[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4801 Introduced in House (IH)]
117th CONGRESS
1st Session
H. R. 4801
To amend the Children's Online Privacy Protection Act of 1998 to update
and expand the coverage of such Act, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
July 29, 2021
Ms. Castor of Florida introduced the following bill; which was referred
to the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To amend the Children's Online Privacy Protection Act of 1998 to update
and expand the coverage of such Act, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Protecting the
Information of our Vulnerable Children and Youth Act'' or the ``Kids
PRIVCY Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Requirements for processing of covered information of children
or teenagers.
Sec. 4. Repeal of safe harbors provision.
Sec. 5. Administration and applicability of Act.
Sec. 6. Review.
Sec. 7. Private right of action.
Sec. 8. Relationship to other law.
Sec. 9. Additional conforming amendment.
Sec. 10. Implementing regulations.
Sec. 11. Youth Privacy and Marketing Division.
Sec. 12. Commission defined.
Sec. 13. Effective date.
SEC. 2. DEFINITIONS.
Section 1302 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6501) is amended--
(1) by striking paragraphs (5) and (10);
(2) by redesignating paragraphs (2), (3), (4), (6), (7),
(8), and (9) as paragraphs (3), (5), (6), (7), (8), (9), and
(10), respectively;
(3) by inserting after paragraph (1) the following:
``(2) Teenager.--The term `teenager' means an individual
over the age of 12 and under the age of 18.'';
(4) by striking paragraph (3) (as so redesignated) and
inserting the following:
``(3) Covered entity.--The term `covered entity' means--
``(A) any organization, corporation, trust,
partnership, sole proprietorship, unincorporated
association, or venture over which the Commission has
authority pursuant to section 5(a)(2) of the Federal
Trade Commission Act (15 U.S.C. 45(a)(2));
``(B) notwithstanding section 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C. 45(a)(2)),
common carriers; and
``(C) notwithstanding sections 4 and 5(a)(2) of the
Federal Trade Commission Act (15 U.S.C. 44 and
45(a)(2)), any nonprofit organization, including any
organization described in section 501(c) of the
Internal Revenue Code of 1986 that is exempt from
taxation under section 501(a) of the Internal Revenue
Code of 1986.
``(4) Operator.--The term `operator' means, with respect to
a digital service, the covered entity that operates such
service, to the extent the covered entity is engaged in
operating such service or in processing covered information
obtained in connection with such service.'';
(5) by amending paragraph (6) (as so redesignated) to read
as follows:
``(6) Disclose.--The term `disclose' means to intentionally
or unintentionally release, transfer, sell, disseminate, share,
publish, lease, license, make available, allow access to, fail
to restrict access to, or otherwise communicate covered
information.'';
(6) by amending paragraph (9) (as so redesignated) to read
as follows:
``(9) Covered information.--The term `covered
information'--
``(A) means any information, linked or reasonably
linkable to a specific teenager or child, or specific
consumer device of a teenager or child;
``(B) may include--
``(i) a name, alias, home or other physical
address, online identifier, Internet Protocol
address, email address, account name, Social
Security number, physical characteristics or
description, telephone number, State
identification card number, driver's license
number, passport number, or other similar
identifier;
``(ii) actual or perceived race, religion,
sex, sexual orientation, sexual behavior,
familial status, gender identity, disability,
age, political affiliation, or national origin;
``(iii) commercial information, including
records relating to personal property, products
or services purchased, obtained, or considered,
or other purchasing or consuming histories,
interests, or tendencies;
``(iv) biometric information;
``(v) device identifiers, online
identifiers, persistent identifiers, or digital
fingerprinting information;
``(vi) internet or other electronic network
activity information, including browsing
history, search history, and information
regarding a teenager's or child's interaction
with an internet website, application, or
advertisement;
``(vii) geolocation information;
``(viii) audio, electronic, visual,
thermal, olfactory, or similar information;
``(ix) education information;
``(x) health information;
``(xi) facial recognition information;
``(xii) contents of, attachments to, and
parties to information, including with respect
to electronic mail, text messages, picture
messages, voicemails, audio conversations, and
video conversations;
``(xiii) financial information, including
bank account numbers, credit card numbers,
debit card numbers, or insurance policy
numbers; and
``(xiv) inferences drawn from any of the
information described in this paragraph to
create a profile about a teenager or child
reflecting the teenager's or child's
preferences, characteristics, psychological
trends, predispositions, behavior, attitudes,
intelligence, abilities, or aptitudes; and
``(C) does not include--
``(i) information that is processed solely
for the purpose of employment of a teenager; or
``(ii) de-identified information.'';
(7) by amending paragraph (10) (as so redesignated) to read
as follows:
``(10) Verifiable consent.--The term `verifiable consent'
means express, affirmative consent freely given by a teenager,
or by the parent of a child, to the processing of covered
information of that teenager or child, respectively--
``(A) that is specific, informed, and unambiguous,
taking into account the age and the developmental or
cognitive needs and capabilities of the teenager or
parent of a child, as applicable;
``(B) that is given separately for each processing
activity;
``(C) where the teenager or parent of a child, as
applicable, has not received any financial or other
incentive in exchange for such consent;
``(D) that is given before any processing occurs,
at a time and in a context in which the teenager or
parent of a child, as applicable, would reasonably
expect to make choices concerning such processing; and
``(E) that is not obtained through the use of a
design, modification, or manipulation of a user
interface with the purpose or substantial effect of
obscuring, subverting, or impairing user autonomy,
decision making, or choice.''; and
(8) by adding at the end the following:
``(13) Process.--The term `process' means to perform any
operation or set of operations on covered information, whether
or not by automated means, including collecting, creating,
acquiring, disclosing, sharing, classifying, sorting,
recording, deriving, inferring, obtaining, assembling,
organizing, structuring, storing, retaining, adapting or
altering, using, or retrieving covered information.
``(14) De-identified information; re-identify.--
``(A) De-identified information.--The term `de-
identified information' means information that cannot
reasonably be used to infer information about, or
otherwise be linked to, a specific teenager or child or
specific consumer device of a teenager or child, if the
covered entity that possesses the information--
``(i) takes reasonable measures to ensure
that the information cannot be associated with
a teenager or child;
``(ii) publicly commits to maintain and use
the information in de-identified form and not
to attempt to re-identify the information,
except for the purpose of testing the
sufficiency of the de-identification measures;
and
``(iii) contractually obligates any
recipients of the information to comply with
clauses (i) and (ii).
``(B) Re-identify.--The term `re-identify' means to
link information that has been de-identified to a
specific teenager or child or specific consumer device
of a teenager or child.
``(15) State.--The term `State' means each of the several
States, the District of Columbia, each territory of the United
States, and each federally recognized Indian Tribe.
``(16) Service provider.--The term `service provider' means
a covered entity that processes covered information at the
direction of, and for the sole benefit of, another covered
entity, and--
``(A) is contractually or legally prohibited from
processing such covered information for any other
purpose; and
``(B) complies with all of the requirements of this
title and the regulations promulgated under this title.
``(17) Digital service.--The term `digital service' means a
website, online service, online application, mobile
application, or any other service that processes covered
information digitally.
``(18) Children's service.--The term `children's service'
means--
``(A) a digital service or portion thereof that is
directed to children; or
``(B) any other digital service or portion thereof,
if the operator of the service decides to treat all
users of the service or portion, as the case may be, as
children.
``(19) Privacy risk.--The term `privacy risk' means
potential adverse consequences to an individual, group of
individuals, or society arising from the processing of covered
information, including--
``(A) physical harm;
``(B) psychological or emotional harm;
``(C) negative or harmful outcomes or decisions
with respect to an individual's eligibility for rights,
benefits, or opportunities;
``(D) reputational and dignity harm;
``(E) financial harm, including price
discrimination;
``(F) inconvenience or expenditure of time;
``(G) disruption and intrusion from unwanted
communications or contacts;
``(H) other effects that limit an individual's
choices, influence an individual's responses, or
predetermine results or outcomes for that individual;
and
``(I) other demonstrable adverse consequences that
affect an individual's private life, including private
family matters, actions, and communications within an
individual's home or similar physical, online, or
digital location.
``(20) Privacy and security impact assessment and
mitigation (psiam).--
``(A) In general.--The terms `privacy and security
impact assessment and mitigation' and `PSIAM' mean,
with respect to a digital service, an assessment and
mitigation by the operator of the service of risks to
the children and teenagers who access the service that
arise from the processing of covered information,
taking into account privacy risks, security risks, the
rights and best interests of children and teenagers,
differing ages, capacities, and developmental needs of
children and teenagers, and any significant internal or
external emerging risks, and ensuring that the PSIAM
builds in risk mitigation and compliance with the other
requirements of this title.
``(B) Requirements.--In conducting a PSIAM with
respect to a digital service, the operator of the
service shall do the following:
``(i) Embed the PSIAM into the design
process of the service and complete the PSIAM
before the launch of the service and on an
ongoing basis, and before making significant
changes to the processing of covered
information.
``(ii) Publicly disclose the nature, scope,
context, and purposes of the processing of
covered information.
``(iii) Depending on the size of the
service and level of risks identified--
``(I) seek and document the views
of children, teenagers, and parents (or
their representatives), as well as
experts in children's and teenagers'
developmental needs; and
``(II) take such views into account
in the design of the service.
``(iv) Publicly disclose an explanation of
why the operator's processing of covered
information is necessary and proportionate vis
a vis the risks for the service, and how the
operator complies with the requirements of this
title.
``(v) Assess any processing of covered
information that is not in the best interests
of children or teenagers or that can be
detrimental to their wellbeing and safety,
whether physical, emotional, developmental, or
material.
``(vi) Identify, assess, and mitigate high-
risk processing of covered information.
``(vii) Identify measures taken to mitigate
the risks identified under clause (vi) and
comply with the other requirements of this
title.
``(viii) Provide for regular internal
reporting on the effectiveness of controls and
residual risks of the operator.
``(C) Auditable by commission.--The Commission may
audit a PSIAM conducted by an operator as the
Commission considers necessary.
``(21) Directed to children.--
``(A) In general.--The term `directed to children'
means, with respect to a digital service, that the
digital service is targeted to or attractive to
children, as demonstrated by--
``(i) the subject matter of the digital
service;
``(ii) the visual content of the digital
service;
``(iii) the use of animated characters or
child-oriented activities for children, and
related incentives, on the digital service;
``(iv) the music or other audio content on
the digital service;
``(v) the age of models on the digital
service;
``(vi) the presence on the digital service
of--
``(I) child celebrities; or
``(II) celebrities who appeal to
children;
``(vii) the language used on the digital
service;
``(viii) advertising content used on, or
used to advertise, the digital service;
``(ix) reliable empirical evidence relating
to--
``(I) the composition of the
audience of the digital service,
including--
``(aa) data the operator of
the digital service may
directly or indirectly collect,
use, profile, buy, sell,
classify, or analyze (via
algorithms or other forms of
data analytics, including look-
alike modeling) about a user or
groups of users to estimate,
identify, or classify the age
or age range (or a proxy
thereof) of such user or groups
of users;
``(bb) advertising
information or results, such as
data, reporting, or information
from the internal
communications of the operator
of the digital service,
including documentation about
its advertising practices, such
as an advertisement insertion
order, or other promotional
material to marketers, that
indicates that covered
information is being collected
from children that are using
the digital service;
``(cc) data or reporting
from the general or trade press
of the digital service
indicating that children are
using the digital service;
``(dd) complaints from
parents or other third parties
about child users using the
digital service, whether
through the complaint mechanism
of the digital service, by
email, or by other means; and
``(ee) data or reporting
from a privacy and security
impact assessment and
mitigation, compliance program,
or other compliance, risk
management, or internal process
that documents privacy risks
and controls related to
children's privacy, including
the existence of data analytics
controlled by the operator of
the digital service, including
those of service providers, and
content analytics capabilities
and functions or outputs; and
``(II) the intended audience of the
digital service, including data the
operator of the digital service
directly or indirectly collects, uses,
profiles, buys, sells, classifies, or
analyzes (via algorithms or other forms
of data analytics, including look-alike
modeling) about the nature of the
content of the digital service that
estimates, identifies, or classifies
the content as child-directed or
similarly estimates, identifies, or
classifies the intended or likely
audience for the content; or
``(x) any other evidence or circumstances
the Commission determines appropriate.
``(B) Covered information from other services.--A
digital service shall be deemed to be directed to
children if the operator of the digital service has
actual or constructive knowledge that the digital
service collects covered information directly from
users of any other digital service that is directed to
children under the criteria described in subparagraph
(A).
``(C) Signals from third parties.--A digital
service shall be deemed directed to children if the
digital service receives a signal from a third party
indicating that the digital service is intended for
children or likely to appeal to children, whether
directly or using a flag or other formal industry
standard or convention.
``(D) Limitation.--A digital service that does not
target children as its primary audience shall not be
deemed directed to children if the digital service--
``(i) does not collect covered information
from any visitor prior to collecting age
information; and
``(ii) prevents the collection, use, or
disclosure of covered information from visitors
who identify themselves as under age 13 without
first complying with the notice and parental
consent provisions of this title and the
regulations promulgated under this title.
``(E) Further limitation.--A digital service shall
not be deemed directed to children solely because the
digital service refers or links to another digital
service that is directed to children by using
information location tools, including a directory,
index, reference, pointer, or hypertext link.
``(F) Determination regarding a portion of a
digital service.--For purposes of determining whether a
portion of a digital service is directed to children,
any reference in this paragraph to a digital service
shall be considered to refer to such portion.
``(22) Likely to be accessed by children or teenagers.--The
term `likely to be accessed by children or teenagers' means,
with respect to a digital service, that the possibility of more
than a de minimis number of children or teenagers accessing the
digital service is more probable than not. In determining
whether a digital service is likely to be accessed by children
or teenagers, the operator of the service shall consider
whether the service has particular appeal to children or
teenagers and whether effective measures (such as age gating)
are in place that prevent children or teenagers from gaining
access to the service.
``(23) Age assurance.--The term `age assurance' means a
verifiable process to estimate or determine the age of a user
of a digital service with a given and documented degree of
certainty.
``(24) Age gate.--The term `age gate' means to use a
verifiable process that meets a documented degree of certainty
to restrict or block access to a digital service for users that
do not meet an age requirement.''.
SEC. 3. REQUIREMENTS FOR PROCESSING OF COVERED INFORMATION OF CHILDREN
OR TEENAGERS.
(a) In General.--Section 1303 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6502) is amended to read as follows:
``SEC. 1303. REQUIREMENTS FOR PROCESSING OF COVERED INFORMATION OF
CHILDREN OR TEENAGERS.
``(a) Requirements for Children's Services.--
``(1) Data minimization.--An operator of a children's
service shall process covered information under the principle
of data minimization, requiring the operator to only process
the minimum amount necessary for a specified purpose.
``(2) Transparency.--An operator of a children's service
shall develop and make publicly available, at all times and in
a machine-readable format, a privacy policy, in a manner that
is clear, easily understood, and written in plain and concise
language, that includes--
``(A) the categories of covered information that
the operator processes about teenagers and children;
``(B) how and under what circumstances covered
information is collected directly from a teenager or
child;
``(C) the categories and the sources of any covered
information processed by the operator that is not
collected directly from a teenager or child;
``(D) a description of the purposes for which the
operator processes covered information, including--
``(i) a description of whether and how the
operator customizes products or services, or
adjusts the prices of products or services for
teenagers or children or based in any part on
processing of covered information;
``(ii) a description of whether and how the
operator, or the operator's affiliates or
service providers, de-identifies information,
including the methods used to de-identify such
information; and
``(iii) a description of whether and how
the operator, or the operator's affiliates or
service providers, generates or uses any
consumer score to make decisions concerning a
teenager or child, and the source or sources of
any such consumer score;
``(E) a description of how long and the
circumstances under which the operator retains covered
information;
``(F) a description of all of the purposes for
which the operator discloses covered information to
service providers and, on a biennial basis, the
categories of service providers;
``(G) a description of whether and for what
purposes the operator discloses covered information to
third parties, and the categories of covered
information disclosed;
``(H) a description of the categories of third
parties to which covered information described in
subparagraph (G) is disclosed, by category or
categories of covered information for each category of
third party to which the covered information is
disclosed;
``(I) whether the operator discloses covered
information to data brokers;
``(J) whether the operator collects covered
information about teenagers or children over time and
across different digital services when a teenager or
child uses the operator's digital service;
``(K) how a teenager or a parent of a child can
exercise their rights to access, correct, and delete
such teenager's or child's covered information as set
forth in paragraph (6);
``(L) a listing of all possible consents that may
be obtained by the operator for the processing of
covered information, how a teenager or the parent of a
child can grant, withhold, withdraw, or modify any such
consent, and the consequences of withholding,
withdrawing, or modifying any such consent;
``(M) the effective date of the notice; and
``(N) how the operator will communicate material
changes of the privacy policy to the teenager or the
parent of a child.
``(3) Consent required.--
``(A) In general.--An operator of a children's
service shall--
``(i) provide clear and concise notice to a
teenager or the parent of a child of the items
of covered information about such teenager or
child, respectively, that is processed by such
operator and how such operator processes such
covered information and obtain verifiable
consent for such processing; and
``(ii) if such operator determines,
including through actual or constructive
knowledge, that such operator has not obtained
verifiable consent for any specific processing
of covered information about a teenager or
child, not later than 48 hours after such
determination--
``(I) obtain verifiable consent; or
``(II) delete all covered
information about such teenager or
child.
``(B) When consent not required.--Verifiable
consent under this paragraph is not required in the
case of--
``(i) online contact information collected
from a teenager or child that--
``(I) is used only to respond
directly on a one-time basis to a
specific request from the teenager or
child;
``(II) is not used to re-contact
the teenager or child; and
``(III) is not retained by the
operator after responding as described
in subclause (I);
``(ii) a request for the name or online
contact information of a teenager or the parent
of a child that is used for the sole purpose of
obtaining verifiable consent or providing
notice under subparagraph (A)(i), where such
information is not retained by the operator if
verifiable consent is not obtained within 48
hours; or
``(iii) the processing of covered
information that is necessary--
``(I) to respond to judicial
process; or
``(II) to the extent permitted
under other provisions of law, to
provide information to law enforcement
agencies or for an investigation on a
matter related to public safety.
``(C) Withdrawal of consent.--
``(i) Mechanism for withdrawal.--An
operator of a children's service shall provide
a teenager or the parent of a child, as
applicable--
``(I) a mechanism to withdraw
consent to the processing of covered
information at any time in a manner
that is as easy as the mechanism to
give consent; and
``(II) clear and conspicuous notice
of the mechanism required by subclause
(I).
``(ii) Effect of withdrawal on prior
processing.--Withdrawal of consent to the
processing of covered information shall not be
construed to affect the lawfulness of any
processing of covered information based on
verifiable consent that was in effect before
such withdrawal.
``(D) Prohibition on limiting or discontinuing
service.--An operator of a children's service may not
refuse to provide a service, or discontinue a service
provided, to a teenager or child, if the teenager or
parent of the child, as applicable, refuses to consent,
or withdraws consent, to the processing of any covered
information not technically required for the operator
to provide such service.
``(4) Retention of data.--
``(A) Retention limitations.--Subject to the
exceptions provided in subparagraph (B), an operator of
a children's service may not keep, retain, or otherwise
store covered information for longer than is reasonably
necessary for the purposes for which the covered
information is processed.
``(B) Exceptions.--Further retention of covered
information shall not be considered to be incompatible
with the purposes of processing described in
subparagraph (A) if such processing is necessary and
done solely for the purposes of--
``(i) compliance with--
``(I) requirements to document
compliance under this title; or
``(II) other laws, regulations, or
legal obligations;
``(ii) preventing risks to the health or
safety of a child or teenager or groups of
children or teenagers; or
``(iii) repairing errors that impair
existing functionality.
``(5) Limitation on disclosing covered information to third
parties.--
``(A) Disclosures.--An operator of a children's
service may not disclose covered information to a third
party unless the operator has a written agreement with
such third party that--
``(i) specifies all of the purposes for
which the third party may process the covered
information for which the operator has
verifiable consent;
``(ii) prohibits the third party from
processing covered information for any purpose
other than the purposes specified under clause
(i); and
``(iii) requires the third party to provide
at least the same privacy and security
protections as the operator.
``(B) Responsibilities of operators regarding third
parties.--An operator of a children's service--
``(i) shall perform reasonable due
diligence in selecting any third party with
which to enter into an agreement described in
subparagraph (A) and shall exercise reasonable
oversight over all such third parties to assure
compliance with the requirements of this title
and the regulations promulgated under this
title; and
``(ii) if the operator has actual or
constructive knowledge that a third party has
violated an agreement described in subparagraph
(A), shall--
``(I) to the extent practicable,
promptly take steps to ensure
compliance with such agreement; and
``(II) promptly report to the
Commission that such a violation
occurred.
``(6) Right to access, correct, and delete covered
information.--
``(A) Access.--An operator of a children's service,
subject to the exceptions in subparagraph (D), shall,
upon request of a teenager or the parent of a child and
after proper identification of such teenager or parent,
promptly provide to such teenager or parent, as
applicable--
``(i) access to all covered information
processed by the operator pertaining to such
teenager or child, including a description of--
``(I) each type of covered
information processed by the operator
pertaining to the teenager or child, as
applicable;
``(II) each purpose for which the
operator processes each category of
covered information pertaining to the
teenager or child, as applicable;
``(III) the names of each third
party to which the operator disclosed
the covered information;
``(IV) each source other than the
teenager or child, as applicable, from
which the operator obtained covered
information pertaining to that teenager
or child, as applicable;
``(V) how long the covered
information will be retained or stored
by the operator and, if not known, the
criteria the operator uses to determine
how long the covered information will
be retained or stored by the operator;
and
``(VI) with respect to any score of
the teenager or child, as applicable,
processed by the operator--
``(aa) how such score is
used by the operator to make
decisions with respect to that
teenager or child, as
applicable; and
``(bb) the source that
created the score if not
created by the operator; and
``(ii) a simple and reasonable mechanism by
which a teenager or parent of a child may
request access to the information described
under clause (i), as applicable.
``(B) Deletion.--An operator of a children's
service, subject to the exceptions in subparagraph (D),
shall--
``(i) establish a simple, publicly and
easily accessible, and reasonable mechanism by
which a teenager or parent of a child with
respect to whom the operator processes covered
information may request the operator to delete
any such covered information (or any component
thereof), including publicly available covered
information submitted to the service by the
child or teenager; and
``(ii) delete such covered information not
later than 45 days after receiving such
request.
``(C) Correction.--An operator of a children's
service, subject to the exceptions in subparagraph (D),
shall--
``(i) provide each teenager or parent of a
child with respect to whom the operator
processes covered information, as applicable, a
simple, publicly and easily accessible, and
reasonable mechanism by which that teenager or
parent may submit a request to the operator--
``(I) to dispute the accuracy or
completeness of that covered
information, or part or component
thereof; and
``(II) to request that such covered
information, or part or component
thereof, be corrected for accuracy or
completeness; and
``(ii) not later than 45 days after
receiving a request under clause (i)--
``(I) determine whether the covered
information disputed or requested to be
corrected is inaccurate or incomplete;
and
``(II) correct the accuracy or
completeness of any covered information
determined by the operator to be
inaccurate or incomplete.
``(D) Exceptions.--An operator of a children's
service may deny a request made under subparagraph (A),
(B), or (C) if--
``(i) the operator is unable to verify the
identity of the teenager or parent of a child
making the request after making a reasonable
effort to verify the identity of such teenager
or parent;
``(ii) with respect to the request made,
the operator determines that--
``(I) the operator is limited from
fulfilling the request by law, legally
recognized privilege, or other legal
obligation; or
``(II) fulfilling the request would
create a legitimate risk to the
privacy, security, or safety of someone
other than the teenager or child, as
applicable;
``(iii) with respect to a request to delete
covered information made under subparagraph (B)
or a request to correct covered information
made under subparagraph (C), the operator
determines that the retention of the covered
information is necessary to--
``(I) complete the transaction with
the teenager or child, as applicable,
for which the covered information was
collected;
``(II) provide a product or service
affirmatively requested by the teenager
or parent of a child, as applicable;
``(III) perform a contract with the
teenager or a parent of a child, as
applicable, including a contract for
billing, financial reporting, or
accounting;
``(IV) keep a record of the covered
information for law enforcement
purposes; or
``(V) identify and repair errors
that impair the functionality of the
children's service; or
``(iv) the covered information is used in
public or peer-reviewed scientific, medical, or
statistical research in the public interest
that adheres to commonly accepted ethical
standards or laws, with informed consent
consistent with section 50.20 of title 21, Code
of Federal Regulations, if the research is
already in progress at the time when the
request to access, delete, or correct is made
under subparagraph (A), (B), or (C).
``(E) Prohibition on limiting or discontinuing
service.--An operator of a children's service may not
refuse to provide a service, or discontinue a service
provided, to a teenager or child, if the teenager or
parent of the child, as applicable, exercises any of
the rights set forth in this paragraph.
``(7) Additional prohibited practices with respect to
teenagers and children.--
``(A) In general.--An operator of a children's
service may not--
``(i) process any covered information in a
manner that is inconsistent with what a
reasonable teenager or parent of a child would
expect in the context of a particular
transaction or the teenager's or parent's
relationship with such operator, or seek to
obtain verifiable consent for such processing;
``(ii) process any covered information in a
manner that is harmful or has been shown to be
detrimental to the well-being of children or
teenagers;
``(iii) process covered information for the
purpose of providing for targeted personalized
advertising or engage in other marketing to a
specific child or teenager or group of children
or teenagers based on--
``(I) using the covered
information, online behavior, or group
identifiers of such child or teenager
or of the children or teenagers in such
group; or
``(II) using the covered
information or online behavior of
children or teenagers who share
characteristics with such child or
teenager or with the children or
teenagers in such group, including
income level or protected
characteristics or proxies thereof;
``(iv) condition the participation of a
child or teenager in a game, sweepstakes, or
other contest on consenting to the processing
of more covered information than is necessary
for such child or teenager to participate;
``(v) engage in cross-device tracking of a
child or teenager unless the child or teenager
is logged-in to a specific service, for the
sole purpose of facilitating the primary
purpose of the good or service or a specific
feature thereof;
``(vi) engage in algorithmic processes that
discriminate on the basis of race, age, gender,
ability, or other protected characteristics;
``(vii) disclose biometric information;
``(viii) disclose geolocation information;
or
``(ix) collect geolocation information by
default or without making it clear to a user
when geolocation tracking is in effect.
``(B) Exceptions.--Nothing in subparagraph (A)
shall prohibit an operator from processing covered
information if necessary solely for purposes of--
``(i) detecting and preventing security
incidents;
``(ii) preventing imminent danger to the
personal safety of an individual or group of
individuals;
``(iii) identifying and repairing errors
that impair the core functionality of the
children's service; or
``(iv) complying with any Federal, State,
or local law, rule, regulation, or other legal
obligation, including civil, criminal, or
regulatory inquiries, investigations,
subpoenas, or court orders or other properly
executed compulsory process requiring the
disclosure of information.
``(8) Security requirements.--
``(A) In general.--An operator of a children's
service shall establish and implement reasonable
security policies, practices, and procedures for the
treatment and protection of covered information, taking
into consideration--
``(i) the size, nature, scope, and
complexity of the activities engaged in by such
operator;
``(ii) the sensitivity of any covered
information at issue;
``(iii) the state of the art in
administrative, technical, and physical
safeguards for protecting such information; and
``(iv) the cost of implementing such
policies, practices, and procedures.
``(B) Specific requirements.--The policies,
practices, and procedures established by an operator
under subparagraph (A) shall include the following:
``(i) A written security policy with
respect to the processing of such covered
information.
``(ii) The identification of an officer or
other individual as the point of contact with
responsibility for the management of
information security.
``(iii) A process for identifying and
assessing any reasonably foreseeable
vulnerabilities in the system or systems
maintained by such operator that contains such
covered information, including regular
monitoring for a breach of security of such
system or systems.
``(iv) A process for taking preventive and
corrective action to mitigate against any
vulnerabilities identified in the process
required by clause (iii), which may include--
``(I) implementing any changes to
the security practices, architecture,
installation, or implementation of
network or operating software; and
``(II) regular testing or otherwise
monitoring the effectiveness of the
safeguards.
``(v) A process for determining if the
covered information is no longer needed and
deleting such covered information by shredding,
permanently erasing, or otherwise modifying the
covered information to make such covered
information permanently unreadable or
indecipherable.
``(vi) A process for overseeing persons who
have access to covered information, including
through internet-connected devices, by--
``(I) taking reasonable steps to
select and retain persons that are
capable of maintaining appropriate
safeguards for the covered information
or internet-connected devices at issue;
and
``(II) requiring all such persons
to implement and maintain such security
measures.
``(vii) A process for employee training and
supervision for implementation of the policies,
practices, and procedures required by this
subsection.
``(viii) A written plan or protocol for
internal and public response in the event of a
breach of security.
``(C) Periodic assessment and consumer privacy and
data security modernization.--An operator of a
children's service shall, not less frequently than
every 12 months, monitor, evaluate, and adjust, as
appropriate, the policies, practices, and procedures of
such operator in light of any relevant changes in--
``(i) technology;
``(ii) internal or external threats and
vulnerabilities to covered information; and
``(iii) the changing business arrangements
of the operator.
``(D) Submission of policies to the ftc.--An
operator of a children's service shall submit the
policies, practices, and procedures established by the
operator under subparagraph (A) to the Commission in
conjunction with a notification of a breach of security
required by any Federal or State statute or regulation
or upon request of the Commission.
``(b) Rulemaking Regarding Requirements for Digital Services Likely
To Be Accessed by Children or Teenagers.--
``(1) In general.--The Commission shall promulgate
regulations under section 553 of title 5, United States Code,
that contain requirements for operators of digital services
that are not children's services but are likely to be accessed
by children or teenagers, which shall be based on the
requirements of subsection (a) but modified as the Commission
considers appropriate given a risk-based approach to determine
age and to determine and mitigate privacy risks and security
risks to the child or teenager, and given differing
developmental needs and cognitive capacities of children or
teenagers. The Commission may include in such regulations
different requirements for operators of different types of such
services.
``(2) Best interests of child or teenager.--The regulations
promulgated under paragraph (1) shall require an operator to
make the best interests of children and teenagers a primary
design consideration when designing its service, including by
conducting a privacy and security impact assessment and
mitigation for the service, addressing all privacy risks to
children and teenagers which arise from the processing of
covered information, taking into account the best interests of
children and teenagers.
``(3) Risk-based approach to determining age of user.--
``(A) In general.--The regulations promulgated
under paragraph (1) shall require a risk-based approach
to determining the age of a specific user of a digital
service under which higher privacy risks and security
risks from the processing of covered information
require a higher certainty of age assurance.
``(B) Age assurance.--The regulations promulgated
under paragraph (1) shall require an operator to
conduct an age assurance to determine the age of each
specific user.
``(C) Approval of age assurance mechanisms.--The
Commission shall establish in the regulations
promulgated under paragraph (1) a process under which
an operator may obtain the approval of the Commission
of particular mechanisms of age assurance as meeting
the age assurance requirements of such regulations for
particular levels of privacy risks.
``(D) Data minimization.--The regulations required
by paragraph (1) shall provide that any data collected
for age assurance shall be the minimal amount necessary
and destroyed immediately or as determined by the
Commission, but consistent with standards that still
allow for auditing and compliance.
``(c) Prohibition on Certain Advertising or Marketing for Digital
Services Likely To Be Accessed by Children or Teenagers.--An operator
of a digital service that is likely to be accessed by children or
teenagers may not process covered information for the purpose of
providing for targeted personalized advertising or engage in other
marketing to a specific child or teenager or group of children or
teenagers based on--
``(1) using the covered information, online behavior, or
group identifiers of such child or teenager or of the children
or teenagers in such group; or
``(2) using the covered information or online behavior of
children or teenagers who share characteristics with such child
or teenager or with the children or teenagers in such group,
including income level or protected characteristics or proxies
thereof.
``(d) Enforcement.--Subject to section 1306, a violation of this
section or a regulation promulgated under this section shall be treated
as a violation of a rule defining an unfair or deceptive act or
practice prescribed under section 18(a)(1)(B) of the Federal Trade
Commission Act (15 U.S.C. 57a(a)(1)(B)).''.
(b) Conforming Amendments.--Section 1305 of the Children's Online
Privacy Protection Act of 1998 (15 U.S.C. 6504) is amended--
(1) in subsection (a)(1)--
(A) by striking ``any regulation of the Commission
prescribed under section 1303(b)'' and inserting
``section 1303 or a regulation promulgated under such
section''; and
(B) in subparagraph (B), by striking ``the
regulation'' and inserting ``such section or such
regulation''; and
(2) in subsection (d)--
(A) by striking ``any regulation prescribed under
section 1303'' and inserting ``section 1303 or a
regulation promulgated under such section''; and
(B) by striking ``that regulation'' and inserting
``such section or such regulation''.
SEC. 4. REPEAL OF SAFE HARBORS PROVISION.
(a) In General.--Section 1304 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6503) is repealed.
(b) Conforming Amendment.--Section 1305(b) of the Children's Online
Privacy Protection Act of 1998 (15 U.S.C. 6504(b)) is amended by
striking paragraph (3).
SEC. 5. ADMINISTRATION AND APPLICABILITY OF ACT.
(a) Enforcement by Federal Trade Commission.--Section 1306(d) of
the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6505(d)) is amended to read as follows:
``(d) Actions by the Commission.--
``(1) In general.--Except as provided in paragraphs (2) and
(3), the Commission shall prevent any person from violating
section 1303 or a regulation promulgated under such section in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all applicable terms
and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this
title, and any entity that violates such section or such
regulation shall be subject to the penalties and entitled to
the privileges and immunities provided in the Federal Trade
Commission Act in the same manner, by the same means, and with
the same jurisdiction, power, and duties as though all
applicable terms and provisions of the Federal Trade Commission
Act were incorporated into and made a part of this title.
``(2) Increased civil penalty amount.--In the case of a
civil penalty under subsection (l) or (m) of section 5 of the
Federal Trade Commission Act (15 U.S.C. 45) relating to acts or
practices in violation of section 1303 or a regulation
promulgated under such section, the maximum dollar amount per
violation shall be $63,795.
``(3) Nature of relief available.--In any action commenced
by the Commission under subsection (a) of section 19 of the
Federal Trade Commission Act (15 U.S.C. 57b) to enforce section
1303 of this title or a regulation promulgated under such
section, the Commission shall seek all appropriate relief
described in subsection (b) of such section 19, and may,
notwithstanding such subsection, seek any exemplary or punitive
damages.''.
(b) Enforcement by Certain Other Agencies.--Section 1306 of the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is
amended--
(1) in subsection (b)--
(A) in paragraph (1), by striking ``, in the case
of'' and all that follows and inserting the following:
``by the appropriate Federal banking agency, with
respect to any insured depository institution (as those
terms are defined in section 3 of that Act (12 U.S.C.
1813));'';
(B) in paragraph (6), by striking ``Federal land
bank, Federal land bank association, Federal
intermediate credit bank, or production credit
association'' and inserting ``Farm Credit Bank,
Agricultural Credit Bank (to the extent exercising the
authorities of a Farm Credit Bank), Federal Land Credit
Association, or agricultural credit association''; and
(C) by striking paragraph (2) and redesignating
paragraphs (3) through (6) as paragraphs (2) through
(5), respectively; and
(2) in subsection (c), by striking ``subsection (a)'' each
place it appears and inserting ``subsection (b)''.
SEC. 6. REVIEW.
Section 1307 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6506) is amended--
(1) in the matter preceding paragraph (1), by striking
``the regulations initially issued under section 1303'' and
inserting ``the regulations issued under section 10(a) of the
Protecting the Information of our Vulnerable Children and Youth
Act (relating to the implementation of the amendments made by
such Act to this title)''; and
(2) by amending paragraph (1) to read as follows:
``(1) review the implementation of this title, including
the effect of the implementation of this title on practices
relating to the processing of covered information about
teenagers or children and teenager's and children's ability to
obtain access to information of their choice online; and''.
SEC. 7. PRIVATE RIGHT OF ACTION.
The Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501 et seq.) is amended--
(1) by redesignating sections 1307 and 1308 as sections
1308 and 1309, respectively; and
(2) by inserting after section 1306 the following:
``SEC. 1307. PRIVATE RIGHT OF ACTION.
``(a) Right of Action.--Any parent of a teenager or parent of a
child alleging a violation of section 1303 or a regulation promulgated
under such section with respect to the covered information of such
teenager or child may bring a civil action in any court of competent
jurisdiction.
``(b) Injury in Fact.--A violation of section 1303 or a regulation
promulgated under such section with respect to the covered information
of a teenager or child constitutes an injury in fact to that teenager
or child.
``(c) Relief.--In a civil action brought under subsection (a) in
which the plaintiff prevails, the court may award--
``(1) injunctive relief;
``(2) actual damages;
``(3) punitive damages;
``(4) reasonable attorney's fees and costs; and
``(5) any other relief that the court determines
appropriate.
``(d) Pre-Dispute Arbitration Agreements.--
``(1) In general.--No pre-dispute arbitration agreement or
pre-dispute joint-action waiver shall be valid or enforceable
with respect to any claim arising under section 1303 or a
regulation promulgated under such section.
``(2) Determination.--A determination as to whether and how
this title or a regulation promulgated under this title applies
to an arbitration agreement shall be determined under Federal
law by the court, rather than the arbitrator, irrespective of
whether the party opposing arbitration challenges such
agreement specifically or in conjunction with any other term of
the contract containing such agreement.
``(3) Definitions.--As used in this subsection--
``(A) the term `pre-dispute arbitration agreement'
means any agreement to arbitrate a dispute that has not
arisen at the time of the making of the agreement; and
``(B) the term `pre-dispute joint-action waiver'
means an agreement, whether or not part of a
pre-dispute arbitration agreement, that would prohibit, or
waive the right of, one of the parties to the agreement
to participate in a joint, class, or collective action
in a judicial, arbitral, administrative, or other
forum, concerning a dispute that has not yet arisen at
the time of the making of the agreement.
``(e) Non-Waiveability.--The rights and remedies provided under
this title may not be waived or limited by contract or otherwise.''.
SEC. 8. RELATIONSHIP TO OTHER LAW.
Section 1306 of the Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6505) is further amended by adding at the end the
following:
``(f) Relationship to Other Law.--
``(1) Other federal privacy or security provisions.--
Nothing in this title or a regulation promulgated under this
title may be construed to modify, limit, or supersede the
operation of any privacy or security provision in any other
Federal statute or regulation.
``(2) State law.--Nothing in this title or a regulation
promulgated under this title may be construed to preempt,
displace, or supplant any State common law or statute, except
to the extent that any such common law or statute specifically
and directly conflicts with the provisions of this title or a
regulation promulgated under this title, and then only to the
extent of the specific and direct conflict. Any such common law
or statute is not in specific and direct conflict if it affords
a greater level of protection to a child or teenager than the
provisions of this title or a regulation promulgated under this
title.
``(3) Section 230 of the communications act of 1934.--
Nothing in section 230 of the Communications Act of 1934 (47
U.S.C. 230) may be construed to impair or limit the provisions
of this title or a regulation promulgated under this title.''.
SEC. 9. ADDITIONAL CONFORMING AMENDMENT.
The heading of title XIII of division C of the Omnibus Consolidated
and Emergency Supplemental Appropriations Act, 1999 (Public Law
105-277; 112 Stat. 2681-728) is amended by inserting ``AND TEENAGER'S''
after ``CHILDREN'S''.
SEC. 10. IMPLEMENTING REGULATIONS.
(a) In General.--Not later than 1 year after the date of the
enactment of this Act, the Commission shall promulgate regulations
under section 553 of title 5, United States Code, to implement the
amendments made by this Act, including the regulations required by
subsection (b) of section 1303 of the Children's Online Privacy
Protection Act of 1998, as amended by this Act.
(b) Review and Revision.--Not later than 10 years after the date on
which the Commission promulgates the regulations required by subsection
(a), the Commission shall review such regulations and, if the
Commission considers revisions to such regulations appropriate,
promulgate such revisions under section 553 of title 5, United States
Code.
SEC. 11. YOUTH PRIVACY AND MARKETING DIVISION.
(a) Establishment.--There is established within the Commission a
division to be known as the Youth Privacy and Marketing Division.
(b) Director.--The Youth Privacy and Marketing Division shall be
headed by a Director, who shall be appointed by the Chairman of the
Commission.
(c) Duties.--The Youth Privacy and Marketing Division shall be
responsible for addressing, as it relates to this Act and the
amendments made by this Act--
(1) the privacy of children and teenagers; and
(2) marketing directed at children and teenagers.
(d) Staff.--The Director of the Youth Privacy and Marketing
Division shall hire adequate staff to carry out the duties under
subsection (c), including individuals who are experts in data
protection, digital advertising, data analytics, and youth development.
(e) Reports.--Not later than 1 year after the date of the enactment
of this Act, and each year thereafter, the Director of the Youth
Privacy and Marketing Division shall submit to the Committee on
Commerce, Science, and Transportation of the Senate and the Committee
on Energy and Commerce of the House of Representatives a report that
includes--
(1) a description of the work of the Youth Privacy and
Marketing Division on emerging concerns relating to youth
privacy and marketing practices; and
(2) an assessment of how effectively the Commission has,
during the period for which the report is submitted, addressed
youth privacy and marketing practices.
(f) Definitions.--In this section, the terms ``child'' and
``teenager'' have the meanings given such terms in section 1302 of the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501), as
amended by this Act.
SEC. 12. COMMISSION DEFINED.
In this Act, the term ``Commission'' means the Federal Trade
Commission.
SEC. 13. EFFECTIVE DATE.
The amendments made by this Act shall take effect on the date that
is 1 year after the Commission promulgates the regulations required by
section 10(a).