Data Subject Rights Under the GDPR [Explained]

As a mom in San Diego, and someone who works at the intersection of technology, safety, and ethics, I was encouraged to see Governor Gavin Newsom sign Senate Bill 243, California’s first-in-the-nation law regulating companion chatbots. Authored by San Diego’s own Senator Steve Padilla, SB 243 is a landmark step toward ensuring that AI systems interacting with our children are held to basic standards of transparency, responsibility, and care.

This law matters deeply for families like mine. AI is no longer an abstract technological concept; it’s becoming woven into daily life, shaping how young people learn, socialize, ask questions, and seek comfort. And while many AI tools can provide meaningful support, recent tragedies - including the heartbreaking case of a 14-year-old boy whose AI “companion” failed to recognize or respond to signs of suicidal distress - make clear that these systems are not yet equipped to handle emotional vulnerability.

SB 243 sets the first layer of guardrails for a rapidly evolving landscape. But it is only the beginning of a broader shift, one that every parent, policymaker, and technology developer needs to understand.

Why Chatbots Captured Lawmakers’ Attention

AI “companions” are not simple customer-service bots. They simulate empathy, develop personalities, and sustain ongoing conversations that can resemble friendships or even relationships. And they are widely used: nearly 72% of teens have engaged with an AI companion. Early research, including a Stanford study finding that 3% of young adults credited chatbot interactions with interrupting suicidal thoughts, shows their complexity.

But the darker side has generated national attention. Multiple high-profile cases - including lawsuits involving minors who died by suicide after chatbot interactions - prompted congressional hearings, FTC investigations, and testimony from parents who had lost their children. Many of these parents later appeared before state legislatures, including California’s, urging lawmakers to put protections in place.

This context shaped 2025 as the first year in which multiple states introduced or enacted laws specifically targeting companion chatbots, including Utah, Maine, New York, and California. The Future of Privacy Forum’s analysis of these trends can be found in their State AI Report (2025).

SB 243 stands out among these efforts because it explicitly focuses on youth safety, reflecting growing recognition that minors engage with conversational AI in ways that can blur boundaries and amplify emotional risks.

SB 243 Explained: What California Now Requires

SB 243 introduces a framework of disclosures, safety protocols, and youth-focused safeguards. It also grants individuals a private right of action, which has drawn significant attention from technologists and legal experts.

1. What Counts as a “Companion Chatbot”

SB 243 defines a companion chatbot as an AI system designed to:

• provide adaptive, human-like responses
  
• meet social or emotional needs
  
• exhibit anthropomorphic features
  
• sustain a relationship across multiple interactions

Excluded from the definition are bots used solely for:

• customer service
  
• internal operations
  
• research
  
• video games that do not discuss mental health, self-harm, or explicit content
  
• standalone consumer devices like voice-activated assistants

But even with exclusions, interpretation will be tricky. Does a bot that repeatedly interacts with a customer constitute a “relationship”? What about general-purpose AI systems used for entertainment? SB 243 will require careful legal interpretation as it rolls out.

2. Key Requirements Under SB 243

A. Disclosure Requirements

Operators must provide:

• Clear and conspicuous notice that the user is interacting with AI
  
• Notice that companion chatbots may not be suitable for minors

Disclosure is required when a reasonable person might think they’re talking to a human.

B. Crisis-Response Safety Protocols

Operators must:

• Prevent generation of content related to suicidal ideation or self-harm
  
• Redirect users to crisis helplines
  
• Publicly publish their safety protocols
  
• Submit annual, non-identifiable reports on crisis referrals to the California Office of Suicide Prevention

C. Minor-Specific Safeguards

When an operator knows a user is a minor, SB 243 requires:

• AI disclosure at the start of the interaction
  
• A reminder every 3 hours for the minor to take a break
  
• “Reasonable steps” to prevent sexual or sexually suggestive content

This intersects with California’s new age assurance bill, AB 1043, and creates questions about how operators will determine who is a minor without violating privacy or collecting unnecessary personal information.

D. Private Right of Action

Individuals may sue for:

• At least $1,000 in damages
• Injunctive relief
  
• Attorney’s fees
  

This provision gives SB 243 real teeth, and real risks for companies that fail to comply.

How SB 243 Fits Into the Broader U.S. Landscape

While California is the first state to enact youth-focused chatbot protections, it is part of a larger legislative wave.

1. Disclosure Requirements Across States

In 2025, six of seven major chatbot bills across the U.S. required disclosure. But states differ in timing and frequency:

• New York (Artificial Intelligence Companion Models law): disclosure at the start of every session and every 3 hours
  
• California (SB 243): 3-hour reminders only when the operator knows the user is a minor
  
• Maine (LD 1727): disclosure required but not time-specified
  
• Utah (H.B. 452): disclosure before chatbot features are accessed or upon user request
  

Disclosure has emerged as the baseline governance mechanism: relatively easy to implement, highly visible, and minimally disruptive to innovation.

Of note, Governor Newsom previously vetoed AB 1064, a more restrictive bill that might have functionally banned companion chatbots for minors. His message? The goal is safety, not prohibition.

Taken together, these actions show that California prefers:

• transparency
  
• crisis protocols
  
• youth notifications…rather than outright bans.
  

This philosophy will likely shape legislative debates in 2026.

2. Safety Protocols & Suicide-Risk Mitigation

Only companion chatbot bills - not broader chatbot regulations - include self-harm detection and crisis-response requirements.

However, these provisions raise issues:

• Operators may need to analyze or retain chat logs, increasing privacy risk
  
• The law requires “evidence-based” detection methods, but without defining the term
  
• Developers must decide what constitutes a crisis trigger
  

Ambiguity means compliance could differ dramatically across companies.

The Central Problem: AI That Protects Platforms, Not People

As both a parent and an AI policy advocate, I see SB 243 as progress – but also as a reflection of a deeper issue.

Laws like SB 243 are written to protect people, especially kids and vulnerable users. But the reality is that the AI systems being regulated were never designed around the needs, values, and boundaries of individual families. They were designed around the needs of platforms.

Companion chatbots today are largely engagement engines: systems optimized to keep users talking, coming back, and sharing more. A new report from Common Sense Media, Talk, Trust, and Trade-Offs: How and Why Teens Use AI Companions, found that of the 72% of U.S. teens that have used an AI companion, over half (52%) qualify as regular users - interacting a few times a month or more. A third use them specifically for social interaction and relationships, including emotional support, role-play, friendship, or romantic chats. For many teens, these systems are not a novelty; they are part of their social and emotional landscape.

That wouldn’t be inherently bad if these tools were designed with youth development and family values at the center. But they’re not. Common Sense’s risk assessment of popular AI companions like Character.AI, Nomi, and Replika concluded that these platforms pose “unacceptable risks” to users under 18, easily producing sexual content, stereotypes, and “dangerous advice that, if followed, could have life-threatening or deadly real-world impacts.” Their own terms of service often grant themselves broad, long-term rights over teens’ most intimate conversations, turning vulnerability into data.

This is where we have to be honest: disclosures and warnings alone don’t solve that mismatch. SB 243 and similar laws require “clear and conspicuous” notices that users are talking to AI, reminders every few hours to take a break, and disclaimers that chatbots may not be suitable for minors. Those are important: transparency matters. But, for a 13- or 15-year-old, a disclosure is often just another pop-up to tap through. It doesn’t change the fact that the AI is designed to be endlessly available, validating, and emotionally sticky.

The Common Sense survey shows why that matters. Among teens who use AI companions:

• 33% have chosen to talk to an AI companion instead of a real person about something important or serious.
  
• 24% have shared personal or private information, like their real name, location, or personal secrets.
  
• About one-third report feeling uncomfortable with something an AI companion has said or done.

At the same time, the survey indicates that a majority still spend more time with real friends than with AI, and most say human conversations are more satisfying. That nuance is important: teens are not abandoning human relationships wholesale. But, a meaningful minority are using AI as a substitute for real support in moments that matter most.

These same dynamics appear outside the world of chatbots. In our earlier analysis of Roblox’s AI moderation and youth safety challenges, we explored how large-scale platform AI struggles to distinguish between playful behavior, harmful content, and predatory intent, even as parents assume the system “will catch it.” 

This is where “AI that protects platforms, not people” comes into focus. When parents and policymakers rely on platform-run AI to “detect” risk, it can create a false sense of security – as if the system will always recognize distress, always escalate appropriately, and always act in the child’s best interest. In practice, these models are tuned to generic safety rules and engagement metrics, not to the lived context of a specific child in a specific family. They don’t know whether your teen is already in therapy, whether your family has certain cultural values, or whether a particular topic is especially triggering.

Put differently: we are asking centralized models to perform a deeply relational role they were never built to handle. And every time a disclosure banner pops up or a three-hour reminder fires, it can look like “safety” without actually addressing the core problem - that the AI has quietly slipped into the space where a parent, counselor, or trusted adult should be.

The result is a structural misalignment:

• Platforms carry legal duties and add compliance layers.
  
• Teens continue to use AI companions for connection, support, and secrets.
  
• Parents assume “there must be safeguards” because laws now require them.

But no law can turn a platform-centric system into a family-centric one on its own. That requires a different architecture entirely: one where AI is owned by, aligned to, and accountable to the individual or family it serves, rather than the platform that hosts it.

The Next Phase: Personal AI That Serves Individuals, Not Platforms

Policy can set guardrails, but it cannot engineer empathy.

The future of safety will require personal AI systems that:

• are owned by individuals or families
  
• understand context, values, and emotional cues
  
• escalate concerns privately and appropriately
  
• do not store global chat logs
  
• do not generalize across millions of users
  
• protect people, not corporate platforms
  

Imagine a world where each family has its own AI agent, trained on their communication patterns, norms, and boundaries.An AI partner that can detect distress because it knows the user, not because it is guessing from a database of millions of strangers.

This is the direction in which responsible AI is moving, and it is at the heart of our work at Permission.

What to Expect in 2026

2025 was the first year of targeted chatbot regulation. 2026 may be the year of chatbot governance.

Expect:

• More state-level bills mirroring SB 243
  
• Increased federal involvement through the proposed GUARD Act
• Sector-specific restrictions on mental health chatbots
  
• AI oversight frameworks tied to age assurance and data privacy
  
• Renewed debates around bans vs. transparency-based models
  

States are beginning to experiment. Some will follow California’s balanced approach. Others may attempt stricter prohibitions. But all share a central concern: the emotional stakes of AI systems that feel conversational.

Closing Thoughts

As a mom here in San Diego, I’m grateful to see our state take this issue seriously. As Permission’s Chief Advocacy Officer, I also see where the next generation of protection must go. SB 243 sets the foundation, but the future will belong to AI that is personal, contextual, and accountable to the people it serves.

We’re excited to share that the ASK/USDC liquidity pool is now officially live on Aerodrome Finance, the premier decentralized exchange built on Base. This milestone makes it easier than ever for ASK holders to trade, swap, and provide liquidity directly within the Coinbase ecosystem.

Why This Matters

• More access. You can now trade ASK directly through Aerodrome, Base’s premier DEX—and soon, through the Coinbase app itself, thanks to its new DEX integration.
  
  
• More liquidity. ASK liquidity is already live in the USDC/ASK pool, strengthening accessibility for everyone.
  
  
• More connection to real utility. As ASK continues to power the Permission ecosystem, this move brings its utility to DeFi, where liquidity meets data ownership + real demand for permissioned data.

How to Join In

• Visit the official USDC/ASK pool on Aerodrome.

• Always confirm the official ASK contract address on Base before trading:
  0xBB146326778227A8498b105a18f84E0987A684b4
  

• You can trade, provide liquidity, or simply watch the pool evolve — it’s all part of growing ASK’s footprint on Base.

Building on Base’s Vision

Base has quickly become one of the most vibrant ecosystems in crypto, driven by the vision that on-chain should be open, affordable, and accessible to everyone. Its rapid growth reflects a broader shift toward usability and real-world applications, something that aligns perfectly with Permission’s mission.

As Coinbase CEO Brian Armstrong has emphasized, Base isn’t just another Layer-2 — it’s the foundation for bringing the next billion users on-chain. ASK’s launch on Base taps directly into that movement, expanding access to a global audience and connecting Permission’s data-ownership mission to one of the most forward-thinking ecosystems in Web3.

100,000+ ASK Holders on Base 🎉

As of this writing, we’re proud to share that ASK has surpassed 100,000 holders on Base. This is a huge milestone that reflects the growing strength and reach of the Permission community.

From early supporters to new users discovering ASK through Base and Aerodrome, this growth underscores the demand for consent-driven data solutions that reward people for the value they create.

Providing Liquidity Has Benefits

When you add liquidity to the USDC/ASK pool, you’re helping deepen the market and improve access for other community members. In return, you’ll earn a share of trading fees generated by the pool.

And as Aerodrome continues to expand its ve(3,3)-style governance model, liquidity providers could see additional incentive opportunities in the future. Nothing is live yet, but the structure is there, and we’re watching closely as the Base DeFi ecosystem evolves.

It’s a great way for long-term ASK supporters to stay engaged and help grow the ecosystem while participating in DeFi on one of crypto’s fastest-growing networks.

What’s Next

ASK’s presence on Base is just the beginning. We’re continuing to build toward broader omnichain accessibility, more liquidity venues, and new ways to earn ASK. Each milestone strengthens ASK’s position as the tokenized reward for permission.

Learn More

📘 ASK Token Utilities & Docs

💧 Aerodrome Liquidity Pool

Disclaimer:
This post is for informational purposes only and does not constitute financial, investment, or legal advice. Token values can fluctuate and all participation involves risk. Always do your own research before trading or providing liquidity.

Roblox isn’t just a game — it’s a digital playground with tens of millions of daily users, most of them children between 9 and 15 years old.

For many, it’s the first place they build, chat, and explore online. But as with every major platform serving young audiences, keeping that experience safe is a monumental challenge.

Recent lawsuits and law-enforcement reports highlight how complex that challenge has become. Roblox reported more than 13,000 cases of sextortion and child exploitation in 2023 alone — a staggering figure that reflects not negligence, but the sheer scale of what all digital ecosystems now face.

The Industry’s Safety Challenge

Most parents assume Roblox and similar platforms are constantly monitored. In reality, the scale is overwhelming: millions of messages, interactions, and virtual spaces every hour. Even the most advanced AI moderation systems can miss the subtleties of manipulation and coded communication that predators use.

Roblox has publicly committed to safety and continues to invest heavily in AI moderation and human review — efforts that deserve recognition. Yet as independent researcher Ben Simon (“Ruben Sim”) and others have noted, moderation at this scale is an arms race that demands new tools and deeper collaboration across the industry.

By comparison, TikTok employs more than 40,000 human moderators — over ten times Roblox’s reported staff — despite having roughly three times the daily active users. The contrast underscores a reality no platform escapes: AI moderation is essential, but insufficient on its own.

When Games Become Gateways

Children as young as six have encountered inappropriate content, virtual strip clubs, or predatory advances within user-generated spaces. What often begins as a friendly in-game chat can shift into private messages, promises of Robux (Roblox’s digital currency), or requests for photos and money.

And exploitation isn’t always sexual. Many predators use financial manipulation, convincing kids to share account credentials or make in-game purchases on their behalf.

For parents, Roblox’s family-friendly design can create a false sense of security. The lesson is not that Roblox is unsafe, but that no single moderation system can substitute for parental awareness and dialogue.

Even when interactions seem harmless, kids can give away more than they realize.

A name, a birthday, or a photo might seem trivial, but in the wrong hands it can open the door to identity theft.

The Hidden Threat: Child Identity Theft

Indeed, a lesser-known but equally serious risk is identity theft.

When children overshare personal details — their full name, birthdate, school, address, or even family information — online or with strangers, that data can be used to impersonate them.

Because minors rarely have active financial records, child identity theft often goes undetected for years, sometimes until they apply for a driver’s license, a student loan, or their first job. By then, the damage can be profound: financial loss, credit score damage, and emotional stress. Restoring a stolen identity can require years of effort, documentation, and legal action.

The best defense is prevention.

Teach children early why their personal information should never be shared publicly or in private chats — and remind them that real friends never need to know everything about you to play together online.

AI Moderation Needs Human Partnership

AI moderation remains reactive.

Algorithms flag suspicious language, but they can’t interpret tone, hesitation, or the subtle erosion of boundaries that signals grooming.

Predators evolve faster than filters, which means the answer isn’t more AI for the platform, but smarter AI for the family.

The Limits of Centralized AI

‍The truth is, today’s moderation AI isn’t really designed to protect people; it’s designed to protect platforms. Its job is to reduce liability, flag content, and preserve brand safety at scale. But in doing so, it often treats users as data points, not individuals.

This is the paradox of centralized AI safety: the bigger it gets, the less it understands.

It can process millions of messages a second, but not the intent behind them. It can delete an account in a millisecond, but can’t tell whether it’s protecting a child or punishing a joke.

That’s why the future of safety can’t live inside one corporate algorithm. It has to live with the individual — in personal AI agents that see context, respect consent, and act in the user’s best interest. Instead of a single moderation brain governing millions, every family deserves an AI partner that watches with understanding, not suspicion.

A system that exists to protect them, not the platform.

The Future of Child Safety: Collaboration, Not Competition

The Roblox story underscores an industry-wide truth: safety can’t be one-size-fits-all.
Every child’s online experience is different and protecting it requires both platform vigilance and parent empowerment.

At Permission, we believe the next generation of online safety will come from collaboration, not competition. Instead of replacing platform systems, our personal AI agents complement them — giving parents visibility and peace of mind while supporting the broader ecosystem of trust that companies like Roblox are working to build.

From one-size-fits-all moderation to one-AI-per-family insight — in harmony with the platforms kids already love.

Each family’s AI guardian can learn their child’s unique patterns, highlight potential risks across apps, and summarize activity in clear reports that parents control. That’s what we mean by ethical visibility — insight without invasion.

You can explore this philosophy further in our upcoming piece:
➡️ Monitoring Without Spying: How to Build Digital Trust With Your Child (link coming soon)

What Parents Can Do Now

Until personalized AI guardians are widespread, families can take practical steps today:

• Talk early and often. Make online safety part of everyday conversation.
  
  
• Ask, don’t accuse. Curiosity builds trust; interrogation breeds secrecy.
  
  
• Play together. Experience games and chat environments firsthand.
  
  
• Set boundaries collaboratively. Agree on rules, timing, and social norms.
  
  
• Teach red flags. Encourage your child to tell you when something feels wrong — without fear of punishment.

A Shared Responsibility

The recent Roblox lawsuits remind all of us just how complicated parenting in the digital world can feel. It’s not just about rules or apps: it’s about guiding your kids through a space that changes faster than any of us could have imagined! 

And the truth is, everyone involved wants the same thing: a digital world where kids can explore safely, confidently, and with the freedom to just be kids.

At Permission, we’re committed to building an AI that understands what matters, respects your family’s values and boundaries, and puts consent at the center of every interaction.

For years, Permission has championed a simple idea: your data has value, and you deserve to be rewarded for it. Our mission is clear: to enable individuals to own their data and be compensated when it’s used. Until now, we’ve made that possible through our opt-in experience, giving you the choice to engage and earn.

But the internet is evolving, and so are we.

Now, with the rise of AI, our vision has never been more relevant. The world is waking up to the fact that data is the fuel driving digital intelligence, and individuals should be the ones who benefit directly from it.

The time is now. AI has created both the urgency and the infrastructure to finally make our vision real. The solution is the "Permission Agent: The Personal AI that Pays You."

‍What is the Permission Agent?

The Permission Agent is your own AI-powered digital assistant - it knows you, works for you, and turns your data into a revenue stream.

Running seamlessly in your browser, it manages your consent across the digital world while identifying the moments when your data has value, making sure you are the one who gets rewarded.

In essence, it acts as your personal representative in the online economy, constantly spotting opportunities, securing your rewards, and giving you back control of your digital life.

Human data powers the next generation of AI, and for it to be trusted it must be verified, auditable, and permissioned. Most importantly, it must reward the people who provide it. With the Permission Agent, this vision becomes reality: your data is safeguarded, your consent is respected, and you are compensated every step of the way.

This is more than a seamless way to earn. It’s a bold step toward a future where the internet is rebuilt around trust, transparency, and fairness - with people at the center.

‍Passive Earning and Compounded Referral Rewards

With the Permission Agent, earning isn’t just smarter - it’s continuous and always working in the background. As you browse normally, your Agent quietly unlocks opportunities and secures rewards on your behalf.

Beyond this passive earning, the value multiplies when you invite friends to Permission. Instead of a one-time referral bonus, you’ll earn a percentage of everything your friends earn, for life. Each time they browse, engage, and collect rewards, you benefit too — and the more friends you bring in, the greater your earnings become.

All rewards are paid in $ASK, the token that powers the Permission ecosystem. Whether you choose to redeem, trade for cash or crypto, or save and accumulate, the more you collect, the more value you unlock.

Changes to Permission Platform

Our mission has always been to create a fair internet - one where people truly own their data and get rewarded for it. The opt-in experience was an important first step, opening the door to a world where individuals could engage and earn. But now it’s time to evolve.

Effective October 1st, the following platform changes will be implemented:

• Branded daily offers will no longer appear in their current form.  
• The Earn Marketplace will be transformed into Personalize Your AI - a new way to earn by taking actions that help your Agent better understand you, bringing you even greater personalization and value.
• The browser extension will be the primary surface for earning from your data, and, should you choose to activate passive earning, you’ll benefit from ongoing rewards as your Agent works for you in the background.

With the Permission Agent, you gain a proactive partner that works for you around the clock — unlocking rewards, protecting your data, and ensuring you benefit from every opportunity,  without needing to constantly make manual decisions.

‍How to Get Started

Getting set up takes just a few minutes:

1. Download the Permission Agent (browser extension)
   
   
2. Activate it to claim your ASK token bonus
   
   
3. Browse as usual — your Agent works in the background to find earning opportunities for you
   

The more you use it, the more it learns how to unlock rewards and maximize the value of your time online.

A New Era of the Internet

This isn’t just a new tool - it’s a turning point.

The Permission Agent marks the beginning of a digital world where people truly own their data, decide when and how to share it, and are rewarded every step of the way.