Text: S.748 — 116th Congress (2019-2020)

There is one version of the bill.

Introduced in Senate (03/12/2019)


116th CONGRESS
1st Session
S. 748


To amend the Children’s Online Privacy Protection Act of 1998 to strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors, and for other purposes.


IN THE SENATE OF THE UNITED STATES

March 12, 2019

Mr. Markey (for himself and Mr. Hawley) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation


A BILL

To amend the Children’s Online Privacy Protection Act of 1998 to strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Table of contents.

The table of contents for this Act is as follows:


Sec. 1. Table of contents.

Sec. 2. Definitions.

Sec. 3. Online collection, use, and disclosure of personal information of children and minors.

Sec. 4. Fair Information Practices Principles.

Sec. 5. Digital Marketing Bill of Rights for Minors.

Sec. 6. Targeted marketing to children or minors.

Sec. 7. Removal of content.

Sec. 8. Privacy dashboard for connected devices for children and minors.

Sec. 9. Prohibition on sale of connected devices for children and minors that fail to meet appropriate cybersecurity and data security standards.

Sec. 10. Rule for treatment of users of websites, services, and applications directed to children or minors.

Sec. 11. Study of mobile and online application oversight.

Sec. 12. Youth Privacy and Marketing Division.

Sec. 13. Enforcement and applicability.

SEC. 2. Definitions.

(a) In general.—In this Act:

(1) COMMISSION.—The term “Commission” means the Federal Trade Commission.

(2) STANDARDS.—The term “standards” means benchmarks, guidelines, best practices, methodologies, procedures, and processes.

(b) Other definitions.—The definitions set forth in section 1302 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501), as amended by section 3(a) of this Act, shall apply in this Act, except to the extent the Commission provides otherwise by regulations issued under section 553 of title 5, United States Code.

SEC. 3. Online collection, use, and disclosure of personal information of children and minors.

(a) Definitions.—Section 1302 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501) is amended—

(1) by amending paragraph (2) to read as follows:

“(2) OPERATOR.—The term ‘operator’—

“(A) means any person—

“(i) who, for commercial purposes, in interstate or foreign commerce operates or provides a website on the internet, an online service, an online application, or a mobile application; and

“(ii) who—

“(I) collects or maintains, either directly or through a service provider, personal information from or about the users of that website, service, application, or connected device;

“(II) allows another person to collect personal information directly from users of that website, service, application, or connected device (in which case, the operator is deemed to have collected the information); or

“(III) allows users of that website, service, application, or connected device to publicly disclose personal information (in which case, the operator is deemed to have collected the information); and

“(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).”;

(2) in paragraph (4)—

(A) by amending subparagraph (A) to read as follows:

“(A) the release of personal information collected from a child or minor for any purpose, except where the personal information is provided to a person other than an operator who—

“(i) provides support for the internal operations of the website, online service, online application, or mobile application of the operator, excluding any activity relating to targeted marketing directed to children, minors, or connected devices; and

“(ii) does not disclose or use that personal information for any other purpose; and”; and

(B) in subparagraph (B)—

(i) by inserting “or minor” after “child” each place the term appears;

(ii) by inserting “or minors” after “children”; and

(iii) by striking “website or online service” and inserting “website, online service, online application, or mobile application”;

(3) in paragraph (8), by striking subparagraphs (F) and (G) and inserting the following:

“(F) geolocation information;

“(G) information used for biometric identification, as defined in section 70123 of title 46, United States Code, of an individual;

“(H) information reasonably associated with or attributed to an individual;

“(I) information (including an internet protocol address) that permits the identification of—

“(i) an individual; or

“(ii) any device used by an individual to directly or indirectly access the internet or an online service, online application, or mobile application; or

“(J) information concerning a child or minor or the parents of that child or minor (including any unique or substantially unique identifier, such as a customer number) that an operator collects online from the child or minor and combines with an identifier described in this paragraph.”;

(4) by amending paragraph (9) to read as follows:

“(9) VERIFIABLE CONSENT.—The term ‘verifiable consent’ means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that, in the case of a child, a parent of the child, or, in the case of a minor, the minor—

“(A) receives specific notice of the personal information collection, use, and disclosure practices of the operator; and

“(B) before the personal information of the child or minor is collected, freely and unambiguously authorizes—

“(i) the collection, use, and disclosure, as applicable, of that personal information; and

“(ii) any subsequent use of that personal information.”;

(5) by striking paragraph (10) and redesignating paragraphs (11) and (12) as paragraphs (10) and (11), respectively; and

(6) by adding at the end the following:

“(12) CONNECTED DEVICE.—The term ‘connected device’ means a device that is capable of connecting to the internet, directly or indirectly, or to another connected device.

“(13) ONLINE.—The term ‘online’ means—

“(A) connected to or compatible with the internet; or

“(B) via the internet.

“(14) ONLINE APPLICATION.—The term ‘online application’—

“(A) means an internet-connected software program; and

“(B) includes a service or application offered via a connected device.

“(15) ONLINE SERVICE.—The term ‘online service’—

“(A) means broadband internet access service, as defined in the Report and Order on Remand, Declaratory Ruling, and Order in the matter of protecting and promoting the open internet, adopted by the Federal Communications Commission on February 26, 2015 (FCC 15–24); and

“(B) includes a service or application offered via a connected device.

“(16) DIRECTED TO A CHILD OR MINOR.—

“(A) IN GENERAL.—The terms ‘directed to a child’ or ‘directed to a minor’ means, with respect to a website, online service, online application, or mobile application, the website, online service, online application, or mobile application is targeted to children or minors, as the case may be, as demonstrated by—

“(i) the subject matter of the website, online service, online application, or mobile application;

“(ii) the visual content of the website, online service, online application, or mobile application;

“(iii) the use of animated characters or child-oriented activities for children, or the use of minor-oriented characters or minor-oriented activities for minors, and related incentives on the website, online service, online application, or mobile application;

“(iv) the music or other audio content on the website, online service, online application, or mobile application;

“(v) the age of models on the website, online service, online application, or mobile application;

“(vi) the presence, on the website, online service, online application, or mobile application, of—

“(I) child celebrities;

“(II) celebrities who appeal to children;

“(III) teen celebrities; or

“(IV) celebrities who appeal to minors;

“(vii) the language used on the website, online service, online application, or mobile application;

“(viii) advertising content used on, or used to advertise, the website, online service, online application, or mobile application; or

“(ix) reliable empirical evidence relating to—

“(I) the composition of the audience of the website, online service, online application, or mobile application; and

“(II) the intended audience of the website, online service, online application, or mobile application.

“(B) RULES OF CONSTRUCTION.—

“(i) SERVICES DEEMED DIRECTED TO CHILDREN OR MINORS.—For the purposes of this title, a website, online service, online application, or mobile application shall be deemed to be directed to children or minors if the operator of the website, online service, online application, or mobile application has actual knowledge that the website, online service, online application, or mobile application collects personal information directly from users of any other website, online service, online application, or mobile application that is directed to children or minors under the criteria described in subparagraph (A).

“(ii) SERVICES DEEMED DIRECTED TO MIXED AUDIENCES.—

“(I) IN GENERAL.—A website, online service, online application, or mobile application that is directed to children or minors under the criteria described in subparagraph (A), but that does not target children or minors as the primary audience of the website, online service, online application, or mobile application, shall not be deemed to be directed to children or minors for purposes of this title if the website, online service, online application, or mobile application—

“(aa) does not collect personal information from any user of the website, online service, online application, or mobile application before verifying age information of the user; and

“(bb) does not, without first complying with any relevant notice and consent provision under this title, collect, use, or disclose personal information of any user who identifies themselves to the website, online service, online application, or mobile application as an individual who is under the age of 16.

“(II) USE OF CERTAIN TOOLS.—For purposes of this title, a website, online service, online application, or mobile application, shall not be deemed directed to children or minors solely because the website, online service, online application, or mobile application refers or links to any other website, online service, online application, or mobile application directed to children or minors by using information location tools, including—

“(aa) a directory;

“(bb) an index;

“(cc) a reference;

“(dd) a pointer; or

“(ee) a hypertext link.

“(17) MOBILE APPLICATION.—The term ‘mobile application’—

“(A) means a software program that runs on the operating system of—

“(i) a cellular telephone;

“(ii) a tablet computer; or

“(iii) a similar portable computing device that transmits data over a wireless connection; and

“(B) includes a service or application offered via a connected device.

“(18) GEOLOCATION INFORMATION.—The term ‘geolocation information’ means information sufficient to identify a street name and name of a city or town.

“(19) MINOR.—The term ‘minor’ means an individual over the age of 12 and under the age of 16.

“(20) TARGETED MARKETING.—The term ‘targeted marketing’ means advertising or any other effort to market a product or service that is directed to a specific individual or device—

“(A) based on—

“(i) the personal information of—

“(I) the individual; or

“(II) a group of individuals who are similar in gender, age, income level, race, or ethnicity to the specific individual to whom the product or service is marketed;

“(ii) psychological profiling; or

“(iii) a unique identifier of the device; and

“(B) as a result of use by the individual, access by any device of the individual, or use by a group of individuals who are similar to the specific individual, of—

“(i) a website;

“(ii) an online service;

“(iii) an online application;

“(iv) a mobile application; or

“(v) an operating system.”.

(b) Online collection, use, and disclosure of personal information of children and minors.—Section 1303 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6502) is amended—

(1) by striking the heading and inserting the following: “Online collection, use, and disclosure of personal information of children and minors.”;

(2) in subsection (a)—

(A) by amending paragraph (1) to read as follows:

“(1) IN GENERAL.—It is unlawful for an operator of a website, online service, online application, or mobile application directed to a child or minor, or an operator having constructive knowledge that personal information being collected is from a child or minor, to collect personal information from a child or minor in a manner that violates the regulations prescribed under subsection (b).”; and

(B) in paragraph (2)—

(i) by striking “of such a website or online service”; and

(ii) by striking “subsection (b)(1)(B)(iii) to the parent of a child” and inserting “subsection (b)(1)(A)(iii) to the parent of a child or under subsection (b)(1)(A)(iv) to a minor”; and

(3) in subsection (b)—

(A) by amending paragraph (1) to read as follows:

“(1) REGULATIONS.—

“(A) IN GENERAL.—Not later than 1 year after the date of the enactment of the Act entitled ‘An Act to amend the Children’s Online Privacy Protection Act of 1998 to strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors, and for other purposes’, the Commission shall promulgate, under section 553 of title 5, United States Code, regulations to require an operator of a website, online service, online application, or mobile application directed to children or minors, or an operator having constructive knowledge that personal information being collected is from a child or minor—

“(i) to provide clear and conspicuous notice in clear and plain language of—

“(I) the types of personal information the operator collects;

“(II) how the operator uses the information;

“(III) whether and why the operator discloses the information; and

“(IV) the procedures or mechanisms the operator uses to ensure that personal information is not collected from children or minors except in accordance with the regulations promulgated under this paragraph;

“(ii) to obtain verifiable consent for the collection, use, or disclosure of personal information of a child or minor;

“(iii) to provide to a parent whose child has provided personal information to the operator, upon request by and proper identification of the parent—

“(I) a description of the specific types of personal information collected from the child by the operator;

“(II) the opportunity at any time to delete personal information collected from the child; and

“(III) a means that is reasonable under the circumstances for the parent to obtain any personal information collected from the child, if such information is available to the operator at the time the parent makes the request;

“(iv) to provide to a minor who has provided personal information to the operator, upon request by and proper identification of the minor—

“(I) a description of the specific types of personal information collected from the minor by the operator;

“(II) the opportunity at any time to delete personal information collected from the minor; and

“(III) a means that is reasonable under the circumstances for the minor to obtain any personal information collected from the minor, if such information is available to the operator at the time the minor makes the request;

“(v) not to condition participation in a game, or use of a website, service, or application, by a child or minor on the provision by the child or minor of more personal information than is reasonably required to participate in the game or use the website, service, or application; and

“(vi) to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children and minors.

“(B) UPDATES.—Not less frequently than once every 4 years after the date on which regulations are promulgated under subparagraph (A), the Commission shall update those regulations as necessary.”;

(B) in paragraph (2)—

(i) in the matter preceding subparagraph (A), by striking “verifiable parental consent” and inserting “verifiable consent”;

(ii) in subparagraph (A)—

(I) by inserting “or minor” after “collected from a child”;

(II) by inserting “or minor” after “request from the child”; and

(III) by inserting “or minor or to contact a different child or minor” after “to recontact the child”;

(iii) in subparagraph (B)—

(I) by striking “parent or child” and inserting “parent, child, or minor”; and

(II) by striking “parental consent” each place the term appears and inserting “verifiable consent”;

(iv) in subparagraph (C)—

(I) in the matter preceding clause (i), by inserting “or minor” after “child” each place the term appears;

(II) in clause (i)—

(aa) by inserting “or minor” after “child” each place the term appears; and

(bb) by inserting “or minor, as applicable,” after “parent” each place the term appears; and

(III) in clause (ii)—

(aa) by inserting “or minor, as applicable,” after “parent”; and

(bb) by inserting “or minor” after “child” each place the term appears; and

(v) in subparagraph (D)—

(I) in the matter preceding clause (i), by inserting “or minor” after “child” each place the term appears;

(II) in clause (ii), by inserting “or minor” after “child”; and

(III) in the flush text following clause (iii)—

(aa) by inserting “or minor, as applicable,” after “parent” each place the term appears; and

(bb) by inserting “or minor” after “child”; and

(C) by amending paragraph (3) to read as follows:

“(3) CONTINUATION OF SERVICE.—The regulations shall prohibit an operator from discontinuing service provided to a child or minor on the basis of a request by the parent of the child or by the minor, under the regulations prescribed under clauses (iii)(II) and (iv)(II), respectively, of paragraph (1)(A) to delete personal information collected from the child or minor, to the extent that the operator is capable of providing such service without such information.”.

(c) Safe harbors.—Section 1304 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6503) is amended—

(1) in subsection (b)(1), by inserting “and minors” after “children”; and

(2) by adding at the end the following:

“(d) Publication.—The Commission shall publish on the internet website of the Commission any report or documentation required by regulation to be submitted to the Commission to carry out this section, except to the extent that the report or documentation contains proprietary information, which the Commission may in its discretion redact.”.

(d) Administration and applicability of Act.—Section 1306 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is amended—

(1) in subsection (b)—

(A) in paragraph (1), by striking “, in the case of” and all that follows and inserting the following: “by the appropriate Federal banking agency, with respect to any insured depository institution (as those terms are defined in section 3 of that Act (12 U.S.C. 1813));”; and

(B) by striking paragraph (2) and redesignating paragraphs (3) through (6) as paragraphs (2) through (5), respectively; and

(2) by adding at the end the following new subsection:

“(f) Telecommunications carriers and cable operators.—

“(1) ENFORCEMENT BY COMMISSION.—Notwithstanding section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), compliance with the requirements imposed under this title shall be enforced by the Commission with respect to any telecommunications carrier (as defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153)).

“(2) RELATIONSHIP TO OTHER LAW.—To the extent that section 222, 338(i), or 631 of the Communications Act of 1934 (47 U.S.C. 222; 338(i); 551) is inconsistent with this title, this title controls.”.

SEC. 4. Fair Information Practices Principles.

The Fair Information Practices Principles described in this section are the following:

(1) COLLECTION LIMITATION PRINCIPLE.—Except as provided in paragraph (3), personal information should be collected from a child or minor only when collection of the personal information is—

(A) consistent with the context of a particular transaction or service or the relationship of the child or minor with the operator, including collection necessary to fulfill a transaction or provide a service requested by the child or minor; or

(B) required or specifically authorized by law.

(2) DATA QUALITY PRINCIPLE.—The personal information of a child or minor should be accurate, complete, and kept up-to-date to the extent necessary to fulfill the purposes described in subparagraphs (A) through (D) of paragraph (3).

(3) PURPOSE SPECIFICATION PRINCIPLE.—The purposes for which personal information is collected should be specified to the parent of a child or to a minor not later than at the time of the collection of the information. The subsequent use or disclosure of the information should be limited to—

(A) fulfillment of the transaction or service requested by the child or minor;

(B) support for the internal operations of the website, service, or application, as described in section 312.2 of title 16, Code of Federal Regulations, excluding any activity relating to targeted marketing directed to children, minors, or a device of a child or minor;

(C) compliance with legal process or other purposes expressly authorized under specific legal authority; or

(D) other purposes—

(i) that are specified in a notice to the child or minor; and

(ii) to which the child or minor has consented under paragraph (7) before the information is used or disclosed for such other purposes.

(4) RETENTION LIMITATION PRINCIPLE.—

(A) IN GENERAL.—The personal information of a child or minor should not be retained for longer than is necessary to fulfill a transaction or provide a service requested by the child or minor or such other purposes specified in subparagraphs (A) through (D) of paragraph (3).

(B) DATA DISPOSAL.—The operator should implement a reasonable and appropriate data disposal policy based on the nature and sensitivity of personal information described in subparagraph (A).

(5) SECURITY SAFEGUARDS PRINCIPLE.—The personal information of a child or minor should be protected by reasonable and appropriate security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.

(6) OPENNESS PRINCIPLE.—

(A) GENERAL PRINCIPLE.—The operator should maintain a general policy of openness about developments, practices, and policies with respect to the personal information of a child or minor.

(B) PROVISION OF INFORMATION.—The operator should provide to each parent of a child, or to each minor, using the website, online service, online application, or mobile application of the operator with a clear and prominent means—

(i) to identify and contact the operator, by, at a minimum, disclosing, clearly and prominently, the identity of the operator and—

(I) in the case of an operator who is an individual, the address of the principal residence of the operator and an email address and telephone number for the operator; or

(II) in the case of any other operator, the address of the principal place of business of the operator and an email address and telephone number for the operator;

(ii) to determine whether the operator possesses any personal information of the child or minor, the nature of any such information, and the purposes for which the information was collected and is being retained;

(iii) to obtain any personal information of the child or minor that is in the possession of the operator from the operator, or from a person specified by the operator, within a reasonable time after making a request, at a charge (if any) that is not excessive, in a reasonable manner, and in a form that is readily intelligible to the child or minor;

(iv) to challenge the accuracy of personal information of the child or minor that is in the possession of the operator;

(v) to determine if the child or minor has established the inaccuracy of personal information in a challenge under clause (iv) in order to have such information erased, corrected, completed, or otherwise amended; and

(vi) to determine the method by which the operator obtains data relevant to the child or minor.

(C) LIMITATION.—Nothing in this paragraph shall be construed to permit an operator to erase or otherwise modify personal information requested by a law enforcement agency pursuant to legal authority.

(7) INDIVIDUAL PARTICIPATION PRINCIPLE.—The operator should—

(A) obtain consent from a parent of a child or from a minor before using or disclosing the personal information of the child or minor for any purpose other than the purposes described in subparagraphs (A) through (C) of paragraph (3); and

(B) obtain affirmative express consent from a parent of a child or from a minor before using or disclosing previously collected personal information of the child or minor for purposes that constitute a material change in practice from the original purposes specified to the child or minor under paragraph (3).

(8) RACIAL AND SOCIOECONOMIC PROFILING.—The personal information of a child or minor shall not be used to direct content to the child or minor, or a group of individuals similar to the child or minor, on the basis of race, socioeconomic factors, or any proxy thereof.

SEC. 5. Digital Marketing Bill of Rights for Minors.

(a) Acts prohibited.—

(1) PROHIBITION.—

(A) IN GENERAL.—Except as provided in subparagraph (B), it shall be unlawful for an operator of a website, online service, online application, or mobile application to collect personal information from a minor if—

(i) (I) the minor is a user of the website, online service, online application, or mobile application; and

(II) the operator has constructive knowledge that the minor is a minor; or

(ii) the website, online service, online application, or mobile application is directed to minors.

(B) EXCEPTION.—Subparagraph (A) shall not apply to an operator that has adopted and complies with a Digital Marketing Bill of Rights for Minors that is consistent with the Fair Information Practices Principles described in section 4.

(2) EFFECTIVE DATE.—This subsection shall take effect on the date that is 180 days after the promulgation of regulations under subsection (b).

(b) Regulations.—

(1) IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate, under section 553 of title 5, United States Code, regulations to implement this section, including regulations further defining the Fair Information Practices Principles described in section 4.

(2) UPDATES.—Not less frequently than once every 4 years after the date on which regulations are promulgated under paragraph (1), the Commission shall update those regulations as necessary.

SEC. 6. Targeted marketing to children or minors.

(a) Acts prohibited.—

(1) CHILDREN.—It shall be unlawful for an operator of a website, online service, online application, or mobile application to use, disclose to third parties, or compile personal information of a child for purposes of targeted marketing if—

(A) (i) the child is a user of the website, online service, online application, or mobile application; and

(ii) the operator has constructive knowledge that the child is a child; or

(B) the website, online service, online application, or mobile application is directed to a child.

(2) MINORS.—

(A) PROHIBITION.—Except as provided in subparagraph (B), it shall be unlawful for an operator of a website, online service, online application, or mobile application to use, disclose to third parties, or compile personal information of a minor for purposes of targeted marketing if—

(i) (I) the minor is a user of the website, online service, online application, or mobile application; and

(II) the operator has constructive knowledge that the minor is a minor; or

(ii) the website, online service, online application, or mobile application is directed to a minor.

(B) EXCEPTION.—Subparagraph (A) shall not apply to an operator that has obtained the verifiable consent of the relevant minor.

(3) EFFECTIVE DATE.—This subsection shall take effect on the date that is 180 days after the promulgation of regulations under subsection (b).

(b) Regulations.—

(1) IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate, under section 553 of title 5, United States Code, regulations to implement this section.

(2) UPDATES.—Not less frequently than once every 4 years after the date on which regulations are promulgated under paragraph (1), the Commission shall update those regulations as necessary.

SEC. 7. Removal of content.

(a) Acts prohibited.—It is unlawful for an operator to make publicly available through a website, online service, online application, or mobile application content or information that contains or displays personal information of children or minors in a manner that violates subsection (b).

(b) Requirement.—

(1) IN GENERAL.—An operator, to the extent technologically feasible, shall—

(A) implement mechanisms that permit a user of the website, online service, online application, or mobile application of the operator to erase or otherwise eliminate content or information that is—

(i) submitted to the website, online service, online application, or mobile application by that user;

(ii) publicly available through the website, online service, online application, or mobile application; and

(iii) contains or displays personal information of children or minors; and

(B) take appropriate steps to—

(i) make users aware of the mechanisms described in subparagraph (A); and

(ii) provide notice to users that the mechanisms described in subparagraph (A) do not necessarily provide comprehensive removal of the content or information submitted by users.

(2) EXCEPTIONS.—Paragraph (1) shall not be construed to require an operator or third party to erase or otherwise eliminate content or information that—

(A) any other provision of Federal or State law requires the operator or third party to maintain; or

(B) was submitted to the website, online service, online application, or mobile application of the operator by any person other than the user who is attempting to erase or otherwise eliminate the content or information, including content or information submitted by the user that was republished or resubmitted by another person.

(c) Limitation.—Nothing in this section shall be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.

(d) Effective date.—This section shall take effect on the date that is 180 days after the date of enactment of this Act.

SEC. 8. Privacy dashboard for connected devices for children and minors.

(a) In general.—A manufacturer of a connected device directed to a child or minor shall prominently display on the packaging for the connected device a standardized and easy-to-understand privacy dashboard, detailing whether, what, and how personal information of a child or minor is—

(1) collected from the connected device;

(2) transmitted from the connected device;

(3) retained on the connected device;

(4) retained by the manufacturer or affiliated person;

(5) used by the manufacturer or affiliated person; and

(6) protected.

(b) Features.—A privacy dashboard under subsection (a) shall inform a consumer of—

(1) the extent to which the connected device meets the highest cybersecurity and data security standards, including if and how to obtain security patches;

(2) the extent to which the connected device gives—

(A) a parent meaningful control over the information of a child of the parent; and

(B) a minor meaningful control over the information of the minor;

(3) the extent to which the device minimizes the collection, retention, and use of information from a child or minor;

(4) the location of privacy policies;

(5) the type of personal information the connected device may collect;

(6) the minimum length of time during which a connected device will receive security patches and software updates;

(7) whether the connected device can be used without being connected to the internet; and

(8) any other information as the Commission considers appropriate.

(c) Regulations.—

(1) IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate, under section 553 of title 5, United States Code, regulations to implement this section.

(2) UPDATES.—Not less frequently than once every 4 years after the date on which regulations are promulgated under paragraph (1), the Commission shall update those regulations as necessary.

(d) Effective date.—Subsections (a) and (b) shall take effect on the date that is 180 days after the promulgation of regulations under subsection (c).

SEC. 9. Prohibition on sale of connected devices for children and minors that fail to meet appropriate cybersecurity and data security standards.

(a) Prohibition.—Beginning 1 year after the date of enactment of this Act, no person may sell a connected device unless the connected device meets appropriate cybersecurity and data security standards established by the Commission.

(b) Cybersecurity and data security standards.—

(1) IN GENERAL.—The Commission shall promulgate, under section 553 of title 5, United States Code, cybersecurity and data security standards described in subsection (a).

(2) CONSIDERATIONS.—In promulgating cybersecurity and data security standards under paragraph (1), the Commission shall—

(A) create cybersecurity and data security standards for different subsets of connected devices based on the varying degrees of—

(i) cybersecurity and data security risk associated with each subset of connected device;

(ii) sensitivity of information collected, stored, or transmitted by each subset of connected device; and

(iii) functionality of each subset of connected device;

(B) consider incorporating, to the extent practicable, existing cybersecurity and data security standards; and

(C) ensure that the cybersecurity and data security standards—

(i) are consistent with Fair Information Practice Principles described in section 4; and

(ii) promote data minimization.

SEC. 10. Rule for treatment of users of websites, services, and applications directed to children or minors.

For the purposes of this Act, an operator of a website, online service, online application, or mobile application that is directed to children or minors shall treat each user of that website, online service, online application, or mobile application as a child or minor, except as permitted by the Commission pursuant to a regulation promulgated under this Act.

SEC. 11. Study of mobile and online application oversight.

Not later than 2 years after the date of enactment of this Act, the Commission shall submit to each committee of the Senate and each committee of the House of Representatives that has jurisdiction over the Commission a report on the processes of platforms that offer mobile and online applications for ensuring that, of those applications that are directed to children or minors, the applications operate in accordance with—

(1) this Act, the amendments made by this Act, and rules promulgated under this Act;

(2) rules promulgated by the Commission under section 5 of the Federal Trade Commission Act (15 U.S.C. 45) relating to unfair or deceptive acts or practices in marketing; and

(3) any other Federal or State law relating to the privacy of children or minors.

SEC. 12. Youth Privacy and Marketing Division.

(a) Establishment.—There is established within the Commission a division to be known as the Youth Privacy and Marketing Division.

(b) Director.—The Youth Privacy and Marketing Division shall be headed by a Director, who shall be appointed by the Chairman of the Commission.

(c) Duties.—The Youth Privacy and Marketing Division established under subsection (a) shall be responsible for addressing, as it relates to this Act and the amendments made by this Act—

(1) the privacy of children and minors; and

(2) marketing directed at children and minors.

(d) Staff.—The Director of the Youth Privacy and Marketing Division shall hire adequate staff to carry out the duties under subsection (c), including individuals who are experts in data protection, digital advertising, data analytics, and youth development.

(e) Reports.—Not later than 1 year after the date of enactment of this Act, and each year thereafter, the Director of the Youth and Privacy Marketing Division shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that includes—

(1) a description of the work of the Youth Privacy and Marketing Division on emerging concerns relating to youth privacy and marketing practices; and

(2) an assessment of how effectively the Commission has, during the period for which the report is submitted, addressed youth privacy and marketing practices.

SEC. 13. Enforcement and applicability.

(a) Enforcement by the Commission.—

(1) IN GENERAL.—Except as otherwise provided, this Act and the regulations prescribed under this Act shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

(2) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.—Subject to subsection (b), a violation of this Act or a regulation prescribed under this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

(3) ACTIONS BY THE COMMISSION.—

(A) IN GENERAL.—Subject to subsection (b), and except as provided in subsection (d)(1), the Commission shall prevent any person from violating this Act or a regulation prescribed under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates this Act or such regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(B) VIOLATIONS.—

(i) IN GENERAL.—In an action brought by the Commission to enforce this Act and the regulations prescribed under this Act, each connected device that fails to meet a standard promulgated under this Act shall be treated as a separate violation.

(ii) CIVIL PENALTY.—Notwithstanding section 5(m) of the Federal Trade Commission Act (15 U.S.C. 45(m)), a civil penalty recovered for a violation of this Act or a regulation prescribed under this Act may be in excess of the amounts provided for in that section as the court finds appropriate to deter violations of this Act and regulations prescribed under this Act.

(iii) FIRST VIOLATIONS.—In an action brought by the Commission to enforce this Act and the regulations prescribed under this Act, the Commission may seek a civil penalty for any violation of this Act or regulation prescribed under this Act, including any violation that is the first violation of this Act or a regulation prescribed under this Act that a person against whom the action is brought has committed.

(b) Enforcement by certain other agencies.—Notwithstanding subsection (a), compliance with the requirements imposed under this Act shall be enforced as follows:

(1) Under section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818) by the appropriate Federal banking agency, with respect to an insured depository institution (as such terms are defined in section 3 of such Act (12 U.S.C. 1813)).

(2) Under the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board, with respect to any Federal credit union.

(3) Under part A of subtitle VII of title 49, United States Code, by the Secretary of Transportation, with respect to any air carrier or foreign air carrier subject to such part.

(4) Under the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et seq.) (except as provided in section 406 of that Act (7 U.S.C. 226; 227)) by the Secretary of Agriculture, with respect to any activities subject to that Act.

(5) Under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration, with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

(c) Enforcement by State attorneys general.—

(1) IN GENERAL.—

(A) CIVIL ACTIONS.—In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates this Act or a regulation prescribed under this Act, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—

(i) enjoin that practice;

(ii) enforce compliance with this Act or such regulation;

(iii) obtain damages, restitution, or other compensation on behalf of residents of the State; or

(iv) obtain such other relief as the court may consider to be appropriate.

(B) NOTICE.—

(i) IN GENERAL.—Before filing an action under subparagraph (A), the attorney general of the State involved shall provide to the Commission—

(I) written notice of that action; and

(II) a copy of the complaint for that action.

(ii) EXEMPTION.—

(I) IN GENERAL.—Clause (i) shall not apply with respect to the filing of an action by an attorney general of a State under this paragraph if the attorney general of the State determines that it is not feasible to provide the notice described in that clause before the filing of the action.

(II) NOTIFICATION.—In an action described in subclause (I), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

(2) INTERVENTION.—

(A) IN GENERAL.—On receiving notice under paragraph (1)(B), the Commission shall have the right to intervene in the action that is the subject of the notice.

(B) EFFECT OF INTERVENTION.—If the Commission intervenes in an action under paragraph (1), it shall have the right—

(i) to be heard with respect to any matter that arises in that action; and

(ii) to file a petition for appeal.

(3) CONSTRUCTION.—For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—

(A) conduct investigations;

(B) administer oaths or affirmations; or

(C) compel the attendance of witnesses or the production of documentary and other evidence.

(4) ACTIONS BY THE COMMISSION.—In any case in which an action is instituted by or on behalf of the Commission for violation of this Act or a regulation prescribed under this Act, no State may, during the pendency of that action, institute an action under paragraph (1) against any defendant named in the complaint in the action instituted by or on behalf of the Commission for that violation.

(5) VENUE; SERVICE OF PROCESS.—

(A) VENUE.—Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

(B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which the defendant—

(i) is an inhabitant; or

(ii) may be found.

(d) Telecommunications carriers and cable operators.—

(1) ENFORCEMENT BY COMMISSION.—Notwithstanding section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), compliance with the requirements imposed under this Act shall be enforced by the Commission with respect to any telecommunications carrier (as defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153)).

(2) RELATIONSHIP TO OTHER LAWS.—To the extent that section 222, 338(i), or 631 of the Communications Act of 1934 (47 U.S.C. 222; 338(i); 551) is inconsistent with this Act, this Act controls.

(e) Safe harbors.—

(1) DEFINITION.—In this subsection—

(A) the term “applicable section” means section 5, 6, 7, 8, or 9 of this Act;

(B) the term “covered operator” means an operator subject to guidelines approved under paragraph (2);

(C) the term “requesting entity” means an entity that submits a safe harbor request to the Commission; and

(D) the term “safe harbor request” means a request to have self-regulatory guidelines described in paragraph (2)(A) approved under that paragraph.

(2) GUIDELINES.—

(A) IN GENERAL.—An operator may satisfy the requirements of regulations issued under an applicable section by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and an opportunity for comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under that applicable section.

(B) EXPEDITED RESPONSE TO REQUESTS.—Not later than 180 days after the date on which a safe harbor request is filed under subparagraph (A), the Commission shall act upon the request and set forth in writing the conclusions of the Commission with regard to the request.

(C) APPEALS.—A requesting entity may appeal the final action of the Commission under subparagraph (B), or a failure by the Commission to act in the period described in that paragraph, to a district court of the United States of appropriate jurisdiction, as provided for in section 706 of title 5, United States Code.

(3) INCENTIVES.—

(A) SELF-REGULATORY INCENTIVES.—In prescribing regulations under an applicable section, the Commission shall provide incentives for self-regulation by covered operators to implement the protections afforded children and minors, as applicable, under the regulatory requirements described in those sections.

(B) DEEMED COMPLIANCE.—The incentives under subparagraph (A) shall include provisions for ensuring that a covered operator will be deemed to be in compliance with the requirements of the regulations under an applicable section if that person complies with guidelines approved under paragraph (2).

(4) REGULATIONS.—In prescribing regulations relating to safe harbor guidelines under an applicable section, the Commission shall—

(A) establish criteria for the approval of guidelines that will ensure that a covered operator provides substantially the same or greater protections for children and minors, as applicable, as those contained in the regulations issued under the applicable section; and

(B) require that any report or documentation required to be submitted to the Commission by a covered operator or requesting entity will be published on the internet website of the Commission, except to the extent that the report or documentation contains proprietary information, which the Commission may in its discretion redact.

(5) REPORT BY THE INSPECTOR GENERAL.—

(A) IN GENERAL.—Not later than 2 years after the date of enactment of this Act, and once each 2 years thereafter, the Inspector General of the Commission shall submit to the Commission and each committee of the Senate and each committee of the House of Representatives that has jurisdiction over the Commission a report regarding the safe harbor provisions under this subparagraph, which shall include—

(i) an analysis of whether the safe harbor provisions are—

(I) operating fairly and effectively; and

(II) effectively protecting the interests of children and minors; and

(ii) proposals for policy changes that would improve the effectiveness of the safe harbor provisions.

(B) PUBLICATION.—Not later than 10 days after the date on which a report under subparagraph (A) is submitted, the Commission shall publish the report on the internet website of the Commission.

(f) Effective date.—This section shall take effect on the date that is 90 days after the date of enactment of this Act.