[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2657 Introduced in House (IH)]

119th CONGRESS
1st Session

H. R. 2657

To require large social media platform providers to create, maintain, and make available to third-party safety software providers a set of real-time application programming interfaces, through which a child or a parent or legal guardian of a child may delegate permission to a third-party safety software provider to manage the online interactions, content, and account settings of such child on the large social media platform on the same terms as such child, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

April 3, 2025

Ms. Wasserman Schultz (for herself, Mr. Carter of Georgia, Ms. Schrier, Mrs. Miller-Meeks, Mr. Suozzi, and Mr. Fitzpatrick) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To require large social media platform providers to create, maintain, and make available to third-party safety software providers a set of real-time application programming interfaces, through which a child or a parent or legal guardian of a child may delegate permission to a third-party safety software provider to manage the online interactions, content, and account settings of such child on the large social media platform on the same terms as such child, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Sammy's Law''.

SEC. 2. SENSE OF CONGRESS.
    It is the sense of Congress that--
        (1) parents and legal guardians should be empowered to use the services of third-party safety software providers to protect the children of such parents and legal guardians from certain harms on large social media platforms; and
        (2) dangers like cyberbullying, human trafficking, illegal drug distribution, sexual harassment, and violence perpetrated, facilitated, or exacerbated through the use of certain large social media platforms have harmed children on such platforms.

SEC. 3. DEFINITIONS.

    In this Act:
        (1) Child.--The term ``child'' means any individual under the age of 17 years who has registered an account with a large social media platform.
        (2) Commerce.--The term ``commerce'' has the meaning given such term in section 4 of the Federal Trade Commission Act (15 U.S.C. 44).
        (3) Commission.--The term ``Commission'' means the Federal Trade Commission.
        (4) Large social media platform.--The term ``large social media platform''--
            (A) means a service--
                (i) provided through an internet website or a mobile application (or both);
                (ii) the terms of service of which do not prohibit the use of the service by a child;
                (iii) with any feature or features that enable a child to share images, text, or video through the internet with other users of the service whom such child has met, identified, or become aware of solely through the use of the service; and
                (iv) that has more than 100,000,000 monthly global active users or generates more than $1,000,000,000 in gross revenue per year, adjusted yearly for inflation; and
            (B) does not include--
                (i) a service that primarily serves--
                    (I) to facilitate--
                        (aa) the sale or provision of professional services; or
                        (bb) the sale of commercial products; or
                    (II) to provide news or information, where the service does not offer the ability for content to be sent by a user directly to a child; or
                (ii) a service that--
                    (I) has a feature that enables a user who communicates directly with a child through a message
                    (including a text, audio, or video message) not otherwise available to other users of the service to add other users to that message that such child may not have otherwise met, identified, or become aware of solely through the use of the service; and
                    (II) does not have any feature or features described in subparagraph (A)(iii).
        (5) Large social media platform provider.--The term ``large social media platform provider'' means any person who, for commercial purposes in or affecting commerce, provides, manages, operates, or controls a large social media platform.
        (6) State.--The term ``State'' means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.
        (7) Third-party safety software provider.--The term ``third-party safety software provider'' means any person who, for commercial purposes in or affecting commerce, is authorized by a child (if the child is 13 years of age or older) or a parent or legal guardian of a child to interact with a large social media platform to manage the online interactions, content, or account settings of such child for the sole purpose of protecting such child from harm, including physical or emotional harm.
        (8) User data.--The term ``user data'' means any information needed to have a profile on a large social media platform or content on a large social media platform, including images, video, audio, or text, that is created by or sent to a child on or through the account of such child with such platform, but only--
            (A) if the information or content is created by or sent to such child while a delegation under section 4(a) is in effect with respect to the account; and
            (B) during a 30-day period beginning on the date on which the information or content is created by or sent to such child.

SEC. 4. PROVIDING ACCESS TO THIRD-PARTY SAFETY SOFTWARE.
    (a) Duty of Large Social Media Platform Providers.--
        (1) In general.--Not later than 30 days after the effective date of this Act (in the case of a service that is a large social media platform on such effective date) or not later than 30 days after a service becomes a large social media platform (in the case of a service that becomes a large social media platform after such effective date), the large social media platform provider shall create, maintain, and make available to any third-party safety software provider registered with the Commission under subsection (b)(1) a set of third-party-accessible real-time application programming interfaces, including any information necessary to use such interfaces, by which a child (if the child is 13 years of age or older) or a parent or legal guardian of a child may delegate permission to the third-party safety software provider to--
            (A) manage the online interactions, content, and account settings of such child on the large social media platform on the same terms as such child; and
            (B) initiate secure transfers of user data from the large social media platform in a commonly-used and machine-readable format to the third-party safety software provider, where the frequency of such transfers may not be limited by the large social media platform provider to less than once per hour.
        (2) Revocation.--Once a child or a parent or legal guardian of a child makes a delegation under paragraph (1), the large social media platform provider shall make the application programming interfaces and information described in such paragraph available to the third-party safety software provider on an ongoing basis until--
            (A) the child (if the child made the delegation) or the parent or legal guardian of such child revokes the delegation;
            (B) the child or a parent or legal guardian of such child revokes or disables the registration of the account of such child with the large social media platform;
            (C) the third-party safety software provider rejects the delegation; or
            (D) one or more of the affirmations made by the third-party safety software provider under subsection (b)(1)(A) is no longer true.
        (3) Secure transfer of user data.--A large social media platform provider shall establish and implement reasonable policies, practices, and procedures regarding the secure transfer of user data pursuant to a delegation under paragraph (1) from the large social media platform to a third-party safety software provider in order to mitigate any risks related to user data.
        (4) Disclosure.--In the case of a delegation made by a child or a parent or legal guardian of a child under paragraph (1) with respect to the account of such child with a large social media platform, the large social media platform provider shall--
            (A) disclose to such child and (if the parent or legal guardian made the delegation) the parent or legal guardian the fact that the delegation has been made;
            (B) provide to such child and (if such parent or legal guardian made the delegation) such parent or legal guardian a summary of the user data that is transferred to the third-party safety software provider; and
            (C) update the summary provided under subparagraph (B) as necessary to reflect any change to the user data that is transferred to the third-party safety software provider.
        (5) Limitation.--Any management by a third-party safety software provider of online interactions, content, and account settings of a child under this subsection shall be limited to such management that protects such child from harm, including the optimization of the privacy settings of the account, stated user age, and marketing settings of the child.
    (b) Third-Party Safety Software Providers.--
        (1) Registration with commission.--A third-party safety software provider shall register with the Commission as a condition of accessing an application programming interface and any information under subsection (a). As a condition of such registration, the third-party safety software provider shall--
            (A) satisfactorily demonstrate to the Commission that the third-party safety software provider--
                (i) is a company based in the United States;
                (ii) is not a subsidiary of any foreign-owned company or otherwise controlled by a foreign person or persons;
                (iii) will solely use any user data obtained under subsection (a) for the purpose of protecting a child from harm in accordance with any applicable terms of service and the provisions of this Act;
                (iv) will only disclose user data obtained under subsection (a) as permitted by subsection (f);
                (v) will process and maintain all user data obtained under subsection (a) and copies of any communications generated in relation thereto exclusively on hardware and devices located within the territorial boundaries of the United States;
                (vi)(I) will delete any user data obtained under this section as soon as possible but not later than 14 days after receiving such data from the large social media platform, not including any data the third-party safety software provider discloses under subsection (f);
                    (II) for any data disclosed under subsection (f)(1)(C), will maintain such data until the child or a parent or legal guardian of the child who made a delegation under subsection (a) and whose data is at issue requests that the third-party safety
                    software provider delete such data; and
                    (III) in the event that the child or a parent or legal guardian of the child who made a delegation under subsection (a) cancels their account with the third-party safety software provider, will delete all applicable user data no later than 30 days after the request for account cancellation has been made; and
                (vii) will disclose, in an easy-to-understand, human-readable format, to each child with respect to whose account with a large social media platform the service of the third-party safety software provider is operating and (if a parent or legal guardian of the child made the delegation under subsection (a) with respect to the account) to the parent or legal guardian, sufficient information detailing the operation of the service and what information the third-party safety software provider is collecting to enable such child and (if applicable) such parent or legal guardian to make informed decisions regarding the use of the service; and
            (B) as part of the registration process, undergo a security review in such form as the Commission may proscribe but which may include requiring that a qualified independent auditing firm conduct such a review to independently verify and confirm via a written report (which shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code) that the third-party safety software provider--
                (i) is in compliance, or has the ability to comply, with the requirements of subparagraph (A);
                (ii) is able to provide services in accordance with any applicable terms of service and any relevant disclosures made to any consumer, including whether such terms and disclosures are clear and conspicuous and are written in plain and easy-to-understand English;
                (iii) has taken appropriate steps to assess potential risks and to protect the confidentiality, integrity, and security of any user data, including a determination of the adequacy of business and technology-related controls, policies,
                procedures, and other safeguards employed by the third-party safety software provider based on guidance issued by the Commission and other industry standards and best practices; and
                (iv) assesses compliance with applicable Federal law, including the requirements of this Act.
        (2) Annual audit.--
            (A) Audit process; audit report.--For each year or partial year during which a third-party safety software provider is registered with the Commission under paragraph (1), the third-party safety software provider shall retain the services of a qualified independent auditing firm to complete an annual audit and write an audit report (which shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code), and such audit report shall--
                (i) include a review and assessment of the third-party safety software provider's initial security review and any subsequent written reports, including whether the third-party safety software provider has remained in compliance with the requirements described in paragraph (1)(B); and
                (ii) identify whether the third-party safety software provider has made any material changes in how the third-party safety software provider provides services, and in the event of any such material changes, provide an explanation as to how such changes have impacted users.
            (B) Submission to commission.--Not later than 30 days after the date on which an audit report is written under subparagraph (A), a third-party safety software provider shall submit to the Commission--
                (i) a full copy of such audit report; and
                (ii) a summary of such audit report that may contain redactions to protect the proprietary information and trade secrets of the third-party safety software provider.
            (C) Audit review by commission.--The Commission shall--
                (i) review each audit report submitted by a third-party safety software provider under subparagraph (B)(i) to verify compliance;
                (ii) make a copy of the summary of such audit report submitted by a third-party safety software provider under subparagraph (B)(ii) available to the public; and
                (iii) in the event an audit required under subparagraph (A) detects an unusual finding, direct a third-party safety software provider to promptly investigate and resolve the matter.
        (3) Additional authority of commission.--In addition to the jurisdiction, powers, and duties of the Commission otherwise provided under this Act and any other provision of law, the Commission may take an adverse action against a third-party safety software provider, including by--
            (A) denying an initial registration for the third-party safety software provider under paragraph (1);
            (B) permanently de-registering the third-party safety software provider; and
            (C) suspending the registration of the third-party safety software provider due to an audit finding of a material risk to the security of the data or safety of the public, including for--
                (i) willful misconduct or gross negligence by the third-party safety software provider;
                (ii) a material misrepresentation made by a third-party safety software provider to the Commission or to any consumer;
                (iii) failure by the third-party safety software provider to comply with any requirements of this Act or failure to operate in accordance with the affirmations, assertions, representations, or terms of any security review, audit, terms of services, or consumer disclosures;
                (iv) failure by the third-party safety software provider to respond to an unusual finding in an annual audit completed under paragraph (2)(A); and
                (v) failure by the third-party safety software provider to adhere to or implement guidance issued by the Commission.
        (4) Rights of third-party safety software providers.--
            (A) In general.--In the event the Commission takes an adverse action against a third-party safety software provider under paragraph (3), the Commission shall give the third-party safety software provider--
                (i) the opportunity to appeal the findings of the auditor or such action of the Commission; and
                (ii) the opportunity to remediate any deficiencies, except in the case of a finding of--
                    (I) willful misconduct;
                    (II) gross negligence; or
                    (III) a demonstrated history of multiple failures in relation to the types of material risk described in paragraph (3)(C)(ii) through (3)(C)(v).
            (B) Exception.--The rights described in subparagraph (A) shall not prevent the Commission from suspending the registration of a third-party safety software provider to protect the public from ongoing material risk for the period during which the third-party safety software provider is in the process of exercising the rights described in paragraph (4).
    (c) Authentication.--Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance to facilitate the ability of a third-party safety software provider to obtain user data or access under subsection (a) in a manner that ensures that a request for user data or access on behalf of a child is a verifiable request.
    (d) Guidance and Consumer Education.--The Commission shall--
        (1) not later than 180 days after the date of the enactment of this Act, issue guidance for large social media platform providers and third-party safety software providers regarding the maintenance of reasonable safety standards to protect user data; and
        (2) educate consumers regarding the rights of consumers under this Act.
    (e) Indemnification.--In any civil action in Federal or State court (other than an action brought by the Commission), a large social media platform provider may not be held liable for damages arising out of the transfer of user data to a third-party safety software provider under subsection (a), if the large social media platform provider has in good faith complied with the requirements of this Act and the guidance issued by the Commission under this Act.
    (f) User Data Disclosure.--
        (1) Permitted disclosures.--A third-party safety software provider may not disclose any user data obtained under subsection (a) to any other person except--
            (A) pursuant to a lawful request from a government body, including for law enforcement purposes or for judicial or administrative proceedings by means of a court order or a court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena;
            (B) to the extent that such disclosure is required by law and such disclosure complies with and is limited to the relevant requirements of such law;
            (C) to the child or a parent or legal guardian of the child who made a delegation under such subsection and whose data is at issue, with such third-party safety software provider making a good faith effort to ensure that such disclosure includes only the user data necessary for a reasonable parent or caregiver to understand that such child is experiencing (or is at foreseeable risk to experience) the following harms--
                (i) suicide;
                (ii) anxiety;
                (iii) depression;
                (iv) eating disorders;
                (v) violence, including being the victim of or planning to commit or facilitate assault;
                (vi) substance abuse;
                (vii) fraud;
                (viii) severe forms of trafficking in persons (as defined in section 103 of the Trafficking Victims Protection Act of 2000 (22 U.S.C.
                7102));
                (ix) sexual abuse;
                (x) physical injury;
                (xi) harassment;
                (xii) sexually explicit conduct or child pornography (as defined in section 2256 of title 18, United States Code);
                (xiii) terrorism (as defined in section 140(d) of the Foreign Relations Authorization Act, Fiscal Years 1988 and 1989 (22 U.S.C. 2656f(d))), including communications with or in support of a foreign terrorist organization (as designated by the Secretary of State under section 219(a) of the Immigration and Nationality Act (8 U.S.C. 1189(a)));
                (xiv) academic dishonesty, including cheating, plagiarism, and other forms of academic dishonesty that are intended to gain an unfair academic advantage; and
                (xv) sharing personal information, limited to--
                    (I) home address;
                    (II) phone number;
                    (III) social security number; and
                    (IV) personal banking information;
            (D) in the case of a reasonably foreseeable serious and imminent threat to the health or safety of any individual, if the disclosure is made to a person or persons reasonably able to prevent or lessen the threat; or
            (E) to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
        (2) Disclosure reporting.--A third-party safety software provider that makes a disclosure permitted by paragraph (1)(A), (1)(B), (1)(D), or (1)(E) shall promptly inform the child with respect to whose account with a large social media platform the delegation was made under subsection (a) and (if a parent or legal guardian of the child made the delegation) the parent or legal guardian that such a disclosure has been or will be made, except if--
            (A) the third-party safety software provider, in the exercise of professional judgment, believes informing such child or parent or legal guardian would place such child at risk of serious harm; or
            (B) the third-party safety software provider is prohibited by law (including a valid order by a court or administrative body) from informing such child or parent or legal guardian.

SEC. 5. IMPLEMENTATION AND ENFORCEMENT.

    (a) Enforcement.--
        (1) Unfair or deceptive acts or practices.--A violation of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
        (2) Powers of commission.--
            (A) In general.--The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
            (B) Privileges and immunities.--Any person who violates this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
        (3) Preservation of authority.--Nothing in this Act may be construed to limit the authority of the Commission under any other provision of law.
    (b) FTC Guidance.--Not later than 180 days after the date of the enactment of this Act, the Commission shall issue guidance to assist large social media platform providers and third-party safety software providers in complying with this Act.
    (c) Compliance Assessment.--The Commission, on a biannual basis, shall assess compliance by large social media platform providers and third-party safety software providers with the provisions of this Act.
    (d) Complaints.--The Commission shall establish procedures under which a child, or the parent or legal guardian of such child, a large social media platform provider, or a third-party safety software provider may file a complaint alleging that a large social media platform provider or a third-party safety software provider has violated this Act.

SEC. 6. ONE NATIONAL STANDARD.

    (a) In General.--No State or political subdivision of a State may maintain, enforce, prescribe, or continue in effect any law, rule, regulation, requirement, standard, or other provision having the force and effect of law of the State, or political subdivision of a State, related to requiring large social media platform providers to create, maintain, and make available to third-party safety software providers a set of real-time application programming interfaces, through which a child or a parent or legal guardian of a child may delegate permission to a third-party safety software provider to manage the online interactions, content, and account settings of such child on a large social media platform on the same terms as such child.
    (b) Rule of Construction.--This section may not be construed to--
        (1) limit the enforcement of any consumer protection law of a State or political subdivision of a State;
        (2) preempt the applicability of State trespass, contract, or tort law; or
        (3) preempt the applicability of any State law to the extent that the law relates to acts of fraud, unauthorized access to personal information, or notification of unauthorized access to personal information.

SEC. 7. EFFECTIVE DATE.

    This Act shall take effect on the date on which the Commission issues guidance under section 5(b).