NetChoice Testimony in Opposition to PA HB 2006, Artificial Intelligence in Companionship Applications Safety Act
HB 2006 is a well-intentioned but deeply flawed bill that would impose vague, unworkable mandates on AI companion operators, force the collection of sensitive personal data from all users just to identify minors and expose companies to open-ended penalties of up to $100,000 per day for violations that aren’t even clearly defined. Rather than protecting Pennsylvanians, it creates legal uncertainty that will fall hardest on smaller developers while doing little to address the real harms motivating the legislation.
Dear Chair Ciresi and Members of the Committee on Communications and Technology:
NetChoice respectfully requests your opposition to HB 2006, which requires AI companion operators to verify user ages, restrict minor access and obtain verifiable parental consent, among other provisions. We share the General Assembly’s goal of protecting Pennsylvanians, and particularly minors, from the genuine harms that have been documented in connection with AI companion products. Lawmakers are right to be concerned. But HB 2006, as amended, is unlikely to achieve that goal, and risks doing more harm than good. Our concerns center on three areas: the bill’s vague and subjective definitions, the privacy risks created by the age-assurance and parental-consent mandate in Section 5(b) and the bill’s excessive and ill-defined civil penalties. We urge the committee to oppose this bill.
HB 2006 regulates any “AI companion,” defined in Section 2 as a system that “simulates sustained human-like relationships by retaining interaction history, engaging in emotion-based interactions and maintaining ongoing dialogues about personal matters designed to mimic interpersonal relationships.” “Human-like relationship” is in turn defined as “intimate, romantic or platonic interactions or companionship.” These terms, read together, remain inherently subjective and lack the objective, technical meaning that a developer can apply with confidence or that a court can apply consistently across cases.
These terms lack any objective threshold. The bill does not specify what makes an interaction “emotion-based,” at what point retaining prior session data constitutes “retaining interaction history” within the meaning of the Act, or what distinguishes a dialogue “designed to mimic interpersonal relationships” from one that is merely conversational. These are not hypothetical line-drawing problems – they are exactly the kind of standardless terms that have drawn opposition to similar bills in other states, where industry groups have warned that comparable language sweeps in customer service tools, educational platforms, coding assistants and general-purpose AI products that have no relationship to the companion-chatbot harms the legislation is meant to address.
Section 2 of the amended bill exempts AI used solely for customer service – as long as it does not engage in emotion-based interactions or dialogues about personal matters – and AI used solely for internal business purposes. But that carve-out does not resolve the ambiguity. A tutoring app that remembers a student’s prior sessions and responds warmly to frustration; a wellness or journaling app that personalizes prompts to a user’s mood; a general-purpose assistant that recalls earlier conversations to be more helpful – all could plausibly fall within the definition as written while falling outside the narrow exemptions. Operators will not be able to predict with confidence which products are regulated, which makes good-faith compliance and consistent enforcement nearly impossible. More precise definitions with clear technical criteria and limiting principles would significantly improve the bill.
Section 5(b) of the amended bill requires operators, before granting any user in Pennsylvania access to an AI companion, to request age information and then determine whether the individual is a minor using “commercially available methods reasonably designed to ensure accuracy.” If a user is determined to be a minor, the operator must obtain verifiable parental consent before allowing access. While the bill prohibits requiring government-issued identification specifically, the permitted methods still require operators to collect and process additional personal information from every user – adult and minor alike – in order to determine who is a minor in the first place.
This directly contradicts the data-minimization principles that are foundational to U.S. and international privacy best practices. It creates a concentrated store of sensitive user data that becomes an attractive target for data breaches and identity theft. Several of the most damaging recent data breaches have been directly attributable to age-assurance systems. Smaller Pennsylvania-based operators, who lack the resources of the largest national platforms, will bear a disproportionate share of this compliance burden and security risk, and may be priced out of the market entirely as a result.
The bill’s data-retention provisions in Section 5(b)(3) – which limit retention of personally identifiable information to 24 hours following age assurance and prohibit selling or sharing the data with third parties – are a step in the right direction, but they do not eliminate the core problem: requiring the collection of that data in the first place from every Pennsylvania user. The more data a service is compelled to collect, even temporarily, the greater the risk it poses. The bill would better protect user privacy if it limited minor-specific obligations to situations where the operator has actual knowledge that a user is under 18, rather than requiring affirmative age assurance across the entire user base.
Section 7 authorizes the Attorney General to seek a civil penalty of up to $100,000 per day for each violation, plus additional equitable remedies. The bill does not define what constitutes a single “violation.” It is unclear whether liability accrues per user, per session, per missed notification or per day the underlying condition persists, and because the disclosure requirement in Section 4(a)(2)(ii) recurs at least once every hour, with a mandatory three-minute interaction pause, a single multi-day session could plausibly generate a very large number of discrete violations under some readings of the bill.
That ambiguity is not a minor drafting issue. Operators cannot reasonably price legal risk, insure against it or decide whether to continue offering a product in Pennsylvania if the penalty exposure for a single compliance lapse is undefined and potentially open-ended. The combination of subjective liability triggers with an undefined and substantial per-violation penalty creates exactly the kind of regulatory uncertainty that discourages investment and innovation in the Commonwealth, without a corresponding, demonstrated improvement in user safety.
We share the Committee’s interest in protecting Pennsylvanians, especially young people. But legislation that is vague in scope, that imposes privacy-eroding age-assurance mandates on all users and that pairs both with open-ended financial penalties will not achieve that goal. It will instead create legal uncertainty that falls hardest on smaller and Pennsylvania-based developers, while doing little to change the behavior of the products most associated with the harms motivating this bill.
Again, we respectfully ask you to oppose HB 2006. As always, we offer ourselves as a resource to discuss any of these issues with you in further detail, and we appreciate the opportunity to provide the committee with our thoughts on this important matter. (The views of NetChoice expressed here do not necessarily represent the views of all NetChoice members.)
Amy Bos, Vice President of Government Affairs, NetChoice
NetChoice is a trade association that works to protect free expression and promote free enterprise online.