By: Slawson, Patterson, González of El Paso, H.B. No. 18
      Burrows, Darby, et al.
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the protection of minors from harmful, deceptive, or
  unfair trade practices in connection with the use of certain
  digital services.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  This Act may be cited as the Securing Children
  Online through Parental Empowerment (SCOPE) Act.
         SECTION 2.  Subtitle A, Title 11, Business & Commerce Code,
  is amended by adding Chapter 509 to read as follows:
  CHAPTER 509. USE OF DIGITAL SERVICES BY MINORS
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 509.001.  DEFINITIONS. In this chapter:
               (1)  "Digital service" means a website, an application,
  a program, or software that performs collection or processing
  functions with Internet connectivity.
               (2)  "Digital service provider" means a person who owns
  or operates a digital service.
               (3)  "Known minor" means a minor under circumstances
  where a digital service provider has actual knowledge of, or
  wilfully disregards, a minor's age.
               (4)  "Minor" means a child who is younger than 18 years
  of age who:
                     (A)  has never been married; and
                     (B)  has not had the disabilities of minority
  removed for general purposes.
               (5)  "Verified parent" means a person who has
  registered with a digital service provider as the parent or
  guardian of a known minor under Section 509.052.
         Sec. 509.002.  APPLICABILITY. (a) This chapter does not
  apply to:
               (1)  a state agency or a political subdivision of this
  state;
               (2)  a financial institution or data subject to Title
  V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
               (3)  a covered entity or business associate governed by
  the privacy, security, and breach notification rules issued by the
  United States Department of Health and Human Services, 45 C.F.R.
  Parts 160 and 164, established under the Health Insurance
  Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d
  et seq.), and the Health Information Technology for Economic and
  Clinical Health Act (Division A, Title XIII, and Division B, Title
  IV, Pub. L. No. 111-5);
               (4)  a small business as defined by the United States
  Small Business Administration on September 1, 2024;
               (5)  an institution of higher education;
               (6)  a digital service provider who processes or
  maintains user data in connection with the employment, promotion,
  reassignment, or retention of the user as an employee or
  independent contractor, to the extent that the user's data is
  processed or maintained for that purpose;
               (7)  an operator or provider regulated by Subchapter D,
  Chapter 32, Education Code; or
               (8)  a person subject to the Family Educational Rights
  and Privacy Act of 1974 (20 U.S.C. Section 1232g) that operates a
  digital service.
         (b)  An Internet service provider or Internet service
  provider's affiliate is not considered to be a digital service
  provider if the Internet service provider or affiliate provides
  access or connection to a digital service, unless the Internet
  service provider or affiliate exercises control of or is otherwise
  responsible for the creation or provision of content that exposes a
  known minor to harm as described by Section 509.053.
         (c)  A person is not a known minor after the person's 18th
  birthday.
  SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS
         Sec. 509.051.  PROHIBITION ON AGREEMENTS WITH KNOWN MINORS;
  EXEMPTIONS.  (a)  Except as provided by this section, a digital
  service provider may not enter into an agreement with a known minor.
         (b)  For purposes of this section, an agreement includes:
               (1)  a terms of service agreement;
               (2)  a user agreement; and
               (3)  the creation of an account for a digital service.
         (c)  A digital service provider may enter into an agreement
  with a known minor if the known minor's parent or guardian consents
  in a verifiable manner that:
               (1)  is specific, informed, and unambiguous; and
               (2)  occurs in the absence of any financial incentive.
         (d)  For purposes of this section, the following are
  acceptable methods a digital service provider may use to obtain
  consent:
               (1)  providing a form for the known minor's parent or
  guardian to sign and return to the digital service provider by
  common carrier, facsimile, or electronic scan;
               (2)  providing a toll-free telephone number for the
  known minor's parent or guardian to call to consent;
               (3)  coordinating a call with a known minor's parent or
  guardian over videoconferencing technology;
               (4)  collecting information related to the known
  minor's parent's or guardian's government-issued identification and
  deleting that information after confirming the identity of the
  parent or guardian;
               (5)  allowing the known minor's parent or guardian to
  provide consent by responding to an e-mail and taking additional
  steps to verify the parent's or guardian's identity;
               (6)  obtaining consent from a person registered with
  the digital service provider as the known minor's verified parent
  under Section 509.052; and
               (7)  any other commercially reasonable method of
  obtaining consent that complies with Subsection (c).
         (e)  An agreement under this section must include a method by
  which a known minor's parent or guardian can register with the
  digital service provider as the minor's verified parent under
  Section 509.052.
         (f)  Before obtaining consent from a known minor's parent or
  guardian, a digital service provider must give the parent or
  guardian the ability to permanently enable settings to:
               (1)  enable the highest privacy setting offered by the
  digital service provider;
               (2)  prevent the digital service provider from
  collecting any data associated with the minor that is not necessary
  to provide the digital service;
               (3)  prevent the digital service provider from
  processing any data associated with the minor in a manner that is
  not related to the purpose for which the data was collected;
               (4)  prevent the digital service provider from sharing,
  disclosing, or transferring data associated with the minor in
  exchange for monetary or other valuable consideration;
               (5)  prevent collection of geolocation data by the
  digital service provider;
               (6)  prevent the display of targeted advertising for
  the minor; or
               (7)  prevent the minor from making purchases or
  financial transactions.
         (g)  If a minor's parent or guardian, including a verified
  parent, gives consent or performs another function of a parent or
  guardian under this chapter, the digital service provider:
               (1)  is considered to have actual knowledge that the
  minor is less than 18 years of age; and
               (2)  must treat the minor as a known minor.
         (h)  An agreement between a digital service provider and a
  known minor under this section may not be construed to prevent the
  digital service provider from collecting, processing, or sharing
  user data in a manner necessary to comply with:
               (1)  a civil, criminal, or regulatory inquiry,
  investigation, subpoena, or summons by a governmental authority; or
               (2)  a law enforcement agency investigating conduct
  that the digital service provider reasonably believes in good faith
  to violate federal, state, or local laws.
         Sec. 509.052.  REGISTRATION AS VERIFIED PARENT. (a) A
  digital service provider shall provide a process for a known
  minor's parent or guardian to register with the digital service
  provider as the known minor's verified parent.
         (b)  The registration process under this section must
  require a known minor's parent or guardian to confirm the parent's
  or guardian's identity using a method acceptable for obtaining
  consent under Sections 509.051(d)(1)-(5).
         (c)  A person registered with a digital service provider as a
  known minor's verified parent may give consent or perform other
  functions of a known minor's parent or guardian under this chapter
  relating to a digital service provider with whom the verified
  parent is registered without confirming the verified parent's
  identity under Sections 509.051(d)(1)-(5).
         Sec. 509.053.  DIGITAL SERVICE PROVIDER DUTY TO EXERCISE
  REASONABLE CARE. In relation to a known minor's use of a digital
  service, a digital service provider shall exercise reasonable care
  to prevent:
               (1)  self harm, suicide, eating disorders, and other
  similar behaviors;
               (2)  substance abuse and patterns of use that indicate
  addiction;
               (3)  bullying and harassment;
               (4)  sexual exploitation, including enticement,
  grooming, trafficking, abuse, and child pornography;
               (5)  advertisements for products or services that are
  unlawful for a minor, including illegal drugs, tobacco, gambling,
  pornography, and alcohol; and
               (6)  predatory, unfair, or deceptive marketing
  practices.
         Sec. 509.054.  ACCESS TO DATA ASSOCIATED WITH KNOWN MINOR.
  (a) A known minor's parent or guardian may submit a request to a
  digital service provider to access any data on the digital service
  associated with the minor.
         (b)  A digital service provider shall establish and make
  available a simple and easily accessible method by which a known
  minor's parent or guardian may make a request for access under this
  section.
         (c)  The method established under Subsection (b) must:
               (1)  allow a known minor's parent or guardian to access:
                     (A)  all data in the digital service provider's
  possession associated with the known minor, organized by:
                           (i)  type of data; and
                           (ii)  purpose for which the digital service
  provider processed each type of data;
                     (B)  the name of each third party to which the
  digital service provider disclosed the data, if applicable;
                     (C)  each source other than the minor from which
  the digital service provider obtained data associated with the
  known minor;
                     (D)  the length of time for which the digital
  service provider will retain the data associated with the known
  minor;
                     (E)  any index or score assigned to the minor as a
  result of the data, including whether the digital service provider
  created the index or score and, if not, who created the index or
  score;
                     (F)  the manner in which the digital service
  provider uses an index or score under Paragraph (E);
                     (G)  a method by which the known minor's parent or
  guardian may:
                           (i)  dispute the accuracy of any data
  collected or processed by the digital service provider; and
                           (ii)  request that the digital service
  provider correct any data collected or processed by the digital
  service provider; and
                     (H)  a method by which the known minor's parent or
  guardian may request that the digital service provider delete any
  data associated with the known minor collected or processed by the
  digital service provider; and
               (2)  require a known minor's parent or guardian to
  confirm the parent's or guardian's identity using a method
  acceptable under Sections 509.051(d)(1)-(5).
         (d)  A verified parent is not required to confirm the
  verified parent's identity under Subsection (c)(2) when making a
  request under this section to the digital service provider with
  whom the verified parent is registered.
         (e)  If a digital service provider receives a request under
  Subsection (c)(1)(G), the digital service provider shall, not later
  than the 45th day after the request is made:
               (1)  determine whether the relevant data is inaccurate
  or incomplete; and
               (2)  make any corrections necessary.
         (f)  If a digital service provider receives a request under
  Subsection (c)(1)(H), the digital service provider shall delete the
  data specified by the request not later than the 45th day after the
  request is made.
         Sec. 509.055.  ADVERTISING AND MARKETING DUTIES. A digital
  service provider that allows advertisers to advertise to known
  minors on the digital service shall disclose in a clear and
  accessible manner at the time the advertisement is displayed:
               (1)  the name of each product, service, or brand
  advertising on the digital service;
               (2)  the subject matter of each advertisement or
  marketing material on the digital service;
               (3)  if the digital service provider or advertiser
  targets advertisements to known minors on the digital service, the
  reason why each advertisement has been targeted to a minor;
               (4)  the way in which data associated with a known
  minor's use of the digital service leads to each advertisement
  targeted to the minor; and
               (5)  whether certain media on the digital service are
  advertisements.
         Sec. 509.056.  USE OF ALGORITHMS. A digital service
  provider that uses algorithms to automate the suggestion,
  promotion, or ranking of information to known minors on the digital
  service shall:
               (1)  ensure that the algorithm does not interfere with
  the digital service provider's duties under Section 509.053; and
               (2)  disclose in the digital service provider's terms
  of service, in a clear and accessible manner:
                     (A)  an overview of the manner in which the
  digital service uses algorithms to provide information to known
  minors; and
                     (B)  an overview of the manner in which those
  algorithms use data associated with a known minor.
         Sec. 509.057.  PROHIBITION AGAINST DISCRIMINATION. A
  digital service provider may not discriminate against a known minor
  or the known minor's parent or guardian in any manner for exercising
  a right described by this chapter.
         Sec. 509.058.  PROTECTION OF TRADE SECRETS. Nothing in this
  subchapter may be construed to require a digital service provider
  to disclose a trade secret.
  SUBCHAPTER C. ENFORCEMENT
         Sec. 509.101.  DECEPTIVE TRADE PRACTICE. A violation of
  this chapter is a false, misleading, or deceptive act or practice as
  defined by Section 17.46(b). Except as provided by Section
  509.102, in addition to any remedy under this chapter, any public
  remedy under Subchapter E, Chapter 17, is also available for a
  violation of this chapter.
         Sec. 509.102.  NO PRIVATE RIGHT OF ACTION. This chapter may
  not be construed as providing a basis for, or being subject to, a
  private right of action for a violation of this chapter.
         SECTION 3.  If any provision of this Act or its application
  to any person or circumstance is held invalid, the invalidity does
  not affect other provisions or applications of this Act that can be
  given effect without the invalid provision or application, and to
  this end the provisions of this Act are declared to be severable.
         SECTION 4.  This Act takes effect September 1, 2024.