[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1418 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
1st Session
S. 1418
To amend the Children's Online Privacy Protection Act of 1998 to
strengthen protections relating to the online collection, use, and
disclosure of personal information of children and teens, and for other
purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 3, 2023
Mr. Markey (for himself and Mr. Cassidy) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To amend the Children's Online Privacy Protection Act of 1998 to
strengthen protections relating to the online collection, use, and
disclosure of personal information of children and teens, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Children and
Teens' Online Privacy Protection Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Online collection, use, and disclosure of personal information
of children and teens.
Sec. 4. Fair Information Practices Principles.
Sec. 5. Digital Marketing Bill of Rights for Teens.
Sec. 6. Targeted marketing to children or teens.
Sec. 7. Removal of content.
Sec. 8. Rule for treatment of users of websites, services, and
applications directed to children or teens.
Sec. 9. Study of mobile and online application oversight.
Sec. 10. Youth Privacy and Marketing Division.
Sec. 11. Enforcement and applicability.
Sec. 12. GAO study.
SEC. 2. DEFINITIONS.
(a) In General.--In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Standards.--The term ``standards'' means benchmarks,
guidelines, best practices, methodologies, procedures, and
processes.
(b) Other Definitions.--The definitions set forth in section 1302
of the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501), as amended by section 3(a) of this Act, shall apply in this Act,
except to the extent the Commission provides otherwise by regulations
issued under section 553 of title 5, United States Code.
SEC. 3. ONLINE COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION
OF CHILDREN AND TEENS.
(a) Definitions.--Section 1302 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6501) is amended--
(1) by amending paragraph (2) to read as follows:
``(2) Operator.--The term `operator'--
``(A) means any person--
``(i) who, for commercial purposes, in
interstate or foreign commerce operates or
provides a website on the internet, an online
service, an online application, a mobile
application, or a connected device; and
``(ii) who--
``(I) collects or maintains, either
directly or through a service provider,
personal information from or about the
users of that website, service,
application, or connected device;
``(II) allows another person to
collect personal information directly
from users of that website, service,
application, or connected device (in
which case, the operator is deemed to
have collected the information); or
``(III) allows users of that
website, service, application, or
connected device to publicly disclose
personal information (in which case,
the operator is deemed to have
collected the information); and
``(B) does not include any nonprofit entity that
would otherwise be exempt from coverage under section 5
of the Federal Trade Commission Act (15 U.S.C. 45).'';
(2) in paragraph (4)--
(A) by amending subparagraph (A) to read as
follows:
``(A) the release of personal information collected
from a child or teen for any purpose, except where the
personal information is provided to a person other than
an operator who--
``(i) provides support for the internal
operations of the website, online service,
online application, mobile application, or
connected device of the operator, excluding any
activity relating to targeted marketing
directed to children, teens, or connected
devices; and
``(ii) does not disclose or use that
personal information for any other purpose;
and''; and
(B) in subparagraph (B)--
(i) by inserting ``or teen'' after
``child'' each place the term appears;
(ii) by inserting ``or teens'' after
``children''; and
(iii) by striking ``website or online
service'' and inserting ``website, online
service, online application, mobile
application, or connected device'';
(3) in paragraph (8), by striking subparagraphs (F) and (G)
and inserting the following:
``(F) geolocation information;
``(G) information generated from the measurement or
technological processing of an individual's biological,
physical, or physiological characteristics, including--
``(i) fingerprints;
``(ii) voice prints;
``(iii) iris or retina imagery scans;
``(iv) facial imagery or templates;
``(v) deoxyribonucleic acid (DNA)
information; or
``(vi) gait;
``(H) information reasonably associated with or
attributed to a child or teen;
``(I) information (including an internet protocol
address) that permits the identification of--
``(i) an individual; or
``(ii) any device used by an individual to
directly or indirectly access the internet or
an online service, online application, mobile
application, or connected device; or
``(J) information concerning a child or teen or the
parents of that child or teen (including any unique or
substantially unique identifier, such as a customer
number) that an operator collects online from the child
or teen and combines with an identifier described in
this paragraph.'';
(4) by amending paragraph (9) to read as follows:
``(9) Verifiable consent.--The term `verifiable consent'
means any reasonable effort (taking into consideration
available technology), including a request for authorization
for future collection, use, and disclosure described in the
notice, to ensure that, in the case of a child, a parent of the
child, or, in the case of a teen, the teen--
``(A) receives specific notice of the personal
information collection, use, and disclosure practices
of the operator; and
``(B) before the personal information of the child
or teen is collected, freely and unambiguously
authorizes--
``(i) the collection, use, and disclosure,
as applicable, of that personal information;
and
``(ii) any subsequent use of that personal
information.'';
(5) by striking paragraph (10) and redesignating paragraphs
(11) and (12) as paragraphs (10) and (11), respectively; and
(6) by adding at the end the following:
``(12) Connected device.--The term `connected device' means
a device that is capable of connecting to the internet,
directly or indirectly, or to another connected device.
``(13) Online application.--The term `online application'--
``(A) means an internet-connected software program;
and
``(B) includes a service or application offered via
a connected device.
``(14) Online service.--
``(A) In general.--The term `online service' means
a mass-market retail service by wire or radio that
provides the capability to transmit data and receive
data from all or substantially all Internet endpoints,
including any capabilities that are incidental to and
enable the operation of a communications service, but
excluding dial-up Internet service.
``(B) Scope.--Such term includes--
``(i) any service that the Federal
Communications Commission finds to be providing
a functionally equivalent service to a service
described in subparagraph (A); and
``(ii) a service or application offered via
a connected device.
``(15) Directed to children or teens.--
``(A) In general.--The terms `directed to
children', `directed to teens', and `directed to
children or teens' mean, with respect to a website,
online service, online application, mobile application,
or connected device, that the website, online service,
online application, mobile application, or connected
device, or a portion thereof, is targeted to children
or teens, as the case may be, as demonstrated by--
``(i) the subject matter of the website,
online service, online application, mobile
application, or connected device;
``(ii) the visual content of the website,
online service, online application, mobile
application, or connected device;
``(iii) the use of animated characters or
child-oriented activities for children, or the
use of teen-oriented characters or teen-
oriented activities for teens, and related
incentives on the website, online service,
online application, mobile application, or
connected device;
``(iv) the music or other audio content on
the website, online service, online
application, mobile application, or connected
device;
``(v) the age of models on the website,
online service, online application, mobile
application, or connected device;
``(vi) the presence, on the website, online
service, online application, mobile
application, or connected device, of--
``(I) child celebrities;
``(II) celebrities who appeal to
children;
``(III) teen celebrities; or
``(IV) celebrities who appeal to
teens;
``(vii) the language used on the website,
online service, online application, mobile
application, or connected device;
``(viii) advertising content used on, or
used to advertise, the website, online service,
online application, mobile application, or
connected device; or
``(ix) reliable empirical evidence relating
to--
``(I) the composition of the
audience of the website, online
service, online application, mobile
application, or connected device; and
``(II) the intended audience of the
website, online service, online
application, mobile application, or
connected device.
``(B) Rules of construction.--
``(i) Services deemed directed to children
or teens.--For the purposes of this title, a
website, online service, online application,
mobile application, or connected device, or a
portion thereof, shall be deemed to be directed
to children or teens if it collects personal
information directly from users of any other
website, online service, online application,
mobile application, or connected device that
is--
``(I) directed to children or teens
under the criteria described in
subparagraph (A); or
``(II) used or reasonably likely to
be used by children or teens.
``(ii) Services deemed directed to mixed
audiences.--
``(I) In general.--A website,
online service, online application,
mobile application, or connected device
that is directed to children or teens
under the criteria described in
subparagraph (A), but that does not
target children or teens as the primary
audience of the website, online
service, online application, mobile
application, or connected device shall
not be deemed to be directed to
children or teens for purposes of this
title if the website, online service,
online application, mobile application,
or connected device--
``(aa) does not collect
personal information from any
user of the website, online
service, online application,
mobile application, or
connected device before
verifying age information of
the user; and
``(bb) does not, without
first complying with any
relevant notice and consent
provision under this title,
collect, use, or disclose
personal information of any
user who identifies themselves
to the website, online service,
online application, mobile
application, or connected
device as an individual who is
age 16 or younger.
``(II) Use of certain tools.--For
purposes of this title, a website,
online service, online application,
mobile application, or connected
device, shall not be deemed directed to
children or teens solely because the
website, online service, online
application, mobile application, or
connected device refers or links to any
other website, online service, online
application, mobile application, or
connected device directed to children
or teens by using information location
tools, including--
``(aa) a directory;
``(bb) an index;
``(cc) a reference;
``(dd) a pointer; or
``(ee) a hypertext link.
``(16) Mobile application.--The term `mobile application'--
``(A) means a software program that runs on the
operating system of--
``(i) a cellular telephone;
``(ii) a tablet computer; or
``(iii) a similar portable computing device
that transmits data over a wireless connection;
and
``(B) includes a service or application offered via
a connected device.
``(17) Geolocation information.--The term `geolocation
information' means information sufficient to identify a street
name and name of a city or town.
``(18) Teen.--The term `teen' means an individual over the
age of 12 and under the age of 17.
``(19) Targeted marketing.--
``(A) In general.--The term `targeted marketing'
means advertising or any other effort to market a
product or service that is directed to a specific
individual or device--
``(i) based on--
``(I) the personal information of--
``(aa) the individual; or
``(bb) a group of
individuals who are similar in
gender, age, income level,
race, or ethnicity to the
specific individual to whom the
product or service is marketed;
``(II) psychological profiling of
an individual or group of individuals;
or
``(III) a unique identifier of the
device; or
``(ii) as a result of use by the
individual, access by any device of the
individual, or use by a group of individuals
who are similar to the specific individual, of
more than a single--
``(I) website;
``(II) online service;
``(III) online application;
``(IV) mobile application;
``(V) connected device; or
``(VI) operating system.
``(B) Exclusions.--The term `targeted marketing'
shall not include--
``(i) advertising or marketing to an
individual or the device of an individual in
response to the individual's specific request
for information or feedback;
``(ii) contextual advertising, such as when
an advertisement is displayed based on the
context in which the advertisement appears and
does not vary based on who is viewing the
advertisement; or
``(iii) processing personal information
solely for measuring or reporting advertising
or content performance, reach, or frequency,
including independent measurement.
``(C) Authority to further define.--The Commission
may promulgate rules under section 553 of title 5,
United State Code, to further define the term `targeted
marketing' but only as necessary to address changes to
or innovations of technology, changes in how personal
information is used or transferred, changes to the
means and manners by which children or teens interact
with a website, online service, online application,
mobile application, or connected device, or evolving
concerns regarding the privacy of children or teens.
``(20) Reasonably likely to be used.--The Commission may
promulgate rules under section 553 of title 5, United States
Code, or issue guidance to establish factors that should be
considered in applying the term `reasonably likely to be used'
for the purposes of this title.
``(21) Reasonably likely to be a child or teen.--The
Commission may promulgate rules under section 553 of title 5,
United States Code, or issue guidance to establish factors that
should be considered in applying the term `reasonably likely to
be a child or teen' for the purposes of this title.''.
(b) Online Collection, Use, and Disclosure of Personal Information
of Children and Teens.--Section 1303 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6502) is amended--
(1) by striking the heading and inserting the following:
``online collection, use, and disclosure of personal
information of children and teens.'';
(2) in subsection (a)--
(A) by amending paragraph (1) to read as follows:
``(1) In general.--It is unlawful for an operator of a
website, online service, online application, mobile
application, or connected device that is directed to children
or teens or is used or reasonably likely to be used by children
or teens in a manner that involves the collection of personal
information, to collect personal information from a child or
teen in a manner that violates the regulations prescribed under
subsection (b).''; and
(B) in paragraph (2)--
(i) by striking ``of such a website or
online service''; and
(ii) by striking ``subsection
(b)(1)(B)(iii) to the parent of a child'' and
inserting ``subsection (b)(1)(A)(iii) to the
parent of a child or under subsection
(b)(1)(A)(iv) to a teen''; and
(3) in subsection (b)--
(A) in paragraph (1)--
(i) by striking ``this Act'' and inserting
``the Children and Teens' Online Privacy
Protection Act'';
(ii) in subparagraph (A)--
(I) by striking ``operator of any
website'' and all that follows through
``from a child'' and inserting
``operator of a website, online
service, online application, mobile
application, or connected device that
is directed to children or teens or is
used or is reasonably likely to be used
by children or teens in a manner that
involves the collection of their
personal information'';
(II) in clause (i)--
(aa) by striking ``notice
on the website'' and inserting
``clear and conspicuous
notice'';
(bb) by inserting ``or
teens'' after ``children'';
(cc) by striking ``, and
the operator's'' and inserting
``, the operator's''; and
(dd) by striking ``; and''
and inserting ``, and the
procedures or mechanisms the
operator uses to ensure that
personal information is not
collected from children or
teens except in accordance with
the regulations promulgated
under this paragraph;''; and
(III) in clause (ii)--
(aa) by striking
``parental''; and
(bb) by inserting ``or
teens'' after ``children'';
(iii) in subparagraph (B)--
(I) in the matter preceding clause
(i), by striking ``website or online
service'' and inserting ``operator'';
(II) in clause (ii), by inserting
``to delete personal information
collected from the child or'' after
``the opportunity at any time''; and
(III) in clause (iii), by inserting
``, if such information is available to
the operator at the time the parent
makes the request'' before the
semicolon;
(iv) by redesignating subparagraphs (C) and
(D) as subparagraphs (D) and (E), respectively;
(v) by inserting after subparagraph (B) the
following new subparagraph:
``(C) require the operator to provide, upon the
request of a teen under this subparagraph who has
provided personal information to the operator, upon
proper identification of that teen--
``(i) a description of the specific types
of personal information collected from the teen
by the operator;
``(ii) the opportunity at any time to
delete personal information collected from the
teen and refuse further use or collection of
personal information from the teen; and
``(iii) a means that is reasonable under
the circumstances for the teen to obtain any
personal information collected from the teen,
if such information is available to the
operator at the time the teen makes the
request;'';
(vi) in subparagraph (D), as so
redesignated, by striking ``conditioning'' and
all that follows through ``such activity'' and
inserting the following: ``the collection from
a child or teen of more personal information
that is reasonably required to use the website,
online service, online application, mobile
application, or connected device'';
(vii) in subparagraph (E), as so
redesignated--
(I) by striking ``of such a website
or online service''; and
(II) by inserting ``and teens''
after ``children''; and
(viii) by adding at the end the following
flush text:
``The Commission shall review and update the regulations
promulgated under this paragraph as necessary.'';
(B) in paragraph (2)--
(i) in the matter preceding subparagraph
(A), by striking ``verifiable parental
consent'' and inserting ``verifiable consent'';
(ii) in subparagraph (A)--
(I) by inserting ``or teen'' after
``collected from a child'';
(II) by inserting ``or teen'' after
``request from the child''; and
(III) by inserting ``or teen or to
contact another child or teen'' after
``to recontact the child'';
(iii) in subparagraph (B)--
(I) by striking ``parent or child''
and inserting ``parent or teen''; and
(II) by striking ``parental
consent'' each place the term appears
and inserting ``verifiable consent'';
(iv) in subparagraph (C)--
(I) in the matter preceding clause
(i), by inserting ``or teen'' after
``child'' each place the term appears;
(II) in clause (i)--
(aa) by inserting ``or
teen'' after ``child'' each
place the term appears; and
(bb) by inserting ``or
teen, as applicable,'' after
``parent'' each place the term
appears; and
(III) in clause (ii)--
(aa) by inserting ``or
teen, as applicable,'' after
``parent''; and
(bb) by inserting ``or
teen'' after ``child'' each
place the term appears; and
(v) in subparagraph (D)--
(I) in the matter preceding clause
(i), by inserting ``or teen'' after
``child'' each place the term appears;
(II) in clause (ii), by inserting
``or teen'' after ``child''; and
(III) in the flush text following
clause (iii)--
(aa) by inserting ``or
teen, as applicable,'' after
``parent'' each place the term
appears; and
(bb) by inserting ``or
teen'' after ``child''; and
(C) by amending paragraph (3) to read as follows:
``(3) Continuation of service.--The regulations shall
prohibit an operator from discontinuing service provided to a
child or teen on the basis of a request by the parent of the
child or by the teen, under the regulations prescribed under
subparagraph (B) or (C) of paragraph (1), respectively, to
delete personal information collected from the child or teen,
to the extent that the operator is capable of providing such
service without such information.''.
(c) Safe Harbors.--Section 1304 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6503) is amended--
(1) in subsection (b)(1), by inserting ``and teens'' after
``children''; and
(2) by adding at the end the following:
``(d) Publication.--
``(1) In general.--The Commission shall publish on the
internet website of the Commission any report or documentation
required by regulation to be submitted to the Commission to
carry out this section.
``(2) Restrictions on publication.--The restrictions
described in subsection (f) of section 6 of the Federal Trade
Commission Act (15 U.S.C. 46(f)) applicable to the publication
of information obtained by the Commission through
investigations conducted under such section shall apply in same
manner to the publication under this subsection of information
obtained by the Commission from a report or documentation
described in paragraph (1).''.
(d) Administration and Applicability of Act.--Section 1306 of the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is
amended--
(1) in subsection (b)--
(A) in paragraph (1), by striking ``, in the case
of'' and all that follows through ``the Board of
Directors of the Federal Deposit Insurance
Corporation;'' and inserting the following: ``by the
appropriate Federal banking agency, with respect to any
insured depository institution (as those terms are
defined in section 3 of that Act (12 U.S.C. 1813));'';
and
(B) by striking paragraph (2) and redesignating
paragraphs (3) through (6) as paragraphs (2) through
(5), respectively; and
(2) by adding at the end the following new subsection:
``(f) Telecommunications Carriers and Cable Operators.--
``(1) Enforcement by commission.--Notwithstanding section
4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C.
44, 45(a)(2), 46), or any jurisdictional limitation of the
Commission, the Commission shall also enforce this Act and the
regulations promulgated under this Act, in the same manner
provided in subsection (d), with respect to common carriers
subject to the Communications Act of 1934 (47 U.S.C. 151 et
seq.) and Acts amendatory thereof and supplementary thereto.
``(2) Relationship to other law.--To the extent that
section 222, 338(i), or 631 of the Communications Act of 1934
(47 U.S.C. 222, 338(i), 551) is inconsistent with this title,
this title controls.''.
SEC. 4. FAIR INFORMATION PRACTICES PRINCIPLES.
(a) In General.--The Fair Information Practices Principles
described in this section are the following:
(1) Collection limitation principle.--Except as provided in
paragraph (3), personal information should be collected from a
child or teen only when collection of the personal information
is--
(A) consistent with the context of a particular
transaction or service or the relationship of the child
or teen with the operator, including collection
necessary to fulfill a transaction or provide a service
requested by the child or teen; or
(B) required or specifically authorized by law.
(2) Data quality principle.--The personal information of a
child or teen should be accurate, complete, and kept up-to-date
to the extent necessary to fulfill the purposes described in
subparagraphs (A) through (D) of paragraph (3).
(3) Purpose specification principle.--The purposes for
which personal information is collected and used should be
specified to the parent of a child or to a teen not later than
at the time of the collection of the information. The
subsequent use or disclosure of the information should be
limited to--
(A) fulfillment of the transaction or service
requested by the teen or parent of the child;
(B) support for the internal operations of the
website, service, or application, as described in
section 312.2 of title 16, Code of Federal Regulations
(as in effect on the date of enactment of this Act),
excluding any activity relating to targeted marketing
directed to children, teens, or a device of a child or
teen if the support for internal operations in
consistent with the interest of the child or teen;
(C) compliance with legal process or other purposes
expressly authorized under specific legal authority; or
(D) other purposes--
(i) that are specified in a notice to the
teen or parent of the child; and
(ii) to which the teen or parent of the
child has consented under paragraph (7) before
the information is used or disclosed for such
other purposes.
(4) Retention limitation principle.--
(A) In general.--The personal information of a
child or teen should not be retained for longer than is
necessary to fulfill a transaction or provide a service
requested by the child or teen or such other purposes
specified in subparagraphs (A) through (D) of paragraph
(3).
(B) Data disposal.--The operator should implement a
reasonable and appropriate data disposal policy based
on the nature and sensitivity of personal information
described in subparagraph (A).
(5) Security safeguards principle.--The personal
information of a child or teen should be protected by
reasonable and appropriate security safeguards against risks
such as loss or unauthorized access, destruction, use,
modification, or disclosure.
(6) Transparency principle.--
(A) General principle.--The operator should be
transparent about developments, practices, and policies
with respect to the personal information of a child or
teen.
(B) Provision of information.--The operator should
provide to each parent of a child, or to each teen,
using the website, online service, online application,
mobile application, or connected device of the operator
with a clear and prominent means--
(i) to identify and contact the operator,
by, at a minimum, disclosing, clearly and
prominently, the identity of the operator and--
(I) in the case of an operator who
is an individual, the address of the
principal residence (but not a personal
residence) of the operator and an email
address or online contact form and
telephone number for the operator; or
(II) in the case of any other
operator, the address of the principal
place of business of the operator and
an email address or online contact form
and telephone number for the operator;
(ii) to determine whether the operator
possesses any personal information of the child
or teen, the nature of any such information,
and the purposes for which the information was
collected and is being retained;
(iii) to obtain any personal information of
the child or teen that is in the possession of
the operator from the operator, or from a
person specified by the operator, within a
reasonable time after making a request, at a
charge (if any) that is not excessive, in a
reasonable manner, and in a form that is
readily intelligible to the child or teen;
(iv) to challenge the accuracy of personal
information of the child or teen that is in the
possession of the operator;
(v) to determine if the child or teen has
established the inaccuracy of personal
information in a challenge under clause (iv) in
order to have such information erased,
corrected, completed, or otherwise amended; and
(vi) to determine the method by which the
operator obtains data relevant to the child or
teen.
(C) Limitation.--Nothing in this paragraph shall be
construed to permit an operator to erase or otherwise
modify personal information requested by a law
enforcement agency pursuant to legal authority.
(7) Individual participation principle.--The operator
should--
(A) obtain consent from a parent of a child or from
a teen before using or disclosing the personal
information of the child or teen for any purpose other
than the purposes described in subparagraph (A) of
paragraph (3); and
(B) obtain affirmative express consent from a
parent of a child or from a teen before using or
disclosing previously collected personal information of
the child or teen for purposes that constitute a
material change in practice from the original purposes
specified to the child or teen under paragraph (3).
(8) Racial and socioeconomic profiling.--The personal
information of a child or teen shall not be used to direct
content to the child or teen, or a group of individuals similar
to the child or teen, on the basis of race, socioeconomic
factors, or any proxy thereof.
(b) Rule of Construction.--Nothing in this section, including
compliance with the Fair Information Principles, shall be construed to
permit an operator to avoid compliance with other requirements set
forth in this Act or the Children's Online Privacy Protection Act (15
U.S.C. 6501 et seq.).
SEC. 5. DIGITAL MARKETING BILL OF RIGHTS FOR TEENS.
(a) Acts Prohibited.--
(1) Prohibition.--
(A) In general.--Except as provided in subparagraph
(B), it shall be unlawful for an operator of a website,
online service, online application, mobile application,
or connected device to collect personal information
from a user if--
(i) the user is reasonably likely to be a
teen; or
(ii) the website, online service, online
application, mobile application, or connected
device is directed to teens.
(B) Exception.--Subparagraph (A) shall not apply to
an operator that has adopted and complies with a
Digital Marketing Bill of Rights for Teens that meets
the Fair Information Practices Principles described in
section 4.
(2) Effective date.--This subsection shall take effect on
the date that is 180 days after the promulgation of regulations
under subsection (b).
(b) Regulations.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate, under
section 553 of title 5, United States Code, regulations to
implement this section, including regulations further defining
the Fair Information Practices Principles described in section
4.
(2) Updates.--Not less frequently than once every 4 years
after the date on which regulations are promulgated under
paragraph (1), the Commission shall review and update those
regulations as necessary.
SEC. 6. TARGETED MARKETING TO CHILDREN AND TEENS.
(a) Prohibited Acts With Respect to Children and Teens.--It shall
be unlawful for an operator of a website, online service, online
application, mobile application, or connected device to collect, use,
disclose to third parties, or compile personal information of a user
for purposes of targeted marketing (or to allow another person to
collect, use, disclose, or compile such information for such purpose)
if--
(1) such use, disclosure, or compiling of personal
information involves or is reasonably likely to involve
collection of personal information from a child or teen; or
(2) the website, online service, online application, mobile
application, or connected device is directed to children or
teens.
(b) Effective Date.--This section shall take effect on the date
that is 180 days after the date of enactment of this Act.
SEC. 7. REMOVAL OF CONTENT.
(a) Acts Prohibited.--It is unlawful for an operator to make, or
enable a child or teen to make, publicly available through a website,
online service, online application, mobile application, or connected
device content or information that contains or displays personal
information of children or teens in a manner that violates subsection
(b).
(b) Requirement.--
(1) In general.--An operator, to the extent technologically
feasible, shall--
(A) implement mechanisms that permit a user of the
website, online service, online application, mobile
application, or connected device of the operator (and,
in the case of a user that is a child, a parent of that
user) to erase or otherwise eliminate content or
information that is--
(i) submitted to the website, online
service, online application, mobile
application, or connected device by that user;
(ii) publicly available through the
website, online service, online application,
mobile application, or connected device; and
(iii) contains or displays personal
information of children or teens; and
(B) take appropriate steps to--
(i) make users and parents of users who are
children aware of the mechanisms described in
subparagraph (A); and
(ii) provide notice to users and parents of
users who are children that the mechanisms
described in subparagraph (A) do not
necessarily provide comprehensive removal of
the content or information submitted by users.
(2) Exceptions.--Paragraph (1) shall not be construed to
require an operator or third party to erase or otherwise
eliminate content or information that--
(A) any other provision of Federal or State law
requires the operator or third party to maintain; or
(B) was submitted to the website, online service,
online application, mobile application, or connected
device of the operator by any person other than the
user who is attempting to erase or otherwise eliminate
the content or information, including content or
information submitted by the user that was republished
or resubmitted by another person.
(c) Limitation.--Nothing in this section shall be construed to
limit the authority of a law enforcement agency to obtain any content
or information from an operator as authorized by law or pursuant to an
order of a court of competent jurisdiction.
(d) Effective Date.--This section shall take effect on the date
that is 180 days after the date of enactment of this Act.
SEC. 8. RULE FOR TREATMENT OF USERS OF WEBSITES, SERVICES, AND
APPLICATIONS DIRECTED TO CHILDREN OR TEENS.
For the purposes of this Act, an operator of a website, online
service, online application, mobile application, or connected device
that is directed to children or teens shall treat each user of that
website, online service, online application, mobile application, or
connected device as a child or teen, except as permitted by the
Commission pursuant to a regulation promulgated under this Act, and
except to the extent the website, online service, online application,
mobile application, or connected device is deemed directed to mixed
audiences.
SEC. 9. STUDY OF MOBILE AND ONLINE APPLICATION OVERSIGHT.
Not later than 3 years after the date of enactment of this Act, the
Commission shall submit to each committee of the Senate and each
committee of the House of Representatives that has jurisdiction over
the Commission a report on the processes of platforms that offer mobile
and online applications for ensuring that, of those applications that
are directed to children or teens, the applications operate in
accordance with--
(1) this Act, the amendments made by this Act, and rules
promulgated under this Act; and
(2) rules promulgated by the Commission under section 5 of
the Federal Trade Commission Act (15 U.S.C. 45) relating to
unfair or deceptive acts or practices in marketing.
SEC. 10. YOUTH PRIVACY AND MARKETING DIVISION.
(a) Establishment.--There is established within the Commission a
division to be known as the Youth Privacy and Marketing Division.
(b) Director.--The Youth Privacy and Marketing Division shall be
headed by a Director.
(c) Duties.--The Youth Privacy and Marketing Division established
under subsection (a) shall be responsible for assisting the Commission
to address, as it relates to this Act and the amendments made by this
Act--
(1) the privacy of children and teens; and
(2) marketing directed at children and teens.
(d) Staff.--The Director of the Youth Privacy and Marketing
Division shall hire adequate staff to carry out the duties under
subsection (c), including individuals who are experts in data
protection, digital advertising, data analytics, and youth development.
(e) Reports.--Not later than 1 year after the date of enactment of
this Act, and each year thereafter, the Director of the Youth and
Privacy Marketing Division shall submit to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee on Energy
and Commerce of the House of Representatives a report that includes--
(1) a description of the work of the Youth Privacy and
Marketing Division on emerging concerns relating to youth
privacy and marketing practices; and
(2) an assessment of how effectively the Commission has,
during the period for which the report is submitted, addressed
youth privacy and marketing practices.
SEC. 11. ENFORCEMENT AND APPLICABILITY.
(a) Enforcement by the Commission.--
(1) In general.--Except as otherwise provided, this Act and
the regulations prescribed under this Act shall be enforced by
the Commission under the Federal Trade Commission Act (15
U.S.C. 41 et seq.).
(2) Unfair or deceptive acts or practices.--Subject to
subsection (b), a violation of this Act or a regulation
prescribed under this Act shall be treated as a violation of a
rule defining an unfair or deceptive act or practice prescribed
under section 18(a)(1)(B) of the Federal Trade Commission Act
(15 U.S.C. 57a(a)(1)(B)).
(3) Actions by the commission.--
(A) In general.--Subject to subsection (b), and
except as provided in subsection (d)(1), the Commission
shall prevent any person from violating this Act or a
regulation prescribed under this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act, and any person who
violates this Act or such regulation shall be subject
to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission
Act.
(B) Violations.--Notwithstanding section 5(m) of
the Federal Trade Commission Act (15 U.S.C. 45(m)), a
civil penalty recovered for a violation of this Act or
a regulation prescribed under this Act may be in excess
of the amounts provided for in that section as the
court finds appropriate to deter violations of this Act
and regulations prescribed under this Act.
(b) Enforcement by Certain Other Agencies.--Notwithstanding
subsection (a), compliance with the requirements imposed under this Act
shall be enforced as follows:
(1) Under section 8 of the Federal Deposit Insurance Act
(12 U.S.C. 1818) by the appropriate Federal banking agency,
with respect to an insured depository institution (as such
terms are defined in section 3 of such Act (12 U.S.C. 1813)).
(2) Under the Federal Credit Union Act (12 U.S.C. 1751 et
seq.) by the National Credit Union Administration Board, with
respect to any Federal credit union.
(3) Under part A of subtitle VII of title 49, United States
Code, by the Secretary of Transportation, with respect to any
air carrier or foreign air carrier subject to such part.
(4) Under the Packers and Stockyards Act, 1921 (7 U.S.C.
181 et seq.) (except as provided in section 406 of that Act (7
U.S.C. 226, 227)) by the Secretary of Agriculture, with respect
to any activities subject to that Act.
(5) Under the Farm Credit Act of 1971 (12 U.S.C. 2001 et
seq.) by the Farm Credit Administration, with respect to any
Federal land bank, Federal land bank association, Federal
intermediate credit bank, or production credit association.
(c) Enforcement by State Attorneys General.--
(1) In general.--
(A) Civil actions.--In any case in which the
attorney general of a State has reason to believe that
an interest of the residents of that State has been or
is threatened or adversely affected by the engagement
of any person in a practice that violates this Act or a
regulation prescribed under this Act, the State, as
parens patriae, may bring a civil action on behalf of
the residents of the State in a district court of the
United States of appropriate jurisdiction to--
(i) enjoin that practice;
(ii) enforce compliance with this Act or
such regulation;
(iii) obtain damages, restitution, or other
compensation on behalf of residents of the
State; or
(iv) obtain such other relief as the court
may consider to be appropriate.
(B) Notice.--
(i) In general.--Before filing an action
under subparagraph (A), the attorney general of
the State involved shall provide to the
Commission--
(I) written notice of that action;
and
(II) a copy of the complaint for
that action.
(ii) Exemption.--
(I) In general.--Clause (i) shall
not apply with respect to the filing of
an action by an attorney general of a
State under this paragraph if the
attorney general of the State
determines that it is not feasible to
provide the notice described in that
clause before the filing of the action.
(II) Notification.--In an action
described in subclause (I), the
attorney general of a State shall
provide notice and a copy of the
complaint to the Commission at the same
time as the attorney general files the
action.
(2) Intervention.--
(A) In general.--On receiving notice under
paragraph (1)(B), the Commission shall have the right
to intervene in the action that is the subject of the
notice.
(B) Effect of intervention.--If the Commission
intervenes in an action under paragraph (1), it shall
have the right--
(i) to be heard with respect to any matter
that arises in that action; and
(ii) to file a petition for appeal.
(3) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(4) Actions by the commission.--In any case in which an
action is instituted by or on behalf of the Commission for
violation of this Act or a regulation prescribed under this
Act, no State may, during the pendency of that action,
institute a separate action under paragraph (1) against any
defendant named in the complaint in the action instituted by or
on behalf of the Commission for that violation.
(5) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in the district court of the United
States that meets applicable requirements relating to
venue under section 1391 of title 28, United States
Code.
(B) Service of process.--In an action brought under
paragraph (1), process may be served in any district in
which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) Telecommunications Carriers and Cable Operators.--
(1) Enforcement by commission.--Notwithstanding section 4,
5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C.
44, 45(a)(2), 46) or any jurisdictional limitation of the
Commission, the Commission shall also enforce this Act and
regulations promulgated under this Act, in the same manner
provided in paragraph (a), with respect to common carriers
subject to the Communications Act of 1934 (47 U.S.C. 151 et
seq.) and Acts amendatory thereof and supplementary thereto.
(2) Relationship to other laws.--To the extent that section
222, 338(i), or 631 of the Communications Act of 1934 (47
U.S.C. 222, 338(i), 551) is inconsistent with this Act, this
Act controls.
(e) Safe Harbors.--
(1) Definition.--In this subsection--
(A) the term ``applicable section'' means section
5, 6, 7, or 8 of this Act;
(B) the term ``covered operator'' means an operator
subject to guidelines approved under paragraph (2);
(C) the term ``requesting entity'' means an entity
that submits a safe harbor request to the Commission;
and
(D) the term ``safe harbor request'' means a
request to have self-regulatory guidelines described in
paragraph (2)(A) approved under that paragraph.
(2) Guidelines.--
(A) In general.--An operator may satisfy the
requirements of regulations issued under an applicable
section by following a set of self-regulatory
guidelines, issued by representatives of the marketing
or online industries, or by other persons, that, after
notice and an opportunity for comment, are approved by
the Commission upon making a determination that the
guidelines meet the requirements of the regulations
issued under that applicable section.
(B) Expedited response to requests.--Not later than
180 days after the date on which a safe harbor request
is filed under subparagraph (A), the Commission shall
act upon the request set forth in writing the
conclusions of the Commission with regard to the
request.
(C) Appeals.--A requesting entity may appeal the
final action of the Commission under subparagraph (B),
or a failure by the Commission to act in the period
described in that paragraph, to a district court of the
United States of appropriate jurisdiction, as provided
for in section 706 of title 5, United States Code.
(3) Incentives.--
(A) Self-regulatory incentives.--In prescribing
regulations under an applicable section, the Commission
shall provide incentives for self-regulation by covered
operators to implement the protections afforded
children and teens, as applicable, under the regulatory
requirements described in those sections.
(B) Deemed compliance.--The incentives under
subparagraph (A) shall include provisions for ensuring
that a covered operator will be deemed to be in
compliance with the requirements of the regulations
under an applicable section if that person complies
with guidelines approved under paragraph (2).
(4) Regulations.--
(A) In general.--In prescribing regulations
relating to safe harbor guidelines under an applicable
section, the Commission shall--
(i) establish criteria for the approval of
guidelines that will ensure that a covered
operator provides substantially the same or
greater protections for children and teens, as
applicable, as those contained in the
regulations issued under the applicable
section; and
(ii) subject to subsection (B), require
that any report or documentation required to be
submitted to the Commission by a covered
operator or requesting entity will be published
on the internet website of the Commission.
(B) Restrictions on publication.--The restrictions
described in subsection (f) of section 6 of the Federal
Trade Commission Act (15 U.S.C. 46(f)) applicable to
the publication of information obtained by the
Commission through investigations conducted under such
section shall apply in same manner to the publication
under this paragraph of information included in a
report or documentation described in subparagraph (A).
(5) Report by the inspector general.--
(A) In general.--Not later than 2 years after the
date of enactment of this Act, and once each 2 years
thereafter, the Inspector General of the Commission
shall submit to the Commission and each committee of
the Senate and each committee of the House of
Representatives that has jurisdiction over the
Commission a report regarding the safe harbor
provisions under this subparagraph, which shall
include--
(i) an analysis of whether the safe harbor
provisions are--
(I) operating fairly and
effectively; and
(II) effectively protecting the
interests of children and teens; and
(ii) proposals for policy changes that
would improve the effectiveness of the safe
harbor provisions.
(B) Publication.--Not later than 10 days after the
date on which a report under subparagraph (A) is
submitted, the Commission shall publish the report on
the internet website of the Commission.
(f) Effective Date.--This section shall take effect on the date
that is 90 days after the date of enactment of this Act.
(g) Rule of Construction.--Nothing in this Act may be construed to
authorize any action by the Commission that would violate section 18(h)
of the Federal Trade Commission Act (15 U.S.C. 57a(h)).
SEC. 12. GAO STUDY.
(a) Study.--The Comptroller General of the United States (in this
section referred to as the ``Comptroller General'') shall conduct a
study on the privacy of teens who use financial technology products.
Such study shall--
(1) identify the type of financial technology products that
teens are using;
(2) identify the potential risks to teens' privacy from
using such financial technology products; and
(3) determine whether existing laws are sufficient to
address such risks to teens' privacy.
(b) Report.--Not later than 1 year after the date of enactment of
this section, the Comptroller General shall submit to Congress a report
containing the results of the study conducted under subsection (a),
together with recommendations for such legislation and administrative
action as the Comptroller General determines appropriate.
<all>