[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 1586 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 1586
To safeguard children by providing parents with clear and accurate
information about the apps downloaded and used by their children and to
ensure proper parental consent is achieved, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 1, 2025
Mr. Lee introduced the following bill; which was read twice and
referred to the Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To safeguard children by providing parents with clear and accurate
information about the apps downloaded and used by their children and to
ensure proper parental consent is achieved, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``App Store
Accountability Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. App store obligations.
Sec. 4. App developer obligations.
Sec. 5. Compliance.
Sec. 6. Enforcement by the Federal Trade Commission.
Sec. 7. Enforcement by States.
Sec. 8. Safe harbor.
Sec. 9. Preemption.
Sec. 10. Severability.
Sec. 11. Effective date.
SEC. 2. DEFINITIONS.
In this Act:
(1) Age category.--The term ``age category'' means the
category of an individual based on their age, including the
following categories:
(A) Adult.--An ``adult'' is such an individual who
has attained 18 years of age.
(B) Teenager.--A ``teenager'' is such an individual
who has attained 16 years of age but has not attained
18 years of age.
(C) Child.--A ``child'' is such an individual who
has attained 13 years of age but has not attained 16
years of age.
(D) Young child.--A ``young child'' is such an
individual who has not attained 13 years of age.
(2) Age category data.--The term ``age category data''
means information that identifies the age category of a user
and is collected by a covered app store provider and shared
with an app developer.
(3) Age rating.--The term ``age rating'' means a publicly
displayed assessment of an app's appropriateness for different
age categories.
(4) App.--The term ``app'' means a software application or
electronic service that may be run or directed by a user on a
computer, mobile device, or any other general purpose computing
device.
(5) App developer.--The term ``app developer'' means any
person that owns or controls an app on the app store of a
covered app store provider and is available in the United
States.
(6) App store.--The term ``app store'' means a publicly
available website, software application, or other electronic
service that distributes and facilitates the download onto a
mobile device of an app from a third-party developer by a user
of a computer, mobile device, or any other general purpose
computing device.
(7) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(8) Covered app store provider.--The term ``covered app
store provider'' means any person that owns or controls an app
store available in the United States and for which users in the
United States exceed 5,000,000.
(9) Know.--The term ``know'' means to have actual knowledge
or willful disregard.
(10) Minor.--The term ``minor'' means an individual who has
not attained 18 years of age.
(11) Mobile device.--The term ``mobile device'' means a
phone or general purpose tablet that provides cellular or
wireless connectivity, is capable of connecting to the
internet, runs a mobile operating system, and is capable of
running apps through the mobile operating system.
(12) Mobile operating system.--The term ``mobile operating
system'' means a set of software that manages mobile device
hardware resources, provides common services for mobile device
programs, controls memory allocation, and provides interfaces
for applications to access device functionality.
(13) Parent.--The term ``parent'', with respect to a minor,
means an adult with the legal right to make decisions on behalf
of the minor, including--
(A) a natural parent;
(B) an adoptive parent;
(C) a legal guardian; or
(D) an individual with legal custody over the
minor.
(14) Parental account.--The term ``parental account'' means
an account with a covered app store provider that is--
(A) verified to be established by an individual who
the app store provider has determined is at least 18
years of age through the covered app store provider's
age verification method or process; and
(B) affiliated with one or more account of a user
or prospective user who is a minor.
(15) Parental consent disclosure.--The term ``parental
consent disclosure'' means the following information that is
provided to a parent before obtaining parental consent--
(A) a description of--
(i) the personal data collected by the app
from a user; and
(ii) the personal data shared by the app
with a third party;
(B) a description of the measures taken by the app
developer to protect the confidentiality of the user's
personal data;
(C) if there is an age rating for the app or an in-
app purchase, the app's or in-app purchase's age
rating; and
(D) if there is a content description for the app
or in-app purchase, the app's or in-app purchase's
content description.
(16) Personal data.--The term ``personal data'' has the
same meaning as the term ``personal information'' as defined in
section 1302 of the Children's Online Privacy Protection Act
(15 U.S.C. 6501).
(17) Signal.--The term ``signal'' means age bracketed data
sent by a real-time secure application programming interface or
operating system that is likely to be accessed by minors.
(18) Significant change.--The term ``significant change''
means a material modification of an app's terms of service or
privacy policy that--
(A) changes the category of data collected or
stored;
(B) changes the category of data shared with an
unaffiliated third party that is not a service provider
or processor;
(C) alters the app's age rating or content
description;
(D) adds new monetization features, including in-
app purchases or advertisements; or
(E) changes the app's user experience or
functionality in a manner that a reasonable individual
would view as material.
(19) Verifiable parental consent.--The term ``verifiable
parental consent'' means authorization that is provided--
(A) by a parental account;
(B) in response to a clear and conspicuous parental
content disclosure; and
(C) signifies a parent's freely given, specific,
informed, and unambiguous agreement.
SEC. 3. APP STORE OBLIGATIONS.
(a) In General.--Each covered app store provider shall--
(1) at the time an individual creates an account with the
covered app store provider--
(A) request age information from the individual;
and
(B) verify the individual's age category using a
commercially available method or process that is
reasonably designed to ensure accuracy;
(2) if the age verification method or process determines
the individual is a minor--
(A) require the account to be affiliated with a
parental account; and
(B) obtain verifiable parental consent from the
holder of the affiliated parental account before
allowing the minor to download or purchase an app or
make an in-app purchase;
(3) after receiving notice of a significant change from an
app developer--
(A) notify the user of a significant change; and
(B) for a minor account, notify the holder of the
affiliated parental account and obtain a new verifiable
parental consent;
(4) provide to an app developer the user's age category and
the status of verified parental consent if the user is a minor;
(5) notify an app developer when a parent revokes
verifiable parental consent;
(6) protect the confidentiality of personal data related to
age verification by--
(A) limiting its collection, processing, and
storage to what is strictly necessary to verify a
user's age, obtain verifiable parental consent, or
maintain compliance records; and
(B) safeguarding personal data related to age
verification by adopting reasonable administrative,
technical, and physical safeguards to secure the
collection, processing, storage, and transmission of
this data, including through industry-standard
encryption;
(7) if a covered app store provider displays an age rating
or description of an app's content, the age rating and
description must be clearly and prominently displayed and be in
plain and concise language; and
(8) provide to an app developer the ability to determine,
in real time, the age category of any user and, with respect to
any user that is a minor, whether the covered app store
provider has obtained verifiable parental consent.
(b) Rules of Construction.--Nothing in this section shall be
construed--
(1) to prevent a covered app store provider from taking
reasonable measures to block, detect, or prevent the
distribution of unlawful or obscene material to minors, to
block or filter spam, to prevent criminal activity, or to
protect the security of an app store or app;
(2) to require a covered app store provider to disclose to
an app developer information other than such user's age
category and, with respect to any user that is a minor, whether
the covered app store provider has obtained verifiable parental
consent in accordance with this section;
(3) to allow a covered app store provider to use any
measures required by this section in a way that is arbitrary,
capricious, anti-competitive, or unlawful; or
(4) to affect or restrict the expression of political,
religious, or other viewpoints.
SEC. 4. APP DEVELOPER OBLIGATIONS.
(a) In General.--An app developer shall--
(1) verify through a covered app store's method or process
the age category of the app developer's users or potential
users and, for a minor account, whether verifiable parental
consent has been obtained;
(2) notify a covered app store provider of a significant
change to the app; and
(3) request age category data or verifiable parental
consent--
(A) at the time a potential app user downloads or
purchases an app;
(B) when the app developer implements a significant
change to the app; or
(C) to comply with an applicable law or regulation.
(b) App Developer Requests.--An app developer may request age
category data or verifiable parental consent--
(1) no more than once during each 12-month period to verify
the accuracy of user age verification data or continued account
use within the verified age category;
(2) when there is reasonable suspicion of account transfer
or misuse outside the verified age category; or
(3) at the time a user creates a new account with the app
developer.
(c) Permissible Uses.--An app developer may use age category data
to--
(1) enforce any app developer-created age-related
restrictions;
(2) ensure compliance with applicable laws and regulations;
and
(3) implement any app developer-created features or
defaults.
(d) Restrictions.--An app developer may not--
(1) enforce a contract or terms of service against a minor
unless the app developer has verified through the covered app
store provider that verifiable parental consent has been
obtained;
(2) knowingly misrepresent any material information in the
parental consent disclosure; or
(3) share age category data with an unaffiliated third
party that is not a service provider or processor.
(e) App Age Rating.--If an app developer provides an age rating or
description of an app's content to a covered app store or user, the age
rating or description must be in plain and concise language.
(f) Covered App Store Provider Signal.--
(1) In general.--Each app developer shall use a covered app
store provider's signal to determine the age category of a
user.
(2) Rule of construction.--Receipt of a covered app store
provider's signal serves as actual knowledge of a user's age
category.
SEC. 5. COMPLIANCE.
(a) Guidance.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Commission shall issue guidance to
assist covered app store providers and app developers in
complying with the requirements of this Act.
(2) Limitations.--
(A) No conferring of rights or binding effect.--Any
guidance issued by the Commission with respect to this
Act shall not confer any rights on any person, State,
or locality, nor shall such guidance operate to bind
the Commission or any person to the approach
recommended in such guidance.
(B) Basis of enforcement actions.--In any
enforcement action brought pursuant to this Act, the
Commission shall allege a specific violation of a
provision of this Act. The Commission may not base an
enforcement action on, or execute a consent order based
on, practices that are alleged to be inconsistent with
any such guidelines, unless the practices allegedly
violate sections 3 or 4.
(b) Mechanism To Certify Compliance.--
(1) In general.--The Commission shall--
(A) establish a mechanism, in such form and manner
as the Commission determines is appropriate, for any
covered app store provider to submit a request for the
Commission to review their policies relevant to the
requirements under section 3; and
(B) not later than 30 days after receiving such a
request--
(i) review such policies to determine
whether the covered app store provider that
submitted such request is compliant with such
requirements; and
(ii) if the Commission determines that such
provider is compliant with such requirements
and does not permit or is able to quickly
remedy any method of circumventing such
requirements, submit to Congress and make
publicly available on the website of the
Commission a notice certifying that such
provider is compliant with such requirements.
(2) Notification of significant changes.--If a covered app
store provider that the Commission certifies is compliant with
the requirements of section 3 makes a significant change to any
policy of such provider that is relevant to such requirements,
such provider shall notify the Commission of such change to
ensure that the change does not impact the certification of
compliance under paragraph (1).
(3) Period of eligibility.--A certification of compliance
under paragraph (1) shall be valid for 1 year after the date of
the issuance of such certification.
(c) Complaints.--
(1) In general.--The Commission shall establish a mechanism
to receive complaints regarding the compliance of any covered
app store provider with the requirements described in section
3.
(2) Review.--The Commission shall regularly review any
complaints received through the mechanism described in
paragraph (1) and, if necessary, evaluate the covered app store
provider's certification of compliance under subsection (b)(1).
SEC. 6. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices.--A violation of this Act
or a regulation promulgated thereunder shall be treated as a violation
of a rule defining an unfair or deceptive act or practice under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(b) Powers of the Commission.--
(1) In general.--The Commission shall enforce this Act in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all applicable terms
and provisions of the Federal Trade Commission Act (15 U.S.C.
41 et seq.) were incorporated into and made a part of this Act.
(2) Privileges and immunities.--Any person who violates
this Act or a regulation promulgated thereunder shall be
subject to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission Act (15
U.S.C. 41 et seq.).
(3) Authority preserved.--Nothing in this Act shall be
construed to limit the authority of the Commission under any
other provision of law.
SEC. 7. ENFORCEMENT BY STATES.
(a) In General.--
(1) Civil actions.--In any case in which the attorney
general of a State has reason to believe that an interest of
the residents of that State has been or is threatened or
adversely affected by the engagement of any person in a
practice that violates this Act, the State, as parens patriae,
may bring a civil action on behalf of the residents of the
State in a district court of the United States of appropriate
jurisdiction to--
(A) enjoin that practice;
(B) enforce compliance with the regulation;
(C) obtain damages, restitution, or other
compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may
consider to be appropriate.
(2) Notice.--
(A) In general.--Before filing an action under
paragraph (1), the attorney general of the State
involved shall provide to the Commission--
(i) a written notice of that action; and
(ii) a copy of the complaint for that
action.
(B) Exemption.--
(i) In general.--Subparagraph (A) shall not
apply with respect to the filing of an action
by an attorney general of a State under this
subsection, if the attorney general determines
that it is not feasible to provide the notice
described in that subparagraph before the
filing of the action.
(ii) Notification.--In an action described
in clause (i), the attorney general of a State
shall provide notice and a copy of the
complaint to the Commission at the same time as
the attorney general files the action.
(b) Intervention.--
(1) In general.--On receiving notice under subsection
(a)(2), the Commission shall have the right to intervene in the
action that is the subject of the notice.
(2) Effect of intervention.--If the Commission intervenes
in an action under subsection (a), it shall have the right--
(A) to be heard with respect to any matter that
arises in that action; and
(B) to file a petition for appeal.
(c) Construction.--For purposes of bringing any civil action under
subsection (a), nothing in this chapter shall be construed to prevent
an attorney general of a State from exercising the powers conferred on
the attorney general by the laws of that State to--
(1) conduct investigations;
(2) administer oaths or affirmations; or
(3) compel the attendance of witnesses or the production of
documentary and other evidence.
(d) Actions by the Commission.--In any case in which an action is
instituted by or on behalf of the Commission for a violation of this
Act, no State may, during the pendency of that action, institute an
action under subsection (a) against any defendant named in the
complaint in that action for such violation.
(e) Venue; Service of Process.--
(1) Venue.--Any action brought under subsection (a) may be
brought in the district court of the United States that meets
applicable requirements relating to venue under section 1391 of
title 28, United States Code.
(2) Service of process.--In an action brought under
subsection (a), process may be served in any district in which
the defendant--
(A) is an inhabitant; or
(B) may be found.
SEC. 8. SAFE HARBOR.
(a) In General.--An app developer is deemed not liable for a
violation of this Act if the app developer demonstrates it has--
(1) relied in good faith on age verification data provided
by a covered app store provider or it obtained a signal from a
covered app store provider that indicates the user is a minor;
(2) complied with the requirements of section 4; and
(3) reasonably conforms to widely accepted industry
standards or best practices, or to standards or best practices
identified by the Commission, for age ratings and app content
descriptions and applies those standards or best practices
consistently and in good faith.
(b) Limitations.--The safe harbor described in this section applies
only to actions brought under this Act and does not limit the liability
of an app developer under any other applicable law.
SEC. 9. PREEMPTION.
(a) In General.--No State or political subdivision of a State may
maintain, enforce, prescribe, or continue in effect any law, rule,
regulation, requirement, standard, or other provision having the force
and effect of law of any State, or political subdivision of a State,
related to the provisions of this Act.
(b) Rule of Construction.--Nothing in this subsection shall be
construed as preempting, displacing, or supplanting contract or tort
law.
SEC. 10. SEVERABILITY.
If any provision of this Act, or the application thereof to any
person or circumstance, is held invalid, the remainder of this Act, and
the application of such provision to other persons not similarly
situated or to other circumstances, shall not be affected by the
invalidation.
SEC. 11. EFFECTIVE DATE.
Except as otherwise provided in this Act, this Act shall take
effect on the date that is 1 year after the date of enactment of this
Act.
<all>