[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1418 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  1st Session
                                S. 1418

   To amend the Children's Online Privacy Protection Act of 1998 to 
  strengthen protections relating to the online collection, use, and 
disclosure of personal information of children and teens, and for other 
                               purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 3, 2023

Mr. Markey (for himself and Mr. Cassidy) introduced the following bill; 
    which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To amend the Children's Online Privacy Protection Act of 1998 to 
  strengthen protections relating to the online collection, use, and 
disclosure of personal information of children and teens, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Children and 
Teens' Online Privacy Protection Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Online collection, use, and disclosure of personal information 
                            of children and teens.
Sec. 4. Fair Information Practices Principles.
Sec. 5. Digital Marketing Bill of Rights for Teens.
Sec. 6. Targeted marketing to children or teens.
Sec. 7. Removal of content.
Sec. 8. Rule for treatment of users of websites, services, and 
                            applications directed to children or teens.
Sec. 9. Study of mobile and online application oversight.
Sec. 10. Youth Privacy and Marketing Division.
Sec. 11. Enforcement and applicability.
Sec. 12. GAO study.

SEC. 2. DEFINITIONS.

    (a) In General.--In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Standards.--The term ``standards'' means benchmarks, 
        guidelines, best practices, methodologies, procedures, and 
        processes.
    (b) Other Definitions.--The definitions set forth in section 1302 
of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 
6501), as amended by section 3(a) of this Act, shall apply in this Act, 
except to the extent the Commission provides otherwise by regulations 
issued under section 553 of title 5, United States Code.

SEC. 3. ONLINE COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION 
              OF CHILDREN AND TEENS.

    (a) Definitions.--Section 1302 of the Children's Online Privacy 
Protection Act of 1998 (15 U.S.C. 6501) is amended--
            (1) by amending paragraph (2) to read as follows:
            ``(2) Operator.--The term `operator'--
                    ``(A) means any person--
                            ``(i) who, for commercial purposes, in 
                        interstate or foreign commerce operates or 
                        provides a website on the internet, an online 
                        service, an online application, a mobile 
                        application, or a connected device; and
                            ``(ii) who--
                                    ``(I) collects or maintains, either 
                                directly or through a service provider, 
                                personal information from or about the 
                                users of that website, service, 
                                application, or connected device;
                                    ``(II) allows another person to 
                                collect personal information directly 
                                from users of that website, service, 
                                application, or connected device (in 
                                which case, the operator is deemed to 
                                have collected the information); or
                                    ``(III) allows users of that 
                                website, service, application, or 
                                connected device to publicly disclose 
                                personal information (in which case, 
                                the operator is deemed to have 
                                collected the information); and
                    ``(B) does not include any nonprofit entity that 
                would otherwise be exempt from coverage under section 5 
                of the Federal Trade Commission Act (15 U.S.C. 45).'';
            (2) in paragraph (4)--
                    (A) by amending subparagraph (A) to read as 
                follows:
                    ``(A) the release of personal information collected 
                from a child or teen for any purpose, except where the 
                personal information is provided to a person other than 
                an operator who--
                            ``(i) provides support for the internal 
                        operations of the website, online service, 
                        online application, mobile application, or 
                        connected device of the operator, excluding any 
                        activity relating to targeted marketing 
                        directed to children, teens, or connected 
                        devices; and
                            ``(ii) does not disclose or use that 
                        personal information for any other purpose; 
                        and''; and
                    (B) in subparagraph (B)--
                            (i) by inserting ``or teen'' after 
                        ``child'' each place the term appears;
                            (ii) by inserting ``or teens'' after 
                        ``children''; and
                            (iii) by striking ``website or online 
                        service'' and inserting ``website, online 
                        service, online application, mobile 
                        application, or connected device'';
            (3) in paragraph (8), by striking subparagraphs (F) and (G) 
        and inserting the following:
                    ``(F) geolocation information;
                    ``(G) information generated from the measurement or 
                technological processing of an individual's biological, 
                physical, or physiological characteristics, including--
                            ``(i) fingerprints;
                            ``(ii) voice prints;
                            ``(iii) iris or retina imagery scans;
                            ``(iv) facial imagery or templates;
                            ``(v) deoxyribonucleic acid (DNA) 
                        information; or
                            ``(vi) gait;
                    ``(H) information reasonably associated with or 
                attributed to a child or teen;
                    ``(I) information (including an internet protocol 
                address) that permits the identification of--
                            ``(i) an individual; or
                            ``(ii) any device used by an individual to 
                        directly or indirectly access the internet or 
                        an online service, online application, mobile 
                        application, or connected device; or
                    ``(J) information concerning a child or teen or the 
                parents of that child or teen (including any unique or 
                substantially unique identifier, such as a customer 
                number) that an operator collects online from the child 
                or teen and combines with an identifier described in 
                this paragraph.'';
            (4) by amending paragraph (9) to read as follows:
            ``(9) Verifiable consent.--The term `verifiable consent' 
        means any reasonable effort (taking into consideration 
        available technology), including a request for authorization 
        for future collection, use, and disclosure described in the 
        notice, to ensure that, in the case of a child, a parent of the 
        child, or, in the case of a teen, the teen--
                    ``(A) receives specific notice of the personal 
                information collection, use, and disclosure practices 
                of the operator; and
                    ``(B) before the personal information of the child 
                or teen is collected, freely and unambiguously 
                authorizes--
                            ``(i) the collection, use, and disclosure, 
                        as applicable, of that personal information; 
                        and
                            ``(ii) any subsequent use of that personal 
                        information.'';
            (5) by striking paragraph (10) and redesignating paragraphs 
        (11) and (12) as paragraphs (10) and (11), respectively; and
            (6) by adding at the end the following:
            ``(12) Connected device.--The term `connected device' means 
        a device that is capable of connecting to the internet, 
        directly or indirectly, or to another connected device.
            ``(13) Online application.--The term `online application'--
                    ``(A) means an internet-connected software program; 
                and
                    ``(B) includes a service or application offered via 
                a connected device.
            ``(14) Online service.--
                    ``(A) In general.--The term `online service' means 
                a mass-market retail service by wire or radio that 
                provides the capability to transmit data and receive 
                data from all or substantially all Internet endpoints, 
                including any capabilities that are incidental to and 
                enable the operation of a communications service, but 
                excluding dial-up Internet service.
                    ``(B) Scope.--Such term includes--
                            ``(i) any service that the Federal 
                        Communications Commission finds to be providing 
                        a functionally equivalent service to a service 
                        described in subparagraph (A); and
                            ``(ii) a service or application offered via 
                        a connected device.
            ``(15) Directed to children or teens.--
                    ``(A) In general.--The terms `directed to 
                children', `directed to teens', and `directed to 
                children or teens' mean, with respect to a website, 
                online service, online application, mobile application, 
                or connected device, that the website, online service, 
                online application, mobile application, or connected 
                device, or a portion thereof, is targeted to children 
                or teens, as the case may be, as demonstrated by--
                            ``(i) the subject matter of the website, 
                        online service, online application, mobile 
                        application, or connected device;
                            ``(ii) the visual content of the website, 
                        online service, online application, mobile 
                        application, or connected device;
                            ``(iii) the use of animated characters or 
                        child-oriented activities for children, or the 
                        use of teen-oriented characters or teen-
                        oriented activities for teens, and related 
                        incentives on the website, online service, 
                        online application, mobile application, or 
                        connected device;
                            ``(iv) the music or other audio content on 
                        the website, online service, online 
                        application, mobile application, or connected 
                        device;
                            ``(v) the age of models on the website, 
                        online service, online application, mobile 
                        application, or connected device;
                            ``(vi) the presence, on the website, online 
                        service, online application, mobile 
                        application, or connected device, of--
                                    ``(I) child celebrities;
                                    ``(II) celebrities who appeal to 
                                children;
                                    ``(III) teen celebrities; or
                                    ``(IV) celebrities who appeal to 
                                teens;
                            ``(vii) the language used on the website, 
                        online service, online application, mobile 
                        application, or connected device;
                            ``(viii) advertising content used on, or 
                        used to advertise, the website, online service, 
                        online application, mobile application, or 
                        connected device; or
                            ``(ix) reliable empirical evidence relating 
                        to--
                                    ``(I) the composition of the 
                                audience of the website, online 
                                service, online application, mobile 
                                application, or connected device; and
                                    ``(II) the intended audience of the 
                                website, online service, online 
                                application, mobile application, or 
                                connected device.
                    ``(B) Rules of construction.--
                            ``(i) Services deemed directed to children 
                        or teens.--For the purposes of this title, a 
                        website, online service, online application, 
                        mobile application, or connected device, or a 
                        portion thereof, shall be deemed to be directed 
                        to children or teens if it collects personal 
                        information directly from users of any other 
                        website, online service, online application, 
                        mobile application, or connected device that 
                        is--
                                    ``(I) directed to children or teens 
                                under the criteria described in 
                                subparagraph (A); or
                                    ``(II) used or reasonably likely to 
                                be used by children or teens.
                            ``(ii) Services deemed directed to mixed 
                        audiences.--
                                    ``(I) In general.--A website, 
                                online service, online application, 
                                mobile application, or connected device 
                                that is directed to children or teens 
                                under the criteria described in 
                                subparagraph (A), but that does not 
                                target children or teens as the primary 
                                audience of the website, online 
                                service, online application, mobile 
                                application, or connected device shall 
                                not be deemed to be directed to 
                                children or teens for purposes of this 
                                title if the website, online service, 
                                online application, mobile application, 
                                or connected device--
                                            ``(aa) does not collect 
                                        personal information from any 
                                        user of the website, online 
                                        service, online application, 
                                        mobile application, or 
                                        connected device before 
                                        verifying age information of 
                                        the user; and
                                            ``(bb) does not, without 
                                        first complying with any 
                                        relevant notice and consent 
                                        provision under this title, 
                                        collect, use, or disclose 
                                        personal information of any 
                                        user who identifies themselves 
                                        to the website, online service, 
                                        online application, mobile 
                                        application, or connected 
                                        device as an individual who is 
                                        age 16 or younger.
                                    ``(II) Use of certain tools.--For 
                                purposes of this title, a website, 
                                online service, online application, 
                                mobile application, or connected 
                                device, shall not be deemed directed to 
                                children or teens solely because the 
                                website, online service, online 
                                application, mobile application, or 
                                connected device refers or links to any 
                                other website, online service, online 
                                application, mobile application, or 
                                connected device directed to children 
                                or teens by using information location 
                                tools, including--
                                            ``(aa) a directory;
                                            ``(bb) an index;
                                            ``(cc) a reference;
                                            ``(dd) a pointer; or
                                            ``(ee) a hypertext link.
            ``(16) Mobile application.--The term `mobile application'--
                    ``(A) means a software program that runs on the 
                operating system of--
                            ``(i) a cellular telephone;
                            ``(ii) a tablet computer; or
                            ``(iii) a similar portable computing device 
                        that transmits data over a wireless connection; 
                        and
                    ``(B) includes a service or application offered via 
                a connected device.
            ``(17) Geolocation information.--The term `geolocation 
        information' means information sufficient to identify a street 
        name and name of a city or town.
            ``(18) Teen.--The term `teen' means an individual over the 
        age of 12 and under the age of 17.
            ``(19) Targeted marketing.--
                    ``(A) In general.--The term `targeted marketing' 
                means advertising or any other effort to market a 
                product or service that is directed to a specific 
                individual or device--
                            ``(i) based on--
                                    ``(I) the personal information of--
                                            ``(aa) the individual; or
                                            ``(bb) a group of 
                                        individuals who are similar in 
                                        gender, age, income level, 
                                        race, or ethnicity to the 
                                        specific individual to whom the 
                                        product or service is marketed;
                                    ``(II) psychological profiling of 
                                an individual or group of individuals; 
                                or
                                    ``(III) a unique identifier of the 
                                device; or
                            ``(ii) as a result of use by the 
                        individual, access by any device of the 
                        individual, or use by a group of individuals 
                        who are similar to the specific individual, of 
                        more than a single--
                                    ``(I) website;
                                    ``(II) online service;
                                    ``(III) online application;
                                    ``(IV) mobile application;
                                    ``(V) connected device; or
                                    ``(VI) operating system.
                    ``(B) Exclusions.--The term `targeted marketing' 
                shall not include--
                            ``(i) advertising or marketing to an 
                        individual or the device of an individual in 
                        response to the individual's specific request 
                        for information or feedback;
                            ``(ii) contextual advertising, such as when 
                        an advertisement is displayed based on the 
                        context in which the advertisement appears and 
                        does not vary based on who is viewing the 
                        advertisement; or
                            ``(iii) processing personal information 
                        solely for measuring or reporting advertising 
                        or content performance, reach, or frequency, 
                        including independent measurement.
                    ``(C) Authority to further define.--The Commission 
                may promulgate rules under section 553 of title 5, 
                United State Code, to further define the term `targeted 
                marketing' but only as necessary to address changes to 
                or innovations of technology, changes in how personal 
                information is used or transferred, changes to the 
                means and manners by which children or teens interact 
                with a website, online service, online application, 
                mobile application, or connected device, or evolving 
                concerns regarding the privacy of children or teens.
            ``(20) Reasonably likely to be used.--The Commission may 
        promulgate rules under section 553 of title 5, United States 
        Code, or issue guidance to establish factors that should be 
        considered in applying the term `reasonably likely to be used' 
        for the purposes of this title.
            ``(21) Reasonably likely to be a child or teen.--The 
        Commission may promulgate rules under section 553 of title 5, 
        United States Code, or issue guidance to establish factors that 
        should be considered in applying the term `reasonably likely to 
        be a child or teen' for the purposes of this title.''.
    (b) Online Collection, Use, and Disclosure of Personal Information 
of Children and Teens.--Section 1303 of the Children's Online Privacy 
Protection Act of 1998 (15 U.S.C. 6502) is amended--
            (1) by striking the heading and inserting the following: 
        ``online collection, use, and disclosure of personal 
        information of children and teens.'';
            (2) in subsection (a)--
                    (A) by amending paragraph (1) to read as follows:
            ``(1) In general.--It is unlawful for an operator of a 
        website, online service, online application, mobile 
        application, or connected device that is directed to children 
        or teens or is used or reasonably likely to be used by children 
        or teens in a manner that involves the collection of personal 
        information, to collect personal information from a child or 
        teen in a manner that violates the regulations prescribed under 
        subsection (b).''; and
                    (B) in paragraph (2)--
                            (i) by striking ``of such a website or 
                        online service''; and
                            (ii) by striking ``subsection 
                        (b)(1)(B)(iii) to the parent of a child'' and 
                        inserting ``subsection (b)(1)(A)(iii) to the 
                        parent of a child or under subsection 
                        (b)(1)(A)(iv) to a teen''; and
            (3) in subsection (b)--
                    (A) in paragraph (1)--
                            (i) by striking ``this Act'' and inserting 
                        ``the Children and Teens' Online Privacy 
                        Protection Act'';
                            (ii) in subparagraph (A)--
                                    (I) by striking ``operator of any 
                                website'' and all that follows through 
                                ``from a child'' and inserting 
                                ``operator of a website, online 
                                service, online application, mobile 
                                application, or connected device that 
                                is directed to children or teens or is 
                                used or is reasonably likely to be used 
                                by children or teens in a manner that 
                                involves the collection of their 
                                personal information'';
                                    (II) in clause (i)--
                                            (aa) by striking ``notice 
                                        on the website'' and inserting 
                                        ``clear and conspicuous 
                                        notice'';
                                            (bb) by inserting ``or 
                                        teens'' after ``children'';
                                            (cc) by striking ``, and 
                                        the operator's'' and inserting 
                                        ``, the operator's''; and
                                            (dd) by striking ``; and'' 
                                        and inserting ``, and the 
                                        procedures or mechanisms the 
                                        operator uses to ensure that 
                                        personal information is not 
                                        collected from children or 
                                        teens except in accordance with 
                                        the regulations promulgated 
                                        under this paragraph;''; and
                                    (III) in clause (ii)--
                                            (aa) by striking 
                                        ``parental''; and
                                            (bb) by inserting ``or 
                                        teens'' after ``children'';
                            (iii) in subparagraph (B)--
                                    (I) in the matter preceding clause 
                                (i), by striking ``website or online 
                                service'' and inserting ``operator'';
                                    (II) in clause (ii), by inserting 
                                ``to delete personal information 
                                collected from the child or'' after 
                                ``the opportunity at any time''; and
                                    (III) in clause (iii), by inserting 
                                ``, if such information is available to 
                                the operator at the time the parent 
                                makes the request'' before the 
                                semicolon;
                            (iv) by redesignating subparagraphs (C) and 
                        (D) as subparagraphs (D) and (E), respectively;
                            (v) by inserting after subparagraph (B) the 
                        following new subparagraph:
                    ``(C) require the operator to provide, upon the 
                request of a teen under this subparagraph who has 
                provided personal information to the operator, upon 
                proper identification of that teen--
                            ``(i) a description of the specific types 
                        of personal information collected from the teen 
                        by the operator;
                            ``(ii) the opportunity at any time to 
                        delete personal information collected from the 
                        teen and refuse further use or collection of 
                        personal information from the teen; and
                            ``(iii) a means that is reasonable under 
                        the circumstances for the teen to obtain any 
                        personal information collected from the teen, 
                        if such information is available to the 
                        operator at the time the teen makes the 
                        request;'';
                            (vi) in subparagraph (D), as so 
                        redesignated, by striking ``conditioning'' and 
                        all that follows through ``such activity'' and 
                        inserting the following: ``the collection from 
                        a child or teen of more personal information 
                        that is reasonably required to use the website, 
                        online service, online application, mobile 
                        application, or connected device'';
                            (vii) in subparagraph (E), as so 
                        redesignated--
                                    (I) by striking ``of such a website 
                                or online service''; and
                                    (II) by inserting ``and teens'' 
                                after ``children''; and
                            (viii) by adding at the end the following 
                        flush text:
        ``The Commission shall review and update the regulations 
        promulgated under this paragraph as necessary.'';
                    (B) in paragraph (2)--
                            (i) in the matter preceding subparagraph 
                        (A), by striking ``verifiable parental 
                        consent'' and inserting ``verifiable consent'';
                            (ii) in subparagraph (A)--
                                    (I) by inserting ``or teen'' after 
                                ``collected from a child'';
                                    (II) by inserting ``or teen'' after 
                                ``request from the child''; and
                                    (III) by inserting ``or teen or to 
                                contact another child or teen'' after 
                                ``to recontact the child'';
                            (iii) in subparagraph (B)--
                                    (I) by striking ``parent or child'' 
                                and inserting ``parent or teen''; and
                                    (II) by striking ``parental 
                                consent'' each place the term appears 
                                and inserting ``verifiable consent'';
                            (iv) in subparagraph (C)--
                                    (I) in the matter preceding clause 
                                (i), by inserting ``or teen'' after 
                                ``child'' each place the term appears;
                                    (II) in clause (i)--
                                            (aa) by inserting ``or 
                                        teen'' after ``child'' each 
                                        place the term appears; and
                                            (bb) by inserting ``or 
                                        teen, as applicable,'' after 
                                        ``parent'' each place the term 
                                        appears; and
                                    (III) in clause (ii)--
                                            (aa) by inserting ``or 
                                        teen, as applicable,'' after 
                                        ``parent''; and
                                            (bb) by inserting ``or 
                                        teen'' after ``child'' each 
                                        place the term appears; and
                            (v) in subparagraph (D)--
                                    (I) in the matter preceding clause 
                                (i), by inserting ``or teen'' after 
                                ``child'' each place the term appears;
                                    (II) in clause (ii), by inserting 
                                ``or teen'' after ``child''; and
                                    (III) in the flush text following 
                                clause (iii)--
                                            (aa) by inserting ``or 
                                        teen, as applicable,'' after 
                                        ``parent'' each place the term 
                                        appears; and
                                            (bb) by inserting ``or 
                                        teen'' after ``child''; and
                    (C) by amending paragraph (3) to read as follows:
            ``(3) Continuation of service.--The regulations shall 
        prohibit an operator from discontinuing service provided to a 
        child or teen on the basis of a request by the parent of the 
        child or by the teen, under the regulations prescribed under 
        subparagraph (B) or (C) of paragraph (1), respectively, to 
        delete personal information collected from the child or teen, 
        to the extent that the operator is capable of providing such 
        service without such information.''.
    (c) Safe Harbors.--Section 1304 of the Children's Online Privacy 
Protection Act of 1998 (15 U.S.C. 6503) is amended--
            (1) in subsection (b)(1), by inserting ``and teens'' after 
        ``children''; and
            (2) by adding at the end the following:
    ``(d) Publication.--
            ``(1) In general.--The Commission shall publish on the 
        internet website of the Commission any report or documentation 
        required by regulation to be submitted to the Commission to 
        carry out this section.
            ``(2) Restrictions on publication.--The restrictions 
        described in subsection (f) of section 6 of the Federal Trade 
        Commission Act (15 U.S.C. 46(f)) applicable to the publication 
        of information obtained by the Commission through 
        investigations conducted under such section shall apply in same 
        manner to the publication under this subsection of information 
        obtained by the Commission from a report or documentation 
        described in paragraph (1).''.
    (d) Administration and Applicability of Act.--Section 1306 of the 
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is 
amended--
            (1) in subsection (b)--
                    (A) in paragraph (1), by striking ``, in the case 
                of'' and all that follows through ``the Board of 
                Directors of the Federal Deposit Insurance 
                Corporation;'' and inserting the following: ``by the 
                appropriate Federal banking agency, with respect to any 
                insured depository institution (as those terms are 
                defined in section 3 of that Act (12 U.S.C. 1813));''; 
                and
                    (B) by striking paragraph (2) and redesignating 
                paragraphs (3) through (6) as paragraphs (2) through 
                (5), respectively; and
            (2) by adding at the end the following new subsection:
    ``(f) Telecommunications Carriers and Cable Operators.--
            ``(1) Enforcement by commission.--Notwithstanding section 
        4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 
        44, 45(a)(2), 46), or any jurisdictional limitation of the 
        Commission, the Commission shall also enforce this Act and the 
        regulations promulgated under this Act, in the same manner 
        provided in subsection (d), with respect to common carriers 
        subject to the Communications Act of 1934 (47 U.S.C. 151 et 
        seq.) and Acts amendatory thereof and supplementary thereto.
            ``(2) Relationship to other law.--To the extent that 
        section 222, 338(i), or 631 of the Communications Act of 1934 
        (47 U.S.C. 222, 338(i), 551) is inconsistent with this title, 
        this title controls.''.

SEC. 4. FAIR INFORMATION PRACTICES PRINCIPLES.

    (a) In General.--The Fair Information Practices Principles 
described in this section are the following:
            (1) Collection limitation principle.--Except as provided in 
        paragraph (3), personal information should be collected from a 
        child or teen only when collection of the personal information 
        is--
                    (A) consistent with the context of a particular 
                transaction or service or the relationship of the child 
                or teen with the operator, including collection 
                necessary to fulfill a transaction or provide a service 
                requested by the child or teen; or
                    (B) required or specifically authorized by law.
            (2) Data quality principle.--The personal information of a 
        child or teen should be accurate, complete, and kept up-to-date 
        to the extent necessary to fulfill the purposes described in 
        subparagraphs (A) through (D) of paragraph (3).
            (3) Purpose specification principle.--The purposes for 
        which personal information is collected and used should be 
        specified to the parent of a child or to a teen not later than 
        at the time of the collection of the information. The 
        subsequent use or disclosure of the information should be 
        limited to--
                    (A) fulfillment of the transaction or service 
                requested by the teen or parent of the child;
                    (B) support for the internal operations of the 
                website, service, or application, as described in 
                section 312.2 of title 16, Code of Federal Regulations 
                (as in effect on the date of enactment of this Act), 
                excluding any activity relating to targeted marketing 
                directed to children, teens, or a device of a child or 
                teen if the support for internal operations in 
                consistent with the interest of the child or teen;
                    (C) compliance with legal process or other purposes 
                expressly authorized under specific legal authority; or
                    (D) other purposes--
                            (i) that are specified in a notice to the 
                        teen or parent of the child; and
                            (ii) to which the teen or parent of the 
                        child has consented under paragraph (7) before 
                        the information is used or disclosed for such 
                        other purposes.
            (4) Retention limitation principle.--
                    (A) In general.--The personal information of a 
                child or teen should not be retained for longer than is 
                necessary to fulfill a transaction or provide a service 
                requested by the child or teen or such other purposes 
                specified in subparagraphs (A) through (D) of paragraph 
                (3).
                    (B) Data disposal.--The operator should implement a 
                reasonable and appropriate data disposal policy based 
                on the nature and sensitivity of personal information 
                described in subparagraph (A).
            (5) Security safeguards principle.--The personal 
        information of a child or teen should be protected by 
        reasonable and appropriate security safeguards against risks 
        such as loss or unauthorized access, destruction, use, 
        modification, or disclosure.
            (6) Transparency principle.--
                    (A) General principle.--The operator should be 
                transparent about developments, practices, and policies 
                with respect to the personal information of a child or 
                teen.
                    (B) Provision of information.--The operator should 
                provide to each parent of a child, or to each teen, 
                using the website, online service, online application, 
                mobile application, or connected device of the operator 
                with a clear and prominent means--
                            (i) to identify and contact the operator, 
                        by, at a minimum, disclosing, clearly and 
                        prominently, the identity of the operator and--
                                    (I) in the case of an operator who 
                                is an individual, the address of the 
                                principal residence (but not a personal 
                                residence) of the operator and an email 
                                address or online contact form and 
                                telephone number for the operator; or
                                    (II) in the case of any other 
                                operator, the address of the principal 
                                place of business of the operator and 
                                an email address or online contact form 
                                and telephone number for the operator;
                            (ii) to determine whether the operator 
                        possesses any personal information of the child 
                        or teen, the nature of any such information, 
                        and the purposes for which the information was 
                        collected and is being retained;
                            (iii) to obtain any personal information of 
                        the child or teen that is in the possession of 
                        the operator from the operator, or from a 
                        person specified by the operator, within a 
                        reasonable time after making a request, at a 
                        charge (if any) that is not excessive, in a 
                        reasonable manner, and in a form that is 
                        readily intelligible to the child or teen;
                            (iv) to challenge the accuracy of personal 
                        information of the child or teen that is in the 
                        possession of the operator;
                            (v) to determine if the child or teen has 
                        established the inaccuracy of personal 
                        information in a challenge under clause (iv) in 
                        order to have such information erased, 
                        corrected, completed, or otherwise amended; and
                            (vi) to determine the method by which the 
                        operator obtains data relevant to the child or 
                        teen.
                    (C) Limitation.--Nothing in this paragraph shall be 
                construed to permit an operator to erase or otherwise 
                modify personal information requested by a law 
                enforcement agency pursuant to legal authority.
            (7) Individual participation principle.--The operator 
        should--
                    (A) obtain consent from a parent of a child or from 
                a teen before using or disclosing the personal 
                information of the child or teen for any purpose other 
                than the purposes described in subparagraph (A) of 
                paragraph (3); and
                    (B) obtain affirmative express consent from a 
                parent of a child or from a teen before using or 
                disclosing previously collected personal information of 
                the child or teen for purposes that constitute a 
                material change in practice from the original purposes 
                specified to the child or teen under paragraph (3).
            (8) Racial and socioeconomic profiling.--The personal 
        information of a child or teen shall not be used to direct 
        content to the child or teen, or a group of individuals similar 
        to the child or teen, on the basis of race, socioeconomic 
        factors, or any proxy thereof.
    (b) Rule of Construction.--Nothing in this section, including 
compliance with the Fair Information Principles, shall be construed to 
permit an operator to avoid compliance with other requirements set 
forth in this Act or the Children's Online Privacy Protection Act (15 
U.S.C. 6501 et seq.).

SEC. 5. DIGITAL MARKETING BILL OF RIGHTS FOR TEENS.

    (a) Acts Prohibited.--
            (1) Prohibition.--
                    (A) In general.--Except as provided in subparagraph 
                (B), it shall be unlawful for an operator of a website, 
                online service, online application, mobile application, 
                or connected device to collect personal information 
                from a user if--
                            (i) the user is reasonably likely to be a 
                        teen; or
                            (ii) the website, online service, online 
                        application, mobile application, or connected 
                        device is directed to teens.
                    (B) Exception.--Subparagraph (A) shall not apply to 
                an operator that has adopted and complies with a 
                Digital Marketing Bill of Rights for Teens that meets 
                the Fair Information Practices Principles described in 
                section 4.
            (2) Effective date.--This subsection shall take effect on 
        the date that is 180 days after the promulgation of regulations 
        under subsection (b).
    (b) Regulations.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Commission shall promulgate, under 
        section 553 of title 5, United States Code, regulations to 
        implement this section, including regulations further defining 
        the Fair Information Practices Principles described in section 
        4.
            (2) Updates.--Not less frequently than once every 4 years 
        after the date on which regulations are promulgated under 
        paragraph (1), the Commission shall review and update those 
        regulations as necessary.

SEC. 6. TARGETED MARKETING TO CHILDREN AND TEENS.

    (a) Prohibited Acts With Respect to Children and Teens.--It shall 
be unlawful for an operator of a website, online service, online 
application, mobile application, or connected device to collect, use, 
disclose to third parties, or compile personal information of a user 
for purposes of targeted marketing (or to allow another person to 
collect, use, disclose, or compile such information for such purpose) 
if--
            (1) such use, disclosure, or compiling of personal 
        information involves or is reasonably likely to involve 
        collection of personal information from a child or teen; or
            (2) the website, online service, online application, mobile 
        application, or connected device is directed to children or 
        teens.
    (b) Effective Date.--This section shall take effect on the date 
that is 180 days after the date of enactment of this Act.

SEC. 7. REMOVAL OF CONTENT.

    (a) Acts Prohibited.--It is unlawful for an operator to make, or 
enable a child or teen to make, publicly available through a website, 
online service, online application, mobile application, or connected 
device content or information that contains or displays personal 
information of children or teens in a manner that violates subsection 
(b).
    (b) Requirement.--
            (1) In general.--An operator, to the extent technologically 
        feasible, shall--
                    (A) implement mechanisms that permit a user of the 
                website, online service, online application, mobile 
                application, or connected device of the operator (and, 
                in the case of a user that is a child, a parent of that 
                user) to erase or otherwise eliminate content or 
                information that is--
                            (i) submitted to the website, online 
                        service, online application, mobile 
                        application, or connected device by that user;
                            (ii) publicly available through the 
                        website, online service, online application, 
                        mobile application, or connected device; and
                            (iii) contains or displays personal 
                        information of children or teens; and
                    (B) take appropriate steps to--
                            (i) make users and parents of users who are 
                        children aware of the mechanisms described in 
                        subparagraph (A); and
                            (ii) provide notice to users and parents of 
                        users who are children that the mechanisms 
                        described in subparagraph (A) do not 
                        necessarily provide comprehensive removal of 
                        the content or information submitted by users.
            (2) Exceptions.--Paragraph (1) shall not be construed to 
        require an operator or third party to erase or otherwise 
        eliminate content or information that--
                    (A) any other provision of Federal or State law 
                requires the operator or third party to maintain; or
                    (B) was submitted to the website, online service, 
                online application, mobile application, or connected 
                device of the operator by any person other than the 
                user who is attempting to erase or otherwise eliminate 
                the content or information, including content or 
                information submitted by the user that was republished 
                or resubmitted by another person.
    (c) Limitation.--Nothing in this section shall be construed to 
limit the authority of a law enforcement agency to obtain any content 
or information from an operator as authorized by law or pursuant to an 
order of a court of competent jurisdiction.
    (d) Effective Date.--This section shall take effect on the date 
that is 180 days after the date of enactment of this Act.

SEC. 8. RULE FOR TREATMENT OF USERS OF WEBSITES, SERVICES, AND 
              APPLICATIONS DIRECTED TO CHILDREN OR TEENS.

    For the purposes of this Act, an operator of a website, online 
service, online application, mobile application, or connected device 
that is directed to children or teens shall treat each user of that 
website, online service, online application, mobile application, or 
connected device as a child or teen, except as permitted by the 
Commission pursuant to a regulation promulgated under this Act, and 
except to the extent the website, online service, online application, 
mobile application, or connected device is deemed directed to mixed 
audiences.

SEC. 9. STUDY OF MOBILE AND ONLINE APPLICATION OVERSIGHT.

    Not later than 3 years after the date of enactment of this Act, the 
Commission shall submit to each committee of the Senate and each 
committee of the House of Representatives that has jurisdiction over 
the Commission a report on the processes of platforms that offer mobile 
and online applications for ensuring that, of those applications that 
are directed to children or teens, the applications operate in 
accordance with--
            (1) this Act, the amendments made by this Act, and rules 
        promulgated under this Act; and
            (2) rules promulgated by the Commission under section 5 of 
        the Federal Trade Commission Act (15 U.S.C. 45) relating to 
        unfair or deceptive acts or practices in marketing.

SEC. 10. YOUTH PRIVACY AND MARKETING DIVISION.

    (a) Establishment.--There is established within the Commission a 
division to be known as the Youth Privacy and Marketing Division.
    (b) Director.--The Youth Privacy and Marketing Division shall be 
headed by a Director.
    (c) Duties.--The Youth Privacy and Marketing Division established 
under subsection (a) shall be responsible for assisting the Commission 
to address, as it relates to this Act and the amendments made by this 
Act--
            (1) the privacy of children and teens; and
            (2) marketing directed at children and teens.
    (d) Staff.--The Director of the Youth Privacy and Marketing 
Division shall hire adequate staff to carry out the duties under 
subsection (c), including individuals who are experts in data 
protection, digital advertising, data analytics, and youth development.
    (e) Reports.--Not later than 1 year after the date of enactment of 
this Act, and each year thereafter, the Director of the Youth and 
Privacy Marketing Division shall submit to the Committee on Commerce, 
Science, and Transportation of the Senate and the Committee on Energy 
and Commerce of the House of Representatives a report that includes--
            (1) a description of the work of the Youth Privacy and 
        Marketing Division on emerging concerns relating to youth 
        privacy and marketing practices; and
            (2) an assessment of how effectively the Commission has, 
        during the period for which the report is submitted, addressed 
        youth privacy and marketing practices.

SEC. 11. ENFORCEMENT AND APPLICABILITY.

    (a) Enforcement by the Commission.--
            (1) In general.--Except as otherwise provided, this Act and 
        the regulations prescribed under this Act shall be enforced by 
        the Commission under the Federal Trade Commission Act (15 
        U.S.C. 41 et seq.).
            (2) Unfair or deceptive acts or practices.--Subject to 
        subsection (b), a violation of this Act or a regulation 
        prescribed under this Act shall be treated as a violation of a 
        rule defining an unfair or deceptive act or practice prescribed 
        under section 18(a)(1)(B) of the Federal Trade Commission Act 
        (15 U.S.C. 57a(a)(1)(B)).
            (3) Actions by the commission.--
                    (A) In general.--Subject to subsection (b), and 
                except as provided in subsection (d)(1), the Commission 
                shall prevent any person from violating this Act or a 
                regulation prescribed under this Act in the same 
                manner, by the same means, and with the same 
                jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act, and any person who 
                violates this Act or such regulation shall be subject 
                to the penalties and entitled to the privileges and 
                immunities provided in the Federal Trade Commission 
                Act.
                    (B) Violations.--Notwithstanding section 5(m) of 
                the Federal Trade Commission Act (15 U.S.C. 45(m)), a 
                civil penalty recovered for a violation of this Act or 
                a regulation prescribed under this Act may be in excess 
                of the amounts provided for in that section as the 
                court finds appropriate to deter violations of this Act 
                and regulations prescribed under this Act.
    (b) Enforcement by Certain Other Agencies.--Notwithstanding 
subsection (a), compliance with the requirements imposed under this Act 
shall be enforced as follows:
            (1) Under section 8 of the Federal Deposit Insurance Act 
        (12 U.S.C. 1818) by the appropriate Federal banking agency, 
        with respect to an insured depository institution (as such 
        terms are defined in section 3 of such Act (12 U.S.C. 1813)).
            (2) Under the Federal Credit Union Act (12 U.S.C. 1751 et 
        seq.) by the National Credit Union Administration Board, with 
        respect to any Federal credit union.
            (3) Under part A of subtitle VII of title 49, United States 
        Code, by the Secretary of Transportation, with respect to any 
        air carrier or foreign air carrier subject to such part.
            (4) Under the Packers and Stockyards Act, 1921 (7 U.S.C. 
        181 et seq.) (except as provided in section 406 of that Act (7 
        U.S.C. 226, 227)) by the Secretary of Agriculture, with respect 
        to any activities subject to that Act.
            (5) Under the Farm Credit Act of 1971 (12 U.S.C. 2001 et 
        seq.) by the Farm Credit Administration, with respect to any 
        Federal land bank, Federal land bank association, Federal 
        intermediate credit bank, or production credit association.
    (c) Enforcement by State Attorneys General.--
            (1) In general.--
                    (A) Civil actions.--In any case in which the 
                attorney general of a State has reason to believe that 
                an interest of the residents of that State has been or 
                is threatened or adversely affected by the engagement 
                of any person in a practice that violates this Act or a 
                regulation prescribed under this Act, the State, as 
                parens patriae, may bring a civil action on behalf of 
                the residents of the State in a district court of the 
                United States of appropriate jurisdiction to--
                            (i) enjoin that practice;
                            (ii) enforce compliance with this Act or 
                        such regulation;
                            (iii) obtain damages, restitution, or other 
                        compensation on behalf of residents of the 
                        State; or
                            (iv) obtain such other relief as the court 
                        may consider to be appropriate.
                    (B) Notice.--
                            (i) In general.--Before filing an action 
                        under subparagraph (A), the attorney general of 
                        the State involved shall provide to the 
                        Commission--
                                    (I) written notice of that action; 
                                and
                                    (II) a copy of the complaint for 
                                that action.
                            (ii) Exemption.--
                                    (I) In general.--Clause (i) shall 
                                not apply with respect to the filing of 
                                an action by an attorney general of a 
                                State under this paragraph if the 
                                attorney general of the State 
                                determines that it is not feasible to 
                                provide the notice described in that 
                                clause before the filing of the action.
                                    (II) Notification.--In an action 
                                described in subclause (I), the 
                                attorney general of a State shall 
                                provide notice and a copy of the 
                                complaint to the Commission at the same 
                                time as the attorney general files the 
                                action.
            (2) Intervention.--
                    (A) In general.--On receiving notice under 
                paragraph (1)(B), the Commission shall have the right 
                to intervene in the action that is the subject of the 
                notice.
                    (B) Effect of intervention.--If the Commission 
                intervenes in an action under paragraph (1), it shall 
                have the right--
                            (i) to be heard with respect to any matter 
                        that arises in that action; and
                            (ii) to file a petition for appeal.
            (3) Construction.--For purposes of bringing any civil 
        action under paragraph (1), nothing in this Act shall be 
        construed to prevent an attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of that State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (4) Actions by the commission.--In any case in which an 
        action is instituted by or on behalf of the Commission for 
        violation of this Act or a regulation prescribed under this 
        Act, no State may, during the pendency of that action, 
        institute a separate action under paragraph (1) against any 
        defendant named in the complaint in the action instituted by or 
        on behalf of the Commission for that violation.
            (5) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in the district court of the United 
                States that meets applicable requirements relating to 
                venue under section 1391 of title 28, United States 
                Code.
                    (B) Service of process.--In an action brought under 
                paragraph (1), process may be served in any district in 
                which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
    (d) Telecommunications Carriers and Cable Operators.--
            (1) Enforcement by commission.--Notwithstanding section 4, 
        5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 
        44, 45(a)(2), 46) or any jurisdictional limitation of the 
        Commission, the Commission shall also enforce this Act and 
        regulations promulgated under this Act, in the same manner 
        provided in paragraph (a), with respect to common carriers 
        subject to the Communications Act of 1934 (47 U.S.C. 151 et 
        seq.) and Acts amendatory thereof and supplementary thereto.
            (2) Relationship to other laws.--To the extent that section 
        222, 338(i), or 631 of the Communications Act of 1934 (47 
        U.S.C. 222, 338(i), 551) is inconsistent with this Act, this 
        Act controls.
    (e) Safe Harbors.--
            (1) Definition.--In this subsection--
                    (A) the term ``applicable section'' means section 
                5, 6, 7, or 8 of this Act;
                    (B) the term ``covered operator'' means an operator 
                subject to guidelines approved under paragraph (2);
                    (C) the term ``requesting entity'' means an entity 
                that submits a safe harbor request to the Commission; 
                and
                    (D) the term ``safe harbor request'' means a 
                request to have self-regulatory guidelines described in 
                paragraph (2)(A) approved under that paragraph.
            (2) Guidelines.--
                    (A) In general.--An operator may satisfy the 
                requirements of regulations issued under an applicable 
                section by following a set of self-regulatory 
                guidelines, issued by representatives of the marketing 
                or online industries, or by other persons, that, after 
                notice and an opportunity for comment, are approved by 
                the Commission upon making a determination that the 
                guidelines meet the requirements of the regulations 
                issued under that applicable section.
                    (B) Expedited response to requests.--Not later than 
                180 days after the date on which a safe harbor request 
                is filed under subparagraph (A), the Commission shall 
                act upon the request set forth in writing the 
                conclusions of the Commission with regard to the 
                request.
                    (C) Appeals.--A requesting entity may appeal the 
                final action of the Commission under subparagraph (B), 
                or a failure by the Commission to act in the period 
                described in that paragraph, to a district court of the 
                United States of appropriate jurisdiction, as provided 
                for in section 706 of title 5, United States Code.
            (3) Incentives.--
                    (A) Self-regulatory incentives.--In prescribing 
                regulations under an applicable section, the Commission 
                shall provide incentives for self-regulation by covered 
                operators to implement the protections afforded 
                children and teens, as applicable, under the regulatory 
                requirements described in those sections.
                    (B) Deemed compliance.--The incentives under 
                subparagraph (A) shall include provisions for ensuring 
                that a covered operator will be deemed to be in 
                compliance with the requirements of the regulations 
                under an applicable section if that person complies 
                with guidelines approved under paragraph (2).
            (4) Regulations.--
                    (A) In general.--In prescribing regulations 
                relating to safe harbor guidelines under an applicable 
                section, the Commission shall--
                            (i) establish criteria for the approval of 
                        guidelines that will ensure that a covered 
                        operator provides substantially the same or 
                        greater protections for children and teens, as 
                        applicable, as those contained in the 
                        regulations issued under the applicable 
                        section; and
                            (ii) subject to subsection (B), require 
                        that any report or documentation required to be 
                        submitted to the Commission by a covered 
                        operator or requesting entity will be published 
                        on the internet website of the Commission.
                    (B) Restrictions on publication.--The restrictions 
                described in subsection (f) of section 6 of the Federal 
                Trade Commission Act (15 U.S.C. 46(f)) applicable to 
                the publication of information obtained by the 
                Commission through investigations conducted under such 
                section shall apply in same manner to the publication 
                under this paragraph of information included in a 
                report or documentation described in subparagraph (A).
            (5) Report by the inspector general.--
                    (A) In general.--Not later than 2 years after the 
                date of enactment of this Act, and once each 2 years 
                thereafter, the Inspector General of the Commission 
                shall submit to the Commission and each committee of 
                the Senate and each committee of the House of 
                Representatives that has jurisdiction over the 
                Commission a report regarding the safe harbor 
                provisions under this subparagraph, which shall 
                include--
                            (i) an analysis of whether the safe harbor 
                        provisions are--
                                    (I) operating fairly and 
                                effectively; and
                                    (II) effectively protecting the 
                                interests of children and teens; and
                            (ii) proposals for policy changes that 
                        would improve the effectiveness of the safe 
                        harbor provisions.
                    (B) Publication.--Not later than 10 days after the 
                date on which a report under subparagraph (A) is 
                submitted, the Commission shall publish the report on 
                the internet website of the Commission.
    (f) Effective Date.--This section shall take effect on the date 
that is 90 days after the date of enactment of this Act.
    (g) Rule of Construction.--Nothing in this Act may be construed to 
authorize any action by the Commission that would violate section 18(h) 
of the Federal Trade Commission Act (15 U.S.C. 57a(h)).

SEC. 12. GAO STUDY.

    (a) Study.--The Comptroller General of the United States (in this 
section referred to as the ``Comptroller General'') shall conduct a 
study on the privacy of teens who use financial technology products. 
Such study shall--
            (1) identify the type of financial technology products that 
        teens are using;
            (2) identify the potential risks to teens' privacy from 
        using such financial technology products; and
            (3) determine whether existing laws are sufficient to 
        address such risks to teens' privacy.
    (b) Report.--Not later than 1 year after the date of enactment of 
this section, the Comptroller General shall submit to Congress a report 
containing the results of the study conducted under subsection (a), 
together with recommendations for such legislation and administrative 
action as the Comptroller General determines appropriate.
                                 <all>