| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the protection of minors from harmful, deceptive, or |
|
|
unfair trade practices in connection with the use of certain |
|
|
digital services. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. This Act may be cited as the Securing Children |
|
|
Online through Parental Empowerment (SCOPE) Act. |
|
|
SECTION 2. Subtitle A, Title 11, Business & Commerce Code, |
|
|
is amended by adding Chapter 509 to read as follows: |
|
|
CHAPTER 509. USE OF DIGITAL SERVICES BY MINORS |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 509.001. DEFINITIONS. In this chapter: |
|
|
(1) "Digital service" means a website, an application, |
|
|
a program, or software that performs collection or processing |
|
|
functions with Internet connectivity. |
|
|
(2) "Digital service provider" means a person who owns |
|
|
or operates a digital service. |
|
|
(3) "Known minor" means a minor under circumstances |
|
|
where a digital service provider has actual knowledge of, or |
|
|
wilfully disregards, a minor's age. |
|
|
(4) "Minor" means a child who is younger than 18 years |
|
|
of age who: |
|
|
(A) has never been married; and |
|
|
(B) has not had the disabilities of minority |
|
|
removed for general purposes. |
|
|
(5) "Verified parent" means a person who has |
|
|
registered with a digital service provider as the parent or |
|
|
guardian of a known minor under Section 509.052. |
|
|
Sec. 509.002. APPLICABILITY. (a) This chapter does not |
|
|
apply to: |
|
|
(1) a state agency or a political subdivision of this |
|
|
state; |
|
|
(2) a financial institution or data subject to Title |
|
|
V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.); |
|
|
(3) a covered entity or business associate governed by |
|
|
the privacy, security, and breach notification rules issued by the |
|
|
United States Department of Health and Human Services, 45 C.F.R. |
|
|
Parts 160 and 164, established under the Health Insurance |
|
|
Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d |
|
|
et seq.), and the Health Information Technology for Economic and |
|
|
Clinical Health Act (Division A, Title XIII, and Division B, Title |
|
|
IV, Pub. L. No. 111-5); |
|
|
(4) a small business as defined by the United States |
|
|
Small Business Administration on September 1, 2024; |
|
|
(5) an institution of higher education; |
|
|
(6) a digital service provider who processes or |
|
|
maintains user data in connection with the employment, promotion, |
|
|
reassignment, or retention of the user as an employee or |
|
|
independent contractor, to the extent that the user's data is |
|
|
processed or maintained for that purpose; |
|
|
(7) an operator or provider regulated by Subchapter D, |
|
|
Chapter 32, Education Code; or |
|
|
(8) a person subject to the Family Educational Rights |
|
|
and Privacy Act of 1974 (20 U.S.C. Section 1232g) that operates a |
|
|
digital service. |
|
|
(b) An Internet service provider or Internet service |
|
|
provider's affiliate is not considered to be a digital service |
|
|
provider if the Internet service provider or affiliate provides |
|
|
access or connection to a digital service, unless the Internet |
|
|
service provider or affiliate exercises control of or is otherwise |
|
|
responsible for the creation or provision of content that exposes a |
|
|
known minor to harm as described by Section 509.053. |
|
|
(c) A person is not a known minor after the person's 18th |
|
|
birthday. |
|
|
SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS |
|
|
Sec. 509.051. PROHIBITION ON AGREEMENTS WITH KNOWN MINORS; |
|
|
EXEMPTIONS. (a) Except as provided by this section, a digital |
|
|
service provider may not enter into an agreement with a known minor. |
|
|
(b) For purposes of this section, an agreement includes: |
|
|
(1) a terms of service agreement; |
|
|
(2) a user agreement; and |
|
|
(3) the creation of an account for a digital service. |
|
|
(c) A digital service provider may enter into an agreement |
|
|
with a known minor if the known minor's parent or guardian consents |
|
|
in a verifiable manner that: |
|
|
(1) is specific, informed, and unambiguous; and |
|
|
(2) occurs in the absence of any financial incentive. |
|
|
(d) For purposes of this section, the following are |
|
|
acceptable methods a digital service provider may use to obtain |
|
|
consent: |
|
|
(1) providing a form for the known minor's parent or |
|
|
guardian to sign and return to the digital service provider by |
|
|
common carrier, facsimile, or electronic scan; |
|
|
(2) providing a toll-free telephone number for the |
|
|
known minor's parent or guardian to call to consent; |
|
|
(3) coordinating a call with a known minor's parent or |
|
|
guardian over videoconferencing technology; |
|
|
(4) collecting information related to the known |
|
|
minor's parent's or guardian's government-issued identification and |
|
|
deleting that information after confirming the identity of the |
|
|
parent or guardian; |
|
|
(5) allowing the known minor's parent or guardian to |
|
|
provide consent by responding to an e-mail and taking additional |
|
|
steps to verify the parent's or guardian's identity; |
|
|
(6) obtaining consent from a person registered with |
|
|
the digital service provider as the known minor's verified parent |
|
|
under Section 509.052; and |
|
|
(7) any other commercially reasonable method of |
|
|
obtaining consent that complies with Subsection (c). |
|
|
(e) An agreement under this section must include a method by |
|
|
which a known minor's parent or guardian can register with the |
|
|
digital service provider as the minor's verified parent under |
|
|
Section 509.052. |
|
|
(f) Before obtaining consent from a known minor's parent or |
|
|
guardian, a digital service provider must give the parent or |
|
|
guardian the ability to permanently enable settings to: |
|
|
(1) enable the highest privacy setting offered by the |
|
|
digital service provider; |
|
|
(2) prevent the digital service provider from |
|
|
collecting any data associated with the minor that is not necessary |
|
|
to provide the digital service; |
|
|
(3) prevent the digital service provider from |
|
|
processing any data associated with the minor in a manner that is |
|
|
not related to the purpose for which the data was collected; |
|
|
(4) prevent the digital service provider from sharing, |
|
|
disclosing, or transferring data associated with the minor in |
|
|
exchange for monetary or other valuable consideration; |
|
|
(5) prevent collection of geolocation data by the |
|
|
digital service provider; |
|
|
(6) prevent the display of targeted advertising for |
|
|
the minor; or |
|
|
(7) prevent the minor from making purchases or |
|
|
financial transactions. |
|
|
(g) If a minor's parent or guardian, including a verified |
|
|
parent, gives consent or performs another function of a parent or |
|
|
guardian under this chapter, the digital service provider: |
|
|
(1) is considered to have actual knowledge that the |
|
|
minor is less than 18 years of age; and |
|
|
(2) must treat the minor as a known minor. |
|
|
(h) An agreement between a digital service provider and a |
|
|
known minor under this section may not be construed to prevent the |
|
|
digital service provider from collecting, processing, or sharing |
|
|
user data in a manner necessary to comply with: |
|
|
(1) a civil, criminal, or regulatory inquiry, |
|
|
investigation, subpoena, or summons by a governmental authority; or |
|
|
(2) a law enforcement agency investigating conduct |
|
|
that the digital service provider reasonably believes in good faith |
|
|
to violate federal, state, or local laws. |
|
|
Sec. 509.052. REGISTRATION AS VERIFIED PARENT. (a) A |
|
|
digital service provider shall provide a process for a known |
|
|
minor's parent or guardian to register with the digital service |
|
|
provider as the known minor's verified parent. |
|
|
(b) The registration process under this section must |
|
|
require a known minor's parent or guardian to confirm the parent's |
|
|
or guardian's identity using a method acceptable for obtaining |
|
|
consent under Sections 509.051(d)(1)-(5). |
|
|
(c) A person registered with a digital service provider as a |
|
|
known minor's verified parent may give consent or perform other |
|
|
functions of a known minor's parent or guardian under this chapter |
|
|
relating to a digital service provider with whom the verified |
|
|
parent is registered without confirming the verified parent's |
|
|
identity under Sections 509.051(d)(1)-(5). |
|
|
Sec. 509.053. DIGITAL SERVICE PROVIDER DUTY TO EXERCISE |
|
|
REASONABLE CARE. In relation to a known minor's use of a digital |
|
|
service, a digital service provider shall exercise reasonable care |
|
|
to prevent: |
|
|
(1) self harm, suicide, eating disorders, and other |
|
|
similar behaviors; |
|
|
(2) substance abuse and patterns of use that indicate |
|
|
addiction; |
|
|
(3) bullying and harassment; |
|
|
(4) sexual exploitation, including enticement, |
|
|
grooming, trafficking, abuse, and child pornography; |
|
|
(5) advertisements for products or services that are |
|
|
unlawful for a minor, including illegal drugs, tobacco, gambling, |
|
|
pornography, and alcohol; and |
|
|
(6) predatory, unfair, or deceptive marketing |
|
|
practices. |
|
|
Sec. 509.054. ACCESS TO DATA ASSOCIATED WITH KNOWN MINOR. |
|
|
(a) A known minor's parent or guardian may submit a request to a |
|
|
digital service provider to access any data on the digital service |
|
|
associated with the minor. |
|
|
(b) A digital service provider shall establish and make |
|
|
available a simple and easily accessible method by which a known |
|
|
minor's parent or guardian may make a request for access under this |
|
|
section. |
|
|
(c) The method established under Subsection (b) must: |
|
|
(1) allow a known minor's parent or guardian to access: |
|
|
(A) all data in the digital service provider's |
|
|
possession associated with the known minor, organized by: |
|
|
(i) type of data; and |
|
|
(ii) purpose for which the digital service |
|
|
provider processed each type of data; |
|
|
(B) the name of each third party to which the |
|
|
digital service provider disclosed the data, if applicable; |
|
|
(C) each source other than the minor from which |
|
|
the digital service provider obtained data associated with the |
|
|
known minor; |
|
|
(D) the length of time for which the digital |
|
|
service provider will retain the data associated with the known |
|
|
minor; |
|
|
(E) any index or score assigned to the minor as a |
|
|
result of the data, including whether the digital service provider |
|
|
created the index or score and, if not, who created the index or |
|
|
score; |
|
|
(F) the manner in which the digital service |
|
|
provider uses an index or score under Paragraph (E); |
|
|
(G) a method by which the known minor's parent or |
|
|
guardian may: |
|
|
(i) dispute the accuracy of any data |
|
|
collected or processed by the digital service provider; and |
|
|
(ii) request that the digital service |
|
|
provider correct any data collected or processed by the digital |
|
|
service provider; and |
|
|
(H) a method by which the known minor's parent or |
|
|
guardian may request that the digital service provider delete any |
|
|
data associated with the known minor collected or processed by the |
|
|
digital service provider; and |
|
|
(2) require a known minor's parent or guardian to |
|
|
confirm the parent's or guardian's identity using a method |
|
|
acceptable under Sections 509.051(d)(1)-(5). |
|
|
(d) A verified parent is not required to confirm the |
|
|
verified parent's identity under Subsection (c)(2) when making a |
|
|
request under this section to the digital service provider with |
|
|
whom the verified parent is registered. |
|
|
(e) If a digital service provider receives a request under |
|
|
Subsection (c)(1)(G), the digital service provider shall, not later |
|
|
than the 45th day after the request is made: |
|
|
(1) determine whether the relevant data is inaccurate |
|
|
or incomplete; and |
|
|
(2) make any corrections necessary. |
|
|
(f) If a digital service provider receives a request under |
|
|
Subsection (c)(1)(H), the digital service provider shall delete the |
|
|
data specified by the request not later than the 45th day after the |
|
|
request is made. |
|
|
Sec. 509.055. ADVERTISING AND MARKETING DUTIES. A digital |
|
|
service provider that allows advertisers to advertise to known |
|
|
minors on the digital service shall disclose in a clear and |
|
|
accessible manner at the time the advertisement is displayed: |
|
|
(1) the name of each product, service, or brand |
|
|
advertising on the digital service; |
|
|
(2) the subject matter of each advertisement or |
|
|
marketing material on the digital service; |
|
|
(3) if the digital service provider or advertiser |
|
|
targets advertisements to known minors on the digital service, the |
|
|
reason why each advertisement has been targeted to a minor; |
|
|
(4) the way in which data associated with a known |
|
|
minor's use of the digital service leads to each advertisement |
|
|
targeted to the minor; and |
|
|
(5) whether certain media on the digital service are |
|
|
advertisements. |
|
|
Sec. 509.056. USE OF ALGORITHMS. A digital service |
|
|
provider that uses algorithms to automate the suggestion, |
|
|
promotion, or ranking of information to known minors on the digital |
|
|
service shall: |
|
|
(1) ensure that the algorithm does not interfere with |
|
|
the digital service provider's duties under Section 509.053; and |
|
|
(2) disclose in the digital service provider's terms |
|
|
of service, in a clear and accessible manner: |
|
|
(A) an overview of the manner in which the |
|
|
digital service uses algorithms to provide information to known |
|
|
minors; and |
|
|
(B) an overview of the manner in which those |
|
|
algorithms use data associated with a known minor. |
|
|
Sec. 509.057. PROHIBITION AGAINST DISCRIMINATION. A |
|
|
digital service provider may not discriminate against a known minor |
|
|
or the known minor's parent or guardian in any manner for exercising |
|
|
a right described by this chapter. |
|
|
Sec. 509.058. PROTECTION OF TRADE SECRETS. Nothing in this |
|
|
subchapter may be construed to require a digital service provider |
|
|
to disclose a trade secret. |
|
|
SUBCHAPTER C. ENFORCEMENT |
|
|
Sec. 509.101. DECEPTIVE TRADE PRACTICE. A violation of |
|
|
this chapter is a false, misleading, or deceptive act or practice as |
|
|
defined by Section 17.46(b). Except as provided by Section |
|
|
509.102, in addition to any remedy under this chapter, any public |
|
|
remedy under Subchapter E, Chapter 17, is also available for a |
|
|
violation of this chapter. |
|
|
Sec. 509.102. NO PRIVATE RIGHT OF ACTION. This chapter may |
|
|
not be construed as providing a basis for, or being subject to, a |
|
|
private right of action for a violation of this chapter. |
|
|
SECTION 3. If any provision of this Act or its application |
|
|
to any person or circumstance is held invalid, the invalidity does |
|
|
not affect other provisions or applications of this Act that can be |
|
|
given effect without the invalid provision or application, and to |
|
|
this end the provisions of this Act are declared to be severable. |
|
|
SECTION 4. This Act takes effect September 1, 2024. |