§ 2449g. Age assurance privacy [Effective January 1, 2027]
[Subsection (a) effective January 1, 2027.]
(a) Privacy protections for age assurance data. During the process of conducting age assurance, covered businesses and processors
shall:
(1) only collect personal data of a user that is strictly necessary for age assurance;
(2) immediately upon determining whether a user is a covered minor, delete any personal
data collected of that user for age assurance, except the determination of the user’s
age range;
(3) not use any personal data of a user collected for age assurance for any other purpose;
(4) not combine personal data of a user collected for age assurance, except the determination
of the user’s age range, with any other personal data of the user;
(5) not disclose personal data of a user collected for age assurance to a third party
that is not a processor; and
(6) implement a review process to allow users to appeal their age determination.
(b) Rulemaking.
(1) Subject to subdivision (2) of this subsection, the Attorney General shall, on or before
January 1, 2027, adopt rules identifying commercially reasonable and technically feasible
methods for covered businesses and processors to determine if a user is a covered
minor, describing appropriate review processes for users appealing their age designations,
and providing any additional privacy protections for age assurance data. The Attorney
General shall periodically review and update these rules as necessary to keep pace
with emerging technology.
(2) In adopting these rules, the Attorney General shall:
(A) prioritize user privacy and accessibility over the accuracy of age assurance methods;
and
(B) consider:
(i) the size, financial resources, and technical capabilities of covered businesses and
processors;
(ii) the costs and effectiveness of available age assurance methods;
(iii) the impact of age assurance methods on users’ safety, utility, and experience;
(iv) whether and to what extent transparency measures would increase consumer trust in
an age assurance method; and
(v) the efficacy of requiring covered businesses and processors to:
(I) use previously collected data to determine user age;
(II) adopt interoperable age assurance methods; and
(III) provide users with multiple options for age assurance. (Added 2025, No. 63, § 1, eff. January 1, 2027.)