assessment or impact assessment as necessary to account for any material change to the processing or profiling operations of the online service, product or feature that is the subject of such data protection assessment or impact assessment; and (2) maintain documentation concerning such data protection assessment or impact assessment for the longer of (A) the three-year period beginning on the date on which such processing or profiling operations cease, or (B) as long as such controller offers such online service, product or feature.

[(c)] (d) A single data protection assessment or impact assessment may address a comparable set of processing or profiling operations that include similar activities.

[(d)] (e) If a controller conducts a data protection assessment or impact assessment for the purpose of complying with another applicable law or regulation, the data protection assessment or impact assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment or impact assessment is reasonably similar in scope and effect to the data protection assessment or impact assessment that would otherwise be conducted pursuant to this section.

[(e)] (f) If any controller conducts a data protection assessment pursuant to subsection (a) of this section, or an impact assessment pursuant to subsection (b) of this section, and determines that the online service, product or feature that is the subject of such assessment poses a heightened risk of harm to minors, such controller shall establish and implement a plan to mitigate or eliminate such risk. The Attorney General may require a controller to disclose to the Attorney General a plan established and implemented pursuant to this subsection if the plan is relevant to an investigation conducted by the Attorney General.

[(f)] (g) Data protection assessments and impact assessments shall be confidential and shall be exempt from disclosure under the Freedom of Information Act, as defined in section 1-200. To the extent any information contained in a data protection assessment or impact assessment disclosed to the Attorney General includes information subject to the attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

Sec. 5.
Section 42-529c of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):

(a) A processor shall adhere to the instructions of a controller, and shall: (1) Assist the controller in meeting the controller's obligations under sections 42-529 to 42-529e, inclusive, as amended by this act, taking into account (A) the nature of the processing, (B) the information available to the processor by appropriate technical and organizational measures, and (C) whether such assistance is reasonably practicable and necessary to assist the controller in meeting such obligations; and (2) provide any information that is necessary to enable the controller to conduct and document data protection assessments and impact assessments pursuant to section 42-529b, as amended by this act.

(b) Each processor that offers any online service, product or feature to consumers whom such processor has actual knowledge, or knowledge fairly implied based on objective circumstances, are minors shall, if such online service, product or feature engages in any profiling based on such consumers' personal data, conduct an impact assessment for such online service, product or feature. Such impact assessment shall include, to the extent reasonably known by or available to the processor, as applicable: (1) A statement by the processor disclosing the purpose, intended use cases and deployment context of, and benefits afforded by, such online service, product or feature, if such online service, product or feature engages in any profiling for the purpose of making decisions that produce legal or similarly significant effects concerning such consumers; (2) an analysis of whether such profiling poses any known or reasonably foreseeable heightened risk of harm to minors and, if so, (A) the nature of such heightened risk of harm to minors, and (B) the steps that have been taken to mitigate such heightened risk of harm to minors; (3) a description of (A) the categories of personal data such online service, product or feature processes as inputs for the purposes of such profiling, and (B) the outputs such online service, product or feature produces for the purposes of such profiling; (4) an overview of the categories of personal data the processor used to customize such online service, product or feature for the purposes of such profiling, if the processor used data to customize such online service, product or feature for the purposes of such profiling; (5) any metrics used to evaluate the performance and known limitations of such online service, product or feature for the purposes of such profiling; (6) a description of any transparency measures taken concerning such online service, product or feature with respect to such profiling, including, but not limited to, any measures taken to disclose to consumers that such online service, product or feature is being used for such profiling while such online service, product or feature is being used for such profiling; and (7) a description of the post-deployment monitoring and user safeguards provided concerning such online service, product or feature for the purposes of such profiling, including, but not limited to, the oversight, use and learning processes established by the processor to address issues arising from deployment of such online service, product or feature for the purposes of such profiling.

(c) Each processor that conducts an impact assessment pursuant to subsection (b) of this section shall: (1) Review such impact assessment as necessary to account for any material change to the profiling operations of the online service, product or feature that is the subject of such impact assessment; and (2) maintain documentation concerning such impact assessment for the longer of (A) the three-year period beginning on the date on which such profiling operations cease, or (B) as long as such processor offers such online service, product or feature.

(d) A single impact assessment may address a comparable set of profiling operations that include similar activities.

(e) If a processor conducts an impact assessment for the purpose of complying with another applicable law or regulation, the impact assessment shall be deemed to satisfy the requirements established in this section if such impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be conducted pursuant to this section.

(f) If any processor conducts an impact assessment pursuant to subsection (b) of this section and determines that the online service, product or feature that is the subject of such assessment poses a heightened risk of harm to minors, such processor shall establish and implement a plan to mitigate or eliminate such risk. The Attorney General may require a processor to disclose to the Attorney General a plan established and implemented pursuant to this subsection if the plan is relevant to an investigation conducted by the Attorney General.

(g) Impact assessments shall be confidential and shall be exempt from disclosure under the Freedom of Information Act, as defined in section 1-200.
To the extent any information contained in an impact assessment disclosed to the Attorney General includes information subject to the attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

[(b)] (h) A contract between a controller and a processor shall satisfy the requirements established in subsection (b) of section 42-521.

[(c)] (i) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in sections 42-529 to 42-529e, inclusive, as amended by this act.

[(d)] (j) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under section 42-529e.

This act shall take effect as follows and shall amend the following sections:

Section 1    October 1, 2025    New section
Sec. 2       October 1, 2025    42-529
Sec. 3       October 1, 2025    42-529a
Sec. 4       October 1, 2025    42-529b
Sec. 5       October 1, 2025    42-529c

GL Joint Favorable Subst.