| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the regulation of Internet products, services, and |
|
|
features accessed by children; providing a civil penalty. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Subtitle C, Title 5, Business & Commerce Code, is |
|
|
amended by adding Chapter 121 to read as follows: |
|
|
CHAPTER 121. INTERNET PRODUCTS, SERVICES, AND FEATURES ACCESSED |
|
|
BY CHILDREN |
|
|
SUBCHAPTER A. GENERAL PROVISIONS |
|
|
Sec. 121.001. DEFINITIONS. In this chapter: |
|
|
(1) "Child" means an individual younger than 18 years |
|
|
of age. |
|
|
(2) "Consumer" has the meaning assigned by Section |
|
|
20.01. |
|
|
(3) "Personal identifying information" has the |
|
|
meaning assigned by Section 521.002. |
|
|
SUBCHAPTER B. DUTIES AND PROHIBITIONS |
|
|
Sec. 121.051. DATA PROTECTION IMPACT ASSESSMENT REQUIRED. |
|
|
(a) Except as provided by Subsection (d), a person shall conduct a |
|
|
data protection impact assessment to assess and mitigate risks |
|
|
posed to a child who accesses a product, service, or feature |
|
|
provided by the person if the person: |
|
|
(1) provides a product, service, or feature to a |
|
|
consumer in this state through an Internet website that is likely to |
|
|
be accessed by a child; |
|
|
(2) collects a consumer's personal identifying |
|
|
information; and |
|
|
(3) in the preceding year: |
|
|
(A) generated more than $25 million in annual |
|
|
gross revenue; |
|
|
(B) collected or used the personal identifying |
|
|
information of more than 50,000 consumers; or |
|
|
(C) generated more than half of the person's |
|
|
annual gross revenue from the collection and sale of a consumer's |
|
|
personal identifying information. |
|
|
(b) An assessment under this section must: |
|
|
(1) identify: |
|
|
(A) the purpose of the product, service, or |
|
|
feature; |
|
|
(B) the manner in which the product, service, or |
|
|
feature uses personal identifying information; and |
|
|
(C) any risks to children posed by the manner in |
|
|
which the product, service, or feature uses personal identifying |
|
|
information; and |
|
|
(2) assess: |
|
|
(A) whether the product, service, or feature |
|
|
poses a risk of exposing a child to harmful content; |
|
|
(B) whether the algorithms or advertising |
|
|
systems used by the product, service, or feature pose a risk of |
|
|
exposing a child to harmful content; and |
|
|
(C) the manner in which the product, service, or |
|
|
feature: |
|
|
(i) uses design features to increase or |
|
|
extend use of the product by a child; and |
|
|
(ii) collects and processes the child's |
|
|
personal identifying information. |
|
|
(c) For the purposes of this section: |
|
|
(1) a product, service, or feature is considered |
|
|
likely to be accessed by a child if the product, service, or |
|
|
feature: |
|
|
(A) is intended, wholly or partly, to be used by a |
|
|
child; |
|
|
(B) is routinely accessed by children; |
|
|
(C) is substantially similar to another product, |
|
|
service, or feature that is routinely accessed by children; |
|
|
(D) is marketed to children; or |
|
|
(E) has design elements that are known to |
|
|
interest children, including games, cartoons, music, and content |
|
|
pertaining to celebrities of interest to children; and |
|
|
(2) content is considered harmful if the content is |
|
|
reasonably likely to have a detrimental impact on a child's |
|
|
physical, mental, or emotional health. |
|
|
(d) This section does not apply to a person who: |
|
|
(1) is required to maintain and disseminate a privacy |
|
|
policy under the Health Insurance Portability and Accountability |
|
|
Act of 1996 (42 U.S.C. Section 1320d et seq.); or |
|
|
(2) provides a product, service, or feature to a |
|
|
consumer through an Internet website if the product, service, or |
|
|
feature is: |
|
|
(A) a broadband service; |
|
|
(B) a telecommunications service; or |
|
|
(C) a service that involves the delivery or use |
|
|
of a physical product. |
|
|
Sec. 121.052. IMPACT MANAGEMENT PLAN REQUIRED. A person |
|
|
required to conduct a data protection impact assessment under |
|
|
Section 121.051 shall develop an impact management plan to mitigate |
|
|
or eliminate any risks identified in the assessment. The plan must |
|
|
include defined goals and a timeline to achieve those goals. |
|
|
Sec. 121.053. PROVISION OF ASSESSMENT TO ATTORNEY GENERAL. |
|
|
(a) On the request of the attorney general, a person required to |
|
|
conduct a data protection impact assessment under Section 121.051 |
|
|
shall, not later than the third business day after the person |
|
|
receives the request, provide a list of data protection impact |
|
|
assessments conducted by the person under Section 121.051. The |
|
|
list must include the product, service, or feature assessed and the |
|
|
date of the assessment. |
|
|
(b) On the request of the attorney general, a person |
|
|
required to conduct a data protection impact assessment under |
|
|
Section 121.051 shall, not later than the fifth business day after |
|
|
the person receives the request, provide a copy of a data protection |
|
|
impact assessment conducted by the person. |
|
|
(c) Production of a data protection impact assessment under |
|
|
this section does not constitute a waiver of attorney-client |
|
|
privilege or attorney work product protection. |
|
|
Sec. 121.054. PROTECTION OF PERSONAL IDENTIFYING |
|
|
INFORMATION. (a) A person required to conduct a data protection |
|
|
impact assessment under Section 121.051 shall: |
|
|
(1) estimate the age of an individual using a product, |
|
|
service, or feature, and, in the case of a child: |
|
|
(A) configure default settings of a product, |
|
|
service, or feature to a high level of privacy, unless the person |
|
|
can demonstrate a compelling reason that alternate settings are in |
|
|
the best interest of a child; and |
|
|
(B) provide privacy information, terms of |
|
|
service, policies, and community standards for a product, service, |
|
|
or feature in a clear and concise manner able to be understood by a |
|
|
child; or |
|
|
(2) apply the requirements of Subdivisions (1)(A) and |
|
|
(B) to all users of the product, service, or feature. |
|
|
(b) If a product, service, or feature allows for another |
|
|
person to monitor or track a child, a person required to conduct a |
|
|
data protection impact assessment under Section 121.051 shall |
|
|
ensure the product, service, or feature provides an obvious signal |
|
|
to a child when the product, service, or feature is monitoring or |
|
|
tracking the child. |
|
|
(c) A person required to conduct a data protection impact |
|
|
assessment under Section 121.051 shall enforce any terms, policies, |
|
|
and community standards established by the person, including any |
|
|
policies concerning use of a product by a child. |
|
|
(d) A person required to conduct a data protection impact |
|
|
assessment under Section 121.051 shall provide tools to help a |
|
|
child or the child's parent or guardian exercise privacy rights and |
|
|
report concerns relating to privacy. A tool under this subsection |
|
|
must be prominently displayed, easily accessible, and responsive to |
|
|
requests by a child or the child's parent or guardian. |
|
|
Sec. 121.055. IMPROPER USE OF PERSONAL IDENTIFYING |
|
|
INFORMATION. (a) A person required to conduct a data protection |
|
|
impact assessment under Section 121.051 may not use a child's |
|
|
personal identifying information for any purpose that is not: |
|
|
(1) necessary to provide a product, service, or |
|
|
feature; or |
|
|
(2) the reason for which the person collected the |
|
|
personal identifying information. |
|
|
(b) A person required to conduct a data protection impact |
|
|
assessment under Section 121.051 may not use a child's personal |
|
|
identifying information in a manner that could: |
|
|
(1) expose the child to harmful content, as described |
|
|
by Section 121.051(c); or |
|
|
(2) be detrimental to the physical or mental health |
|
|
and well-being of the child. |
|
|
(c) This section does not affect the ability of a person to |
|
|
which this chapter applies to disclose personal identifying |
|
|
information in a manner necessary to comply with a request by a |
|
|
governmental entity or law enforcement. |
|
|
Sec. 121.056. IMPROPER PROFILING OF CHILD. (a) In this |
|
|
section, "profile" means the automated process of using personal |
|
|
identifying information to analyze specific aspects of an |
|
|
individual's demographic characteristics. |
|
|
(b) A person required to conduct a data protection impact |
|
|
assessment under Section 121.051 may not profile a child unless: |
|
|
(1) the profiling is either: |
|
|
(A) necessary to provide a product, service, or |
|
|
feature; or |
|
|
(B) in the best interests of the child; and |
|
|
(2) the person has implemented safeguards to prevent |
|
|
the child from accessing harmful content, as described by Section |
|
|
121.051(c). |
|
|
Sec. 121.057. IMPROPER USE OF GEOLOCATION DATA. (a) A |
|
|
person required to conduct a data protection impact assessment |
|
|
under Section 121.051 may not collect the precise geolocation data |
|
|
of a child unless the business's product, service, or feature |
|
|
provides an obvious sign to the child for the duration of the |
|
|
collection process that the child's precise geolocation data is |
|
|
being collected. |
|
|
(b) A person required to conduct a data protection impact |
|
|
assessment under Section 121.051 may not collect, use, or sell the |
|
|
precise geolocation data of a child unless the collection, use, or |
|
|
sale is necessary for the person to provide a product, service, or |
|
|
feature to the child. |
|
|
Sec. 121.058. USE OF DECEPTIVE DESIGN ELEMENTS PROHIBITED. |
|
|
A person required to conduct a data protection impact assessment |
|
|
under Section 121.051 may not use deceptive design elements |
|
|
intended to induce a child to provide more personal identifying |
|
|
information than is necessary under this chapter. |
|
|
SUBCHAPTER C. DATA PROTECTION WORK GROUP |
|
|
Sec. 121.101. DATA PROTECTION WORK GROUP. (a) In this |
|
|
section, "work group" means the work group established under this |
|
|
section. |
|
|
(b) The consumer protection division of the attorney |
|
|
general's office shall establish a work group to promote business |
|
|
practices that protect the personal identifying information of |
|
|
consumers. The work group consists of: |
|
|
(1) two members appointed by the governor; |
|
|
(2) two members appointed by the lieutenant governor; |
|
|
(3) two members appointed by the speaker of the house |
|
|
of representatives; and |
|
|
(4) two members appointed by the attorney general. |
|
|
(c) To be eligible to serve as a member of the work group, a |
|
|
person must have expertise in two or more of the following areas: |
|
|
(1) children's data privacy; |
|
|
(2) physical health; |
|
|
(3) mental health and well-being; |
|
|
(4) computer science; or |
|
|
(5) children's rights. |
|
|
(d) A member of the work group receives no compensation for |
|
|
serving on the work group but may be reimbursed for travel or other |
|
|
expenses incurred while conducting the business of the work group. |
|
|
(e) The work group shall solicit input from stakeholders and |
|
|
prepare recommendations for the legislature on ways to protect the |
|
|
personal identifying information of children in this state. |
|
|
(f) Not later than January 1 of each odd-numbered year, the |
|
|
work group shall submit to the legislature a report of the work |
|
|
group's findings and recommendations. The report must: |
|
|
(1) identify products likely to be used by children; |
|
|
(2) evaluate and prioritize the best interests of |
|
|
children; |
|
|
(3) evaluate the manner in which the best interests of |
|
|
children may be furthered by the products in Subdivision (1); |
|
|
(4) evaluate whether the risks posed by the products |
|
|
in Subdivision (1) are proportional to the safeguards put in place |
|
|
by businesses; |
|
|
(5) suggest ways to assess and mitigate risks to |
|
|
children that arise from the products identified under Subdivision |
|
|
(1); and |
|
|
(6) identify best methods of publishing privacy |
|
|
information, terms of service, policies, and community standards |
|
|
for a product in a clear and concise manner able to be understood by |
|
|
a child. |
|
|
(g) This section expires on January 1, 2033. |
|
|
SUBCHAPTER D. ENFORCEMENT |
|
|
Sec. 121.151. CIVIL PENALTY. (a) A person who violates |
|
|
this chapter is liable to the state for a civil penalty in an amount |
|
|
not to exceed: |
|
|
(1) $2,500 for each child exposed to harmful content |
|
|
as described by Section 121.051(c) as a result of a negligent |
|
|
violation; and |
|
|
(2) $7,500 for each child exposed to harmful content |
|
|
as described by Section 121.051(c) as a result of an intentional |
|
|
violation. |
|
|
(b) The attorney general may bring suit to recover a civil |
|
|
penalty imposed under this section. The attorney general may |
|
|
recover attorney's fees and costs incurred in bringing an action |
|
|
under this section. |
|
|
(c) The action may be brought in a district court in: |
|
|
(1) Travis County; or |
|
|
(2) a county in which any part of the violation or |
|
|
threatened violation occurs. |
|
|
(d) The attorney general shall deposit a civil penalty |
|
|
collected under this section in the state treasury to the credit of |
|
|
the general revenue fund. |
|
|
Sec. 121.152. REQUIRED NOTICE. (a) If a person who |
|
|
violates this chapter is in substantial compliance with the |
|
|
requirements under Sections 121.051, 121.052, and 121.053, the |
|
|
attorney general shall, before bringing suit under Section 121.151, |
|
|
issue a notice to the person identifying the provisions of this |
|
|
chapter that the attorney general alleges to have been violated by |
|
|
the person. |
|
|
(b) It shall be a complete defense to suit under Section |
|
|
121.151 if, not later than the 90th day after receiving a notice |
|
|
under Subsection (a), a person cures any violation of this chapter |
|
|
and provides notice to the attorney general of the measures taken to |
|
|
cure the violation and prevent further violations. |
|
|
Sec. 121.153. NO PRIVATE CAUSE OF ACTION. Nothing in this |
|
|
chapter may be construed to create a private cause of action for a |
|
|
violation of this chapter. |
|
|
Sec. 121.154. RULES. The attorney general shall adopt |
|
|
rules to implement this chapter. |
|
|
SECTION 2. This Act takes effect September 1, 2023. |