|
|
|
|
AN ACT
|
|
relating to the protection of minors from harmful, deceptive, or |
|
unfair trade practices in connection with the use of certain |
|
digital services and electronic devices, including the use and |
|
transfer of electronic devices to students by a public school. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
ARTICLE 1. SHORT TITLE |
|
SECTION 1.01. This Act may be cited as the Securing Children |
|
Online through Parental Empowerment (SCOPE) Act. |
|
ARTICLE 2. USE OF DIGITAL SERVICES BY MINORS |
|
SECTION 2.01. Subtitle A, Title 11, Business & Commerce |
|
Code, is amended by adding Chapter 509 to read as follows: |
|
CHAPTER 509. USE OF DIGITAL SERVICES BY MINORS |
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
Sec. 509.001. DEFINITIONS. In this chapter: |
|
(1) "Digital service" means a website, an application, |
|
a program, or software that collects or processes personal |
|
identifying information with Internet connectivity. |
|
(2) "Digital service provider" means a person who: |
|
(A) owns or operates a digital service; |
|
(B) determines the purpose of collecting and |
|
processing the personal identifying information of users of the |
|
digital service; and |
|
(C) determines the means used to collect and |
|
process the personal identifying information of users of the |
|
digital service. |
|
(3) "Harmful material" has the meaning assigned by |
|
Section 43.24, Penal Code. |
|
(4) "Known minor" means a person that a digital |
|
service provider knows to be a minor. |
|
(5) "Minor" means a child who is younger than 18 years |
|
of age who has not had the disabilities of minority removed for |
|
general purposes. |
|
(6) "Personal identifying information" means any |
|
information, including sensitive information, that is linked or |
|
reasonably linkable to an identified or identifiable individual. |
|
The term includes pseudonymous information when the information is |
|
used by a controller or processor in conjunction with additional |
|
information that reasonably links the information to an identified |
|
or identifiable individual. The term does not include deidentified |
|
information or publicly available information. |
|
(7) "Verified parent" means the parent or guardian of |
|
a known minor whose identity and relationship to the minor have been |
|
verified by a digital service provider under Section 509.101. |
|
Sec. 509.002. APPLICABILITY. (a) Except to the extent that |
|
Section 509.057 applies to any digital service provider, this |
|
chapter applies only to a digital service provider who provides a |
|
digital service that: |
|
(1) connects users in a manner that allows users to |
|
socially interact with other users on the digital service; |
|
(2) allows a user to create a public or semi-public |
|
profile for purposes of signing into and using the digital service; |
|
and |
|
(3) allows a user to create or post content that can be |
|
viewed by other users of the digital service, including sharing |
|
content on: |
|
(A) a message board; |
|
(B) a chat room; or |
|
(C) a landing page, video channel, or main feed |
|
that presents to a user content created and posted by other users. |
|
(b) This chapter does not apply to: |
|
(1) a state agency or a political subdivision of this |
|
state; |
|
(2) a financial institution or data subject to Title |
|
V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.); |
|
(3) a covered entity or business associate governed by |
|
the privacy, security, and breach notification rules issued by the |
|
United States Department of Health and Human Services, 45 C.F.R. |
|
Parts 160 and 164, established under the Health Insurance |
|
Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d |
|
et seq.), and the Health Information Technology for Economic and |
|
Clinical Health Act (Division A, Title XIII, and Division B, Title |
|
IV, Pub. L. No. 111-5); |
|
(4) a small business as defined by the United States |
|
Small Business Administration on September 1, 2024; |
|
(5) an institution of higher education; |
|
(6) a digital service provider who processes or |
|
maintains user data in connection with the employment, promotion, |
|
reassignment, or retention of the user as an employee or |
|
independent contractor, to the extent that the user's data is |
|
processed or maintained for that purpose; |
|
(7) an operator or provider regulated by Subchapter D, |
|
Chapter 32, Education Code, that primarily provides education |
|
services to students or educational institutions; |
|
(8) a person subject to the Family Educational Rights |
|
and Privacy Act of 1974 (20 U.S.C. Section 1232g) that: |
|
(A) operates a digital service; and |
|
(B) primarily provides education services to |
|
students or educational institutions; |
|
(9) a digital service provider's provision of a |
|
digital service that facilitates e-mail or direct messaging |
|
services, if the digital service facilitates only those services; |
|
or |
|
(10) a digital service provider's provision of a |
|
digital service that: |
|
(A) primarily functions to provide a user with |
|
access to news, sports, commerce, or content primarily generated or |
|
selected by the digital service provider; and |
|
(B) allows chat, comment, or other interactive |
|
functionality that is incidental to the digital service. |
|
(c) Unless an Internet service provider, Internet service |
|
provider's affiliate or subsidiary, search engine, or cloud service |
|
provider is responsible for the creation of harmful material or |
|
other content described by Section 509.053(a), the Internet service |
|
provider, Internet service provider's affiliate or subsidiary, |
|
search engine, or cloud service provider is not considered to be a |
|
digital service provider or to offer a digital service if the |
|
Internet service provider or provider's affiliate or subsidiary, |
|
search engine, or cloud service provider solely provides access or |
|
connection, including through transmission, download, intermediate |
|
storage, access software, or other service, to an Internet website |
|
or to other information or content: |
|
(1) on the Internet; or |
|
(2) on a facility, system, or network not under the |
|
control of the Internet service provider, provider's affiliate or |
|
subsidiary, search engine, or cloud service provider. |
|
SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS |
|
Sec. 509.051. DIGITAL SERVICE PROVIDER DUTY TO REGISTER AGE |
|
OF USER. (a) A digital service provider may not enter into an |
|
agreement with a person to create an account with a digital service |
|
unless the person has registered the person's age with the digital |
|
service provider. |
|
(b) A person who registers the person's age as younger than |
|
18 years of age is considered to be a known minor to the digital |
|
service provider until after the person's 18th birthday. |
|
(c) A digital service provider may not allow a person who |
|
registers the person's age to alter the person's registered age, |
|
unless the alteration process involves a commercially reasonable |
|
review process. |
|
(d) A minor is considered to be a known minor to a digital |
|
service provider if: |
|
(1) the minor registers the minor's age under Section |
|
509.051 as younger than 18 years of age; or |
|
(2) the minor's parent or guardian, including a |
|
verified parent: |
|
(A) notifies a digital service provider that the |
|
minor is younger than 18 years of age; |
|
(B) successfully disputes the registered age of |
|
the minor; or |
|
(C) performs another function of a parent or |
|
guardian under this chapter. |
|
(e) If a minor is a known minor, or if the minor's parent or |
|
guardian, including a verified parent, takes an action under |
|
Subsection (a), a digital service provider: |
|
(1) is considered to have actual knowledge that the |
|
minor is younger than 18 years of age; and |
|
(2) shall treat the minor as a known minor under this |
|
chapter. |
|
Sec. 509.052. DIGITAL SERVICE PROVIDER DUTIES RELATING TO |
|
AGREEMENT WITH MINOR. Unless a verified parent provides otherwise |
|
under Section 509.102, a digital service provider that enters into |
|
an agreement with a known minor for access to a digital service: |
|
(1) shall: |
|
(A) limit collection of the known minor's |
|
personal identifying information to information reasonably |
|
necessary to provide the digital service; and |
|
(B) limit use of the known minor's personal |
|
identifying information to the purpose for which the information |
|
was collected; and |
|
(2) may not: |
|
(A) allow the known minor to make purchases or |
|
engage in other financial transactions through the digital service; |
|
(B) share, disclose, or sell the known minor's |
|
personal identifying information; |
|
(C) use the digital service to collect the known |
|
minor's precise geolocation data; or |
|
(D) use the digital service to display targeted |
|
advertising to the known minor. |
|
Sec. 509.053. DIGITAL SERVICE PROVIDER DUTY TO PREVENT HARM |
|
TO KNOWN MINORS. (a) In relation to a known minor's use of a digital |
|
service, a digital service provider shall develop and implement a |
|
strategy to prevent the known minor's exposure to harmful material |
|
and other content that promotes, glorifies, or facilitates: |
|
(1) suicide, self-harm, or eating disorders; |
|
(2) substance abuse; |
|
(3) stalking, bullying, or harassment; or |
|
(4) grooming, trafficking, child pornography, or |
|
other sexual exploitation or abuse. |
|
(b) A strategy developed under Subsection (a): |
|
(1) must include: |
|
(A) creating and maintaining a comprehensive |
|
list of harmful material or other content described by Subsection |
|
(a) to block from display to a known minor; |
|
(B) using filtering technology and other |
|
protocols to enforce the blocking of material or content on the list |
|
under Paragraph (A); |
|
(C) using hash-sharing technology and other |
|
protocols to identify recurring harmful material or other content |
|
described by Subsection (a); |
|
(D) creating and maintaining a database of |
|
keywords used for filter evasion, such as identifiable |
|
misspellings, hash-tags, or identifiable homoglyphs; |
|
(E) performing standard human-performed |
|
monitoring reviews to ensure efficacy of filtering technology; |
|
(F) making available to users a comprehensive |
|
description of the categories of harmful material or other content |
|
described by Subsection (a) that will be filtered; and |
|
(G) except as provided by Section 509.058, making |
|
available the digital service provider's algorithm code to |
|
independent security researchers; and |
|
(2) may include: |
|
(A) engaging a third party to rigorously review |
|
the digital service provider's content filtering technology; |
|
(B) participating in industry-specific |
|
partnerships to share best practices in preventing access to |
|
harmful material or other content described by Subsection (a); or |
|
(C) conducting periodic independent audits to |
|
ensure: |
|
(i) continued compliance with the digital |
|
service provider's strategy; and |
|
(ii) efficacy of filtering technology and |
|
protocols used by the digital service provider. |
|
Sec. 509.054. DIGITAL SERVICE PROVIDER DUTY TO CREATE |
|
PARENTAL TOOLS. (a) A digital service provider shall create and |
|
provide to a verified parent parental tools to allow the verified |
|
parent to supervise the verified parent's known minor's use of a |
|
digital service. |
|
(b) Parental tools under this section must allow a verified |
|
parent to: |
|
(1) control the known minor's privacy and account |
|
settings; |
|
(2) alter the duties of a digital service provider |
|
under Section 509.052 with regard to the verified parent's known |
|
minor; |
|
(3) if the verified parent alters the duty of a digital |
|
service provider under Section 509.052(2)(A), restrict the ability |
|
of the verified parent's known minor to make purchases or engage in |
|
financial transactions; and |
|
(4) monitor and limit the amount of time the verified |
|
parent's known minor spends using the digital service. |
|
Sec. 509.055. DIGITAL SERVICE PROVIDER DUTIES REGARDING |
|
ADVERTISING AND MARKETING. A digital service provider shall make a |
|
commercially reasonable effort to prevent advertisers on the |
|
digital service provider's digital service from targeting a known |
|
minor with advertisements that facilitate, promote, or offer a |
|
product, service, or activity that is unlawful for a minor in this |
|
state to use or engage in. |
|
Sec. 509.056. USE OF ALGORITHMS. A digital service |
|
provider that uses algorithms to automate the suggestion, |
|
promotion, or ranking of information to known minors on the digital |
|
service shall: |
|
(1) make a commercially reasonable effort to ensure |
|
that the algorithm does not interfere with the digital service |
|
provider's duties under Section 509.053; and |
|
(2) disclose in the digital service provider's terms |
|
of service, privacy policy, or similar document, in a clear and |
|
accessible manner, an overview of: |
|
(A) the manner in which the digital service uses |
|
algorithms to provide information or content; |
|
(B) the manner in which algorithms promote, rank, |
|
or filter information or content; and |
|
(C) the personal identifying information used as |
|
inputs to provide information or content. |
|
Sec. 509.057. DIGITAL SERVICE PROVIDER DUTY AS TO HARMFUL |
|
MATERIAL. (a) A digital service provider as defined by Section |
|
509.001 that knowingly publishes or distributes material, more than |
|
one-third of which is harmful material or obscene as defined by |
|
Section 43.21, Penal Code, must use a commercially reasonable age |
|
verification method to verify that any person seeking to access |
|
content on or through the provider's digital service is 18 years of |
|
age or older. |
|
(b) If a person seeking to access content on or through the |
|
digital service of a provider for which age verification is |
|
required under this section is not 18 years of age or older, the |
|
digital service provider may not enter into an agreement with the |
|
person for access to the digital service. |
|
Sec. 509.058. PROTECTION OF TRADE SECRETS. Nothing in this |
|
subchapter may be construed to require a digital service provider |
|
to disclose a trade secret. |
|
Sec. 509.059. USE OF KNOWN MINOR'S PERSONAL IDENTIFYING |
|
INFORMATION FOR CERTAIN PURPOSES. Nothing in this subchapter may be |
|
construed to prevent a digital service provider from collecting, |
|
processing, or sharing a known minor's personal identifying |
|
information in a manner necessary to: |
|
(1) comply with a civil, criminal, or regulatory |
|
inquiry, investigation, subpoena, or summons by a governmental |
|
entity; |
|
(2) comply with a law enforcement investigation; |
|
(3) detect, block, or prevent the distribution of |
|
unlawful, obscene, or other harmful material to a known minor; |
|
(4) block or filter spam; |
|
(5) prevent criminal activity; or |
|
(6) protect the security of a digital service. |
|
SUBCHAPTER C. VERIFIED PARENTS |
|
Sec. 509.101. VERIFICATION OF PARENT OR GUARDIAN. (a) A |
|
digital service provider shall verify, using a commercially |
|
reasonable method and for each person seeking to perform an action |
|
on a digital service as a minor's parent or guardian: |
|
(1) the person's identity; and |
|
(2) the relationship of the person to the known minor. |
|
(b) A digital service provider shall provide a process by |
|
which a person who has been verified under Subsection (a) as the |
|
parent or guardian of a known minor may participate in the digital |
|
service as the known minor's verified parent as provided by this |
|
chapter. |
|
Sec. 509.102. POWERS OF VERIFIED PARENT. (a) A verified |
|
parent is entitled to alter the duties of a digital service provider |
|
under Section 509.052 with regard to the verified parent's known |
|
minor. |
|
(b) A verified parent is entitled to supervise the verified |
|
parent's known minor's use of a digital service using tools provided |
|
by a digital service provider under Section 509.054. |
|
Sec. 509.103. ACCESS TO KNOWN MINOR'S PERSONAL IDENTIFYING |
|
INFORMATION. (a) A known minor's verified parent may submit a |
|
request to a digital service provider to: |
|
(1) review and download any personal identifying |
|
information associated with the minor in the possession of the |
|
digital service provider; and |
|
(2) delete any personal identifying information |
|
associated with the minor collected or processed by the digital |
|
service provider. |
|
(b) A digital service provider shall establish and make |
|
available on the digital service provider's digital service a |
|
method by which a known minor's parent or guardian may make a |
|
request for access under this section. |
|
Sec. 509.104. MINOR IN CONSERVATORSHIP OF DEPARTMENT OF |
|
FAMILY AND PROTECTIVE SERVICES. If a minor is in the |
|
conservatorship of the Department of Family and Protective |
|
Services, the department may designate the minor's caregiver or a |
|
member of the department's staff to perform the functions of the |
|
minor's parent or guardian under this chapter. |
|
SUBCHAPTER D. ENFORCEMENT |
|
Sec. 509.151. DECEPTIVE TRADE PRACTICE; ENFORCEMENT BY |
|
ATTORNEY GENERAL. A violation of this chapter is a deceptive act or |
|
practice actionable under Subchapter E, Chapter 17, solely as an |
|
enforcement action by the consumer protection division of the |
|
attorney general's office. |
|
Sec. 509.152. PRIVATE CAUSE OF ACTION. (a) Except as |
|
provided by Subsection (b), this chapter may not be construed as |
|
providing a basis for, or being subject to, a private right of |
|
action for a violation of this chapter. |
|
(b) If a digital service provider violates this chapter, the |
|
parent or guardian of a known minor affected by that violation may |
|
bring a cause of action seeking: |
|
(1) a declaratory judgment under Chapter 37, Civil |
|
Practice and Remedies Code; or |
|
(2) an injunction against the digital service |
|
provider. |
|
(c) A court may not certify an action brought under this |
|
section as a class action. |
|
ARTICLE 3. USE AND TRANSFER OF ELECTRONIC DEVICES BY STUDENTS |
|
SECTION 3.01. The heading to Subchapter C, Chapter 32, |
|
Education Code, is amended to read as follows: |
|
SUBCHAPTER C. TRANSFER OF DATA PROCESSING EQUIPMENT AND ELECTRONIC |
|
DEVICES TO STUDENTS |
|
SECTION 3.02. Section 32.101, Education Code, is amended to |
|
read as follows: |
|
Sec. 32.101. DEFINITIONS [DEFINITION]. In this subchapter: |
|
(1) "Data [, "data] processing" has the meaning |
|
assigned by Section 2054.003, Government Code. |
|
(2) "Electronic device" means a device that is capable |
|
of connecting to a cellular network or the Internet, including: |
|
(A) a computer; |
|
(B) a smartphone; or |
|
(C) a tablet. |
|
(3) "Internet filter" means a software application |
|
that is capable of preventing an electronic device from accessing |
|
certain websites or displaying certain online material. |
|
SECTION 3.03. Subchapter C, Chapter 32, Education Code, is |
|
amended by adding Section 32.1021 to read as follows: |
|
Sec. 32.1021. STANDARDS. The agency shall adopt standards |
|
for permissible electronic devices and software applications used |
|
by a school district or open-enrollment charter school. In adopting |
|
the standards, the agency must: |
|
(1) minimize data collection conducted on students |
|
through electronic devices and software applications; |
|
(2) ensure direct and informed parental consent is |
|
required for a student's use of a software application, other than a |
|
software application necessary for the administration of: |
|
(A) an assessment instrument under Subchapter B, |
|
Chapter 39; or |
|
(B) an assessment relating to college, career, or |
|
military readiness for which student performance is considered in |
|
evaluating a school district's performance under Section 39.054; |
|
(3) ensure software applications do not conduct mental |
|
health assessments or other assessments unrelated to educational |
|
curricula that are intended to collect information about students |
|
without direct and informed parental consent; |
|
(4) ensure that parents are provided the resources |
|
necessary to understand cybersecurity risks and online safety |
|
regarding their child's use of electronic devices before the child |
|
uses an electronic device at the child's school; |
|
(5) specify periods of time during which an electronic |
|
device transferred to a student must be deactivated in the interest |
|
of student safety; |
|
(6) consider necessary adjustments by age level to the |
|
use of electronic devices in the classroom to foster development of |
|
students' abilities regarding spending school time and completing |
|
assignments without the use of an electronic device; |
|
(7) consider appropriate restrictions on student |
|
access to social media websites or applications with an electronic |
|
device transferred to a student by a district or school; |
|
(8) require a district or school, before using a |
|
social media application for an educational purpose, to determine |
|
that an alternative application that is more secure and provides |
|
the same educational functionality as the social media application |
|
is unavailable for that educational purpose; |
|
(9) consider the required use of an Internet filter |
|
capable of notifying appropriate school administrators, who are |
|
then required to notify the student's parent, if a student accesses |
|
inappropriate or concerning content or words, including content |
|
related to: |
|
(A) self-harm; |
|
(B) suicide; |
|
(C) violence to others; or |
|
(D) illicit drugs; |
|
(10) assign to the appropriate officer of a district |
|
or school the duty to receive complaints or concerns regarding |
|
student use of electronic devices, including cybersecurity and |
|
online safety concerns, from district or school staff, other |
|
students, or parents; and |
|
(11) provide methods by which a district or school may |
|
ensure an operator, as that term is defined by Section 32.151, that |
|
contracts with the district or school to provide software |
|
applications complies with Subchapter D. |
|
SECTION 3.04. Section 32.104, Education Code, is amended to |
|
read as follows: |
|
Sec. 32.104. REQUIREMENTS FOR TRANSFER. Before |
|
transferring data processing equipment or an electronic device to a |
|
student, a school district or open-enrollment charter school must: |
|
(1) adopt rules governing transfers under this |
|
subchapter, including provisions for technical assistance to the |
|
student by the district or school; |
|
(2) determine that the transfer serves a public |
|
purpose and benefits the district or school; [and] |
|
(3) remove from the equipment any offensive, |
|
confidential, or proprietary information, as determined by the |
|
district or school; |
|
(4) adopt rules establishing programs promoting |
|
parents as partners in cybersecurity and online safety that involve |
|
parents in students' use of transferred equipment or electronic |
|
devices; and |
|
(5) for the transfer of an electronic device to be used |
|
for an educational purpose, install an Internet filter that blocks |
|
and prohibits pornographic or obscene materials or applications, |
|
including from unsolicited pop-ups, installations, and downloads. |
|
ARTICLE 4. STUDY OF EFFECTS OF MEDIA ON MINORS |
|
SECTION 4.01. (a) A joint committee of the legislature |
|
shall conduct a study on the effects of media on minors. |
|
(b) The joint committee shall consist of: |
|
(1) members of the house of representatives appointed |
|
by the speaker of the house of representatives; and |
|
(2) members of the senate appointed by the lieutenant |
|
governor. |
|
(c) In conducting the study, members of the joint committee |
|
shall confer with experts on the subject. |
|
(d) The members of the joint committee shall examine: |
|
(1) the health and developmental effects of media on |
|
minors; and |
|
(2) the effects of exposure by a minor to various forms |
|
of media, including: |
|
(A) social media platforms; |
|
(B) software applications; |
|
(C) Internet websites; |
|
(D) television programming; |
|
(E) motion pictures and film; |
|
(F) artificial intelligence; |
|
(G) mobile devices; |
|
(H) computers; |
|
(I) video games; |
|
(J) virtual and augmented reality; and |
|
(K) other media formats the joint committee |
|
considers necessary. |
|
ARTICLE 5. TRANSITION AND EFFECTIVE DATE |
|
SECTION 5.01. If any provision of this Act or its |
|
application to any person or circumstance is held invalid, the |
|
invalidity does not affect other provisions or applications of this |
|
Act that can be given effect without the invalid provision or |
|
application, and to this end the provisions of this Act are declared |
|
to be severable. |
|
SECTION 5.02. Article 3 of this Act applies beginning with |
|
the 2023-2024 school year. |
|
SECTION 5.03. (a) Except as provided by Subsection (b) of |
|
this section, this Act takes effect September 1, 2024. |
|
(b) Article 3 of this Act takes effect immediately if it |
|
receives a vote of two-thirds of all the members elected to each |
|
house, as provided by Section 39, Article III, Texas Constitution. |
|
If this Act does not receive the vote necessary for immediate |
|
effect, Article 3 of this Act takes effect September 1, 2023. |
|
|
|
______________________________ |
______________________________ |
|
President of the Senate |
Speaker of the House |
|
|
|
I certify that H.B. No. 18 was passed by the House on April |
|
26, 2023, by the following vote: Yeas 125, Nays 20, 1 present, not |
|
voting; and that the House concurred in Senate amendments to H.B. |
|
No. 18 on May 28, 2023, by the following vote: Yeas 120, Nays 21, 2 |
|
present, not voting. |
|
|
|
______________________________ |
|
Chief Clerk of the House |
|
|
I certify that H.B. No. 18 was passed by the Senate, with |
|
amendments, on May 23, 2023, by the following vote: Yeas 31, Nays |
|
0. |
|
|
|
______________________________ |
|
Secretary of the Senate |
|
APPROVED: __________________ |
|
Date |
|
|
|
__________________ |
|
Governor |