By: Slawson H.B. No. 18
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the protection of minors from harmful, deceptive, or
  unfair trade practices in connection with the use of certain
  digital services.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subtitle A, Title 11, Business & Commerce Code,
  is amended by adding Chapter 509 to read as follows:
  CHAPTER 509. COLLECTION OR USE OF MINORS' PERSONAL IDENTIFYING
  INFORMATION BY DIGITAL SERVICE PROVIDERS
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 509.001.  DEFINITIONS. In this chapter:
               (1)  "Digital service" means a website, an application,
  a program, or software that performs collection or processing
  functions with Internet connectivity.
               (2)  "Digital service provider" means a person who owns
  or operates a digital service.
               (3)  "Minor" means a child who is at least 13 years of
  age but younger than 18 years of age.
               (4)  "Personal identifying information" means any
  information linked or reasonably linked to a specific minor,
  including:
                     (A)  a name, account name, alias, or online
  identifier;
                     (B)  a home or other physical address;
                     (C)  an Internet Protocol (IP) address or e-mail
  address;
                     (D)  a social security number;
                     (E)  a telephone number;
                     (F)  a driver's license number or state
  identification card number;
                     (G)  a passport number;
                     (H)  physical characteristics or description;
                     (I)  race, ethnicity, or national origin;
                     (J)  religion or faith;
                     (K)  sex, gender, or sexual orientation;
                     (L)  family status;
                     (M)  disability status;
                     (N)  political affiliation;
                     (O)  commercial information, including:
                           (i)  records relating to personal property;
                           (ii)  products or services the minor
  purchased, obtained, or considered; or
                           (iii)  other histories, interests, or
  tendencies in consumption;
                     (P)  biometric information;
                     (Q)  device identifiers, online identifiers,
  persistent identifiers, or digital fingerprinting information;
                     (R)  Internet, browsing, or search history,
  including any information relating to a minor's use of an Internet
  website;
                     (S)  geolocation information;
                     (T)  audio, electronic, visual, thermal,
  olfactory, or similar information, including facial recognition;
                     (U)  educational information;
                     (V)  health information;
                     (W)  the contents of, attachments to, and parties
  to text messages, e-mails, voicemails, audio conversations, and
  video conversations;
                     (X)  financial information, including:
                           (i)  bank account numbers;
                           (ii)  credit card numbers;
                           (iii)  debit card numbers;
                           (iv)  insurance policy numbers; or
                           (v)  information related to the balance of
  any financial accounts; or
                     (Y)  any inferences drawn from personal
  identifying information that might identify a minor's traits,
  characteristics, or trends.
         Sec. 509.002.  APPLICABILITY. (a) This chapter applies to a
  digital service provider that:
               (1)  collects or processes the personal identifying
  information of minors; and
               (2)  either:
                     (A)  targets minors; or
                     (B)  knows or should know that the digital service
  appeals to minors.
         (b)  For purposes of Subsection (a):
               (1)  a digital service targets or appeals to minors if:
                     (A)  the digital service contains subject matter
  that is tailored toward minors, including:
                           (i)  animated characters;
                           (ii)  instruction or activities intended for
  minors;
                           (iii)  music or audio popular among minors;
                           (iv)  images containing:
                                 (a)  models who are minors; or
                                 (b)  celebrities who are minors or who
  are popular among minors;
                           (v)  colloquial use of language that is
  common among minors; or
                           (vi)  advertisements intended for minors; or
                     (B)  empirical evidence obtained by the digital
  service provider, an advertiser, the press, third-party
  complaints, or another entity that conducts privacy and security
  impact assessments demonstrates that:
                           (i)  many users of the digital service are
  minors; or
                           (ii)  the intended audience for the digital
  service is minors; and
               (2)  a digital service does not target or appeal to
  minors by referring or linking to a digital service that targets or
  appeals to minors.
  SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS
         Sec. 509.051.  DIGITAL SERVICE PROVIDER DUTY TO PREVENT
  HARM. (a) A digital service provider shall prevent physical,
  emotional, and developmental harm to a minor using a digital
  service, including:
               (1)  self harm, suicide, eating disorders, and other
  similar behaviors;
               (2)  substance abuse and patterns of use that indicate
  addiction;
               (3)  bullying and harassment;
               (4)  sexual exploitation, including enticement,
  grooming, trafficking, abuse, and child pornography;
               (5)  advertisements for products or services that are
  unlawful for a minor, including illegal drugs, tobacco, gambling,
  pornography, and alcohol; and
               (6)  predatory, unfair, or deceptive marketing
  practices.
         (b)  A digital service provider shall ensure that a minor is
  not exposed to a type of harm described by Subsection (a).
         Sec. 509.052.  PROHIBITION ON COLLECTION OF PERSONAL
  IDENTIFYING INFORMATION; EXEMPTIONS. (a) Except as provided by this
  section, a digital service provider may not collect a minor's
  personal identifying information.
         (b)  A digital service provider may collect a minor's
  personal identifying information for employment purposes.
         (c)  A digital service provider may collect a minor's
  personal identifying information if the minor's parent or guardian
  consents in a manner that:
               (1)  is specific, informed, and unambiguous;
               (2)  takes into account:
                     (A)  the minor's age; and
                     (B)  the minor's developmental and cognitive
  needs and capabilities;
               (3)  is for only a single specific act of collection or
  processing of personal identifying information;
               (4)  occurs in the absence of any financial or other
  incentive;
               (5)  occurs before the collection or processing of the
  minor's personal identifying information;
               (6)  occurs in a time, place, and manner that the
  minor's parent or guardian would expect the consent to be sought;
  and
               (7)  is not deceptive or coercive.
         (d)  A digital service provider may collect a minor's
  personal identifying information without the consent of the minor's
  parent or guardian if:
               (1)  the personal identifying information is a form of
  online contact information that:
                     (A)  is used to respond to a single specific
  request made by the minor;
                     (B)  is not used to contact the minor in any other
  way; and
                     (C)  is not retained by the digital service
  provider once a response has been made;
               (2)  the personal identifying information is for the
  purpose of receiving consent under Subsection (c) and is not
  retained by the digital service provider after:
                     (A)  the minor's parent or guardian gives consent
  under Subsection (c); or
                     (B)  eight hours after the personal identifying
  information is collected; or
               (3)  the personal identifying information is necessary
  to respond to judicial process or comply with a law enforcement
  agency on a matter related to public safety.
         (e)  A digital service provider that collects a minor's
  personal identifying information with the consent of the minor's
  parent or guardian shall set the minor's digital service to the
  strongest settings available to protect the minor from harm, as
  described by Section 509.051(a).
         Sec. 509.053.  PARENTAL TOOLS. (a) A digital service
  provider shall make available to each parent or guardian who gives
  consent under Section 509.052 parental tools to allow the parent or
  guardian to supervise the minor's use of the digital service.
         (b)  Parental tools under this section must allow a parent or
  guardian to:
               (1)  control the minor's privacy and account settings,
  including the settings described by Section 509.052(e);
               (2)  restrict the ability of a minor to make purchases
  and financial transactions;
               (3)  monitor the amount of time the minor spends using
  the digital service; and
               (4)  disable any default parental controls placed on
  the digital service.
         Sec. 509.054.  ACCESS TO PERSONAL IDENTIFYING INFORMATION.
  (a) A minor or minor's parent or guardian may submit a request to a
  digital service provider to access the minor's personal identifying
  information.
         (b)  A digital service provider shall establish and make
  available a simple and easily accessible method by which a minor or
  a minor's parent or guardian may make a request for information
  under this section.
         (c)  The method established under Subsection (b) must allow a
  minor or minor's parent or guardian to access:
               (1)  all of the minor's personal identifying
  information in the digital service provider's possession that the
  provider has collected or processed, organized by:
                     (A)  type of personal identifying information;
  and
                     (B)  purpose for which the digital service
  provider processed each type of personal identifying information;
               (2)  the name of each third party to which the digital
  service provider disclosed the personal identifying information,
  if applicable;
               (3)  each source other than the minor from which the
  digital service provider obtained the minor's personal identifying
  information;
               (4)  the length of time for which the digital service
  provider will retain the minor's personal identifying information;
               (5)  any index or score assigned to the minor as a
  result of the personal identifying information, including whether
  the digital service provider created the index or score and, if not,
  who created the index or score;
               (6)  the manner in which the digital service provider
  uses an index or score under Subdivision (5);
               (7)  a method by which a minor or minor's parent or
  guardian may:
                     (A)  dispute the accuracy of any personal
  identifying information collected or processed by the digital
  service provider; and
                     (B)  request that the digital service provider
  correct any personal identifying information collected or
  processed by the digital service provider; and
               (8)  a method by which a minor or minor's parent or
  guardian may request that the digital service provider delete any
  personal identifying information collected or processed by the
  digital service provider.
         (d)  If a digital service provider receives a request under
  Subsection (c)(7), the digital service provider shall, not later
  than the 45th day after the request is made:
               (1)  determine whether the relevant personal
  identifying information is inaccurate or incomplete; and
               (2)  make any corrections necessary.
         (e)  If a digital service provider receives a request under
  Subsection (c)(8), the digital service provider shall delete the
  personal identifying information specified by the request not later
  than the 45th day after the request is made.
         Sec. 509.055.  ADVERTISING AND MARKETING DUTIES. A digital
  service provider that allows advertisers to advertise to minors on
  the digital service shall disclose in a clear and accessible
  manner:
               (1)  the name of each product, service, or brand
  advertising on the digital service;
               (2)  the subject matter of each advertisement or
  marketing material on the digital service;
               (3)  if the digital service provider or advertiser
  targets advertisements to minors on the digital service, the reason
  why each advertisement has been targeted to a minor;
               (4)  the way in which a minor's personal identifying
  information leads to each advertisement targeted to the minor; and
               (5)  whether certain media on the digital service are
  advertisements.
         Sec. 509.056.  USE OF ALGORITHMS. A digital service provider
  that uses algorithms to automate the suggestion, promotion, or
  ranking of information to minors on the digital service shall:
               (1)  ensure that the algorithm does not interfere with
  the digital service provider's duties under Section 509.051; and
               (2)  disclose in the digital service provider's terms
  of service, in a clear and accessible manner:
                     (A)  an overview of the manner in which the
  digital service uses algorithms to provide information to minors;
                     (B)  an overview of the manner in which those
  algorithms use the personal identifying information of minors;
                     (C)  options available to a minor and a minor's
  parent or guardian to modify the results of information provided by
  the algorithm, including the ability to opt out of or down-rank
  certain information; and
                     (D)  the ability minors have to opt out of using
  the algorithm.
         Sec. 509.057.  PROHIBITION ON LIMITING OR DISCONTINUING
  DIGITAL SERVICE. A digital service provider may not limit or
  discontinue a digital service provided to a minor because the minor
  or minor's parent or guardian withholds or withdraws consent to the
  collection or processing of any personal identifying information
  not required to provide the digital service.
  SUBCHAPTER C. ENFORCEMENT
         Sec. 509.101.  CIVIL ACTION; LIABILITY. (a) A minor's parent
  or guardian may bring an action against a digital service provider
  for a violation of this chapter.
         (b)  Notwithstanding Sections 41.003 and 41.004, Civil
  Practice and Remedies Code, a parent or guardian who prevails in an
  action under this section is entitled to receive:
               (1)  injunctive relief;
               (2)  actual damages;
               (3)  punitive damages;
               (4)  reasonable attorney's fees;
               (5)  court costs; and
               (6)  any other relief the court deems appropriate.
         (c)  A violation of this chapter constitutes an injury in
  fact to the minor.
         Sec. 509.102.  DECEPTIVE TRADE PRACTICE. A violation of this
  chapter is a false, misleading, or deceptive act or practice as
  defined by Section 17.46(b). In addition to any remedy under this
  chapter, a remedy under Subchapter E, Chapter 17, is also available
  for a violation of this chapter.
         SECTION 2.  This Act takes effect September 1, 2024.