§ 2449d. Required default privacy settings and tools [Effective January 1, 2027]
(a) Default privacy settings.
(1) A covered business shall configure all default privacy settings provided to a covered
minor through the online service, product, or feature to the highest level of privacy,
including the following default settings:
(A) not displaying the existence of the covered minor’s account on a social media platform
to any known adult user unless the covered minor has expressly and unambiguously allowed
a specific known adult user to view their account or has expressly and unambiguously
chosen to make their account’s existence public;
(B) not displaying media created or posted by the covered minor on a social media platform
to any known adult user unless the covered minor has expressly and unambiguously allowed
a specific known adult user to view their media or has expressly and unambiguously
chosen to make their media publicly available;
(C) not permitting any known adult users to like, comment on, or otherwise provide feedback
on the covered minor’s media on a social media platform unless the covered minor has
expressly and unambiguously allowed a specific known adult user to do so;
(D) not permitting direct messaging on a social media platform between the covered minor
and any known adult user unless the covered minor has expressly and unambiguously
decided to allow direct messaging with a specific known adult user;
(E) not displaying the covered minor’s location to other users, unless the covered minor
expressly and unambiguously shares their location with a specific user;
(F) not displaying the users connected to the covered minor on a social media platform
unless the covered minor expressly and unambiguously chooses to share the information
with a specific user;
(G) disabling search engine indexing of the covered minor’s account profile; and
(H) not sending push notifications to the covered minors.
(2) A covered business shall not:
(A) provide a covered minor with a single setting that makes all of the default privacy
settings less protective at once; or
(B) request or prompt a covered minor to make their privacy settings less protective,
unless the change is strictly necessary for the covered minor to access a service
or feature they have expressly and unambiguously requested.
(b) Timely deletion of account. A covered business shall:
(1) provide a prominent, accessible, and responsive tool to allow a covered minor to request
the covered minor’s account on a social media platform be unpublished or deleted;
and
(2) honor that request not later than 15 days after a covered business receives the request. (Added 2025, No. 63, § 1, eff. January 1, 2027.)