


117 HR 4801 IH: Protecting the Information of our Vulnerable Children and Youth Act
U.S. House of Representatives
2021-07-29
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



117th CONGRESS, 1st Session
H. R. 4801
IN THE HOUSE OF REPRESENTATIVES

July 29, 2021
Ms. Castor of Florida introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL
To amend the Children’s Online Privacy Protection Act of 1998 to update and expand the coverage of such Act, and for other purposes.


1. Short title; table of contents
(a) Short title. This Act may be cited as the Protecting the Information of our Vulnerable Children and Youth Act or the Kids PRIVCY Act.
(b) Table of contents. The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Requirements for processing of covered information of children or teenagers.
Sec. 4. Repeal of safe harbors provision.
Sec. 5. Administration and applicability of Act.
Sec. 6. Review.
Sec. 7. Private right of action.
Sec. 8. Relationship to other law.
Sec. 9. Additional conforming amendment.
Sec. 10. Implementing regulations.
Sec. 11. Youth Privacy and Marketing Division.
Sec. 12. Commission defined.
Sec. 13. Effective date.
2. Definitions
Section 1302 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501) is amended—
(1) by striking paragraphs (5) and (10);
(2) by redesignating paragraphs (2), (3), (4), (6), (7), (8), and (9) as paragraphs (3), (5), (6), (7), (8), (9), and (10), respectively;
(3) by inserting after paragraph (1) the following:

(2) Teenager. The term teenager means an individual over the age of 12 and under the age of 18.;
(4) by striking paragraph (3) (as so redesignated) and inserting the following:

(3) Covered entity. The term covered entity means—
(A) any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2));
(B) notwithstanding section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)), common carriers; and
(C) notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44 and 45(a)(2)), any nonprofit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of the Internal Revenue Code of 1986.
(4) Operator. The term operator means, with respect to a digital service, the covered entity that operates such service, to the extent the covered entity is engaged in operating such service or in processing covered information obtained in connection with such service.;
(5) by amending paragraph (6) (as so redesignated) to read as follows:

(6) Disclose. The term disclose means to intentionally or unintentionally release, transfer, sell, disseminate, share, publish, lease, license, make available, allow access to, fail to restrict access to, or otherwise communicate covered information.;
(6) by amending paragraph (9) (as so redesignated) to read as follows:

(9) Covered information. The term covered information—
(A) means any information, linked or reasonably linkable to a specific teenager or child, or specific consumer device of a teenager or child;
(B) may include—
(i) a name, alias, home or other physical address, online identifier, Internet Protocol address, email address, account name, Social Security number, physical characteristics or description, telephone number, State identification card number, driver’s license number, passport number, or other similar identifier;
(ii) actual or perceived race, religion, sex, sexual orientation, sexual behavior, familial status, gender identity, disability, age, political affiliation, or national origin;
(iii) commercial information, including records relating to personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories, interests, or tendencies;
(iv) biometric information;
(v) device identifiers, online identifiers, persistent identifiers, or digital fingerprinting information;
(vi) internet or other electronic network activity information, including browsing history, search history, and information regarding a teenager’s or child’s interaction with an internet website, application, or advertisement;
(vii) geolocation information;
(viii) audio, electronic, visual, thermal, olfactory, or similar information;
(ix) education information;
(x) health information;
(xi) facial recognition information;
(xii) contents of, attachments to, and parties to information, including with respect to electronic mail, text messages, picture messages, voicemails, audio conversations, and video conversations;
(xiii) financial information, including bank account numbers, credit card numbers, debit card numbers, or insurance policy numbers; and
(xiv) inferences drawn from any of the information described in this paragraph to create a profile about a teenager or child reflecting the teenager’s or child’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes; and
(C) does not include—
(i) information that is processed solely for the purpose of employment of a teenager; or
(ii) de-identified information.;
(7) by amending paragraph (10) (as so redesignated) to read as follows:
(10) Verifiable consent. The term verifiable consent means express, affirmative consent freely given by a teenager, or by the parent of a child, to the processing of covered information of that teenager or child, respectively—
(A) that is specific, informed, and unambiguous, taking into account the age and the developmental or cognitive needs and capabilities of the teenager or parent of a child, as applicable;
(B) that is given separately for each processing activity;
(C) where the teenager or parent of a child, as applicable, has not received any financial or other incentive in exchange for such consent;
(D) that is given before any processing occurs, at a time and in a context in which the teenager or parent of a child, as applicable, would reasonably expect to make choices concerning such processing; and
(E) that is not obtained through the use of a design, modification, or manipulation of a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision making, or choice.; and
(8) by adding at the end the following:

(13) Process. The term process means to perform any operation or set of operations on covered information, whether or not by automated means, including collecting, creating, acquiring, disclosing, sharing, classifying, sorting, recording, deriving, inferring, obtaining, assembling, organizing, structuring, storing, retaining, adapting or altering, using, or retrieving covered information.
(14) De-identified information; re-identify
(A) De-identified information. The term de-identified information means information that cannot reasonably be used to infer information about, or otherwise be linked to, a specific teenager or child or specific consumer device of a teenager or child, if the covered entity that possesses the information—
(i) takes reasonable measures to ensure that the information cannot be associated with a teenager or child;
(ii) publicly commits to maintain and use the information in de-identified form and not to attempt to re-identify the information, except for the purpose of testing the sufficiency of the de-identification measures; and
(iii) contractually obligates any recipients of the information to comply with clauses (i) and (ii).
(B) Re-identify. The term re-identify means to link information that has been de-identified to a specific teenager or child or specific consumer device of a teenager or child.
(15) State. The term State means each of the several States, the District of Columbia, each territory of the United States, and each federally recognized Indian Tribe.
(16) Service provider. The term service provider means a covered entity that processes covered information at the direction of, and for the sole benefit of, another covered entity, and—
(A) is contractually or legally prohibited from processing such covered information for any other purpose; and
(B) complies with all of the requirements of this title and the regulations promulgated under this title.
(17) Digital service. The term digital service means a website, online service, online application, mobile application, or any other service that processes covered information digitally.
(18) Children’s service. The term children’s service means—
(A) a digital service or portion thereof that is directed to children; or
(B) any other digital service or portion thereof, if the operator of the service decides to treat all users of the service or portion, as the case may be, as children.
(19) Privacy risk. The term privacy risk means potential adverse consequences to an individual, group of individuals, or society arising from the processing of covered information, including—
(A) physical harm;
(B) psychological or emotional harm;
(C) negative or harmful outcomes or decisions with respect to an individual’s eligibility for rights, benefits, or opportunities;
(D) reputational and dignity harm;
(E) financial harm, including price discrimination;
(F) inconvenience or expenditure of time;
(G) disruption and intrusion from unwanted communications or contacts;
(H) other effects that limit an individual’s choices, influence an individual’s responses, or predetermine results or outcomes for that individual; and
(I) other demonstrable adverse consequences that affect an individual’s private life, including private family matters, actions, and communications within an individual’s home or similar physical, online, or digital location.
(20) Privacy and security impact assessment and mitigation (PSIAM)
(A) In general. The terms privacy and security impact assessment and mitigation and PSIAM mean, with respect to a digital service, an assessment and mitigation by the operator of the service of risks to the children and teenagers who access the service that arise from the processing of covered information, taking into account privacy risks, security risks, the rights and best interests of children and teenagers, differing ages, capacities, and developmental needs of children and teenagers, and any significant internal or external emerging risks, and ensuring that the PSIAM builds in risk mitigation and compliance with the other requirements of this title.
(B) Requirements. In conducting a PSIAM with respect to a digital service, the operator of the service shall do the following:
(i) Embed the PSIAM into the design process of the service and complete the PSIAM before the launch of the service and on an ongoing basis, and before making significant changes to the processing of covered information.
(ii) Publicly disclose the nature, scope, context, and purposes of the processing of covered information.
(iii) Depending on the size of the service and level of risks identified—
(I) seek and document the views of children, teenagers, and parents (or their representatives), as well as experts in children’s and teenagers’ developmental needs; and
(II) take such views into account in the design of the service.
(iv) Publicly disclose an explanation of why the operator’s processing of covered information is necessary and proportionate vis-à-vis the risks for the service, and how the operator complies with the requirements of this title.
(v) Assess any processing of covered information that is not in the best interests of children or teenagers or that can be detrimental to their wellbeing and safety, whether physical, emotional, developmental, or material.
(vi) Identify, assess, and mitigate high-risk processing of covered information.
(vii) Identify measures taken to mitigate the risks identified under clause (vi) and comply with the other requirements of this title.
(viii) Provide for regular internal reporting on the effectiveness of controls and residual risks of the operator.
(C) Auditable by Commission. The Commission may audit a PSIAM conducted by an operator as the Commission considers necessary.
(21) Directed to children
(A) In general. The term directed to children means, with respect to a digital service, that the digital service is targeted to or attractive to children, as demonstrated by—
(i) the subject matter of the digital service;
(ii) the visual content of the digital service;
(iii) the use of animated characters or child-oriented activities for children, and related incentives, on the digital service;
(iv) the music or other audio content on the digital service;
(v) the age of models on the digital service;
(vi) the presence on the digital service of—
(I) child celebrities; or
(II) celebrities who appeal to children;
(vii) the language used on the digital service;
(viii) advertising content used on, or used to advertise, the digital service;
(ix) reliable empirical evidence relating to—
(I) the composition of the audience of the digital service, including—
(aa) data the operator of the digital service may directly or indirectly collect, use, profile, buy, sell, classify, or analyze (via algorithms or other forms of data analytics, including look-alike modeling) about a user or groups of users to estimate, identify, or classify the age or age range (or a proxy thereof) of such user or groups of users;
(bb) advertising information or results, such as data, reporting, or information from the internal communications of the operator of the digital service, including documentation about its advertising practices, such as an advertisement insertion order, or other promotional material to marketers, that indicates that covered information is being collected from children that are using the digital service;
(cc) data or reporting from the general or trade press of the digital service indicating that children are using the digital service;
(dd) complaints from parents or other third parties about child users using the digital service, whether through the complaint mechanism of the digital service, by email, or by other means; and
(ee) data or reporting from a privacy and security impact assessment and mitigation, compliance program, or other compliance, risk management, or internal process that documents privacy risks and controls related to children’s privacy, including the existence of data analytics controlled by the operator of the digital service, including those of service providers, and content analytics capabilities and functions or outputs; and
(II) the intended audience of the digital service, including data the operator of the digital service directly or indirectly collects, uses, profiles, buys, sells, classifies, or analyzes (via algorithms or other forms of data analytics, including look-alike modeling) about the nature of the content of the digital service that estimates, identifies, or classifies the content as child-directed or similarly estimates, identifies, or classifies the intended or likely audience for the content; or
(x) any other evidence or circumstances the Commission determines appropriate.
(B) Covered information from other services. A digital service shall be deemed to be directed to children if the operator of the digital service has actual or constructive knowledge that the digital service collects covered information directly from users of any other digital service that is directed to children under the criteria described in subparagraph (A).
(C) Signals from third parties. A digital service shall be deemed directed to children if the digital service receives a signal from a third party indicating that the digital service is intended for children or likely to appeal to children, whether directly or using a flag or other formal industry standard or convention.
(D) Limitation. A digital service that does not target children as its primary audience shall not be deemed directed to children if the digital service—
(i) does not collect covered information from any visitor prior to collecting age information; and
(ii) prevents the collection, use, or disclosure of covered information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of this title and the regulations promulgated under this title.
(E) Further limitation. A digital service shall not be deemed directed to children solely because the digital service refers or links to another digital service that is directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.
(F) Determination regarding a portion of a digital service. For purposes of determining whether a portion of a digital service is directed to children, any reference in this paragraph to a digital service shall be considered to refer to such portion.
(22) Likely to be accessed by children or teenagers. The term likely to be accessed by children or teenagers means, with respect to a digital service, that the possibility of more than a de minimis number of children or teenagers accessing the digital service is more probable than not. In determining whether a digital service is likely to be accessed by children or teenagers, the operator of the service shall consider whether the service has particular appeal to children or teenagers and whether effective measures (such as age gating) are in place that prevent children or teenagers from gaining access to the service.
(23) Age assurance. The term age assurance means a verifiable process to estimate or determine the age of a user of a digital service with a given and documented degree of certainty.
(24) Age gate. The term age gate means to use a verifiable process that meets a documented degree of certainty to restrict or block access to a digital service for users that do not meet an age requirement.

3. Requirements for processing of covered information of children or teenagers
(a) In general. Section 1303 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6502) is amended to read as follows:

1303. Requirements for processing of covered information of children or teenagers
(a) Requirements for children’s services
(1) Data minimization. An operator of a children’s service shall process covered information under the principle of data minimization, requiring the operator to only process the minimum amount necessary for a specified purpose.
(2) Transparency. An operator of a children’s service shall develop and make publicly available, at all times and in a machine-readable format, a privacy policy, in a manner that is clear, easily understood, and written in plain and concise language, that includes—
(A) the categories of covered information that the operator processes about teenagers and children;
(B) how and under what circumstances covered information is collected directly from a teenager or child;
(C) the categories and the sources of any covered information processed by the operator that is not collected directly from a teenager or child;
(D) a description of the purposes for which the operator processes covered information, including—
(i) a description of whether and how the operator customizes products or services, or adjusts the prices of products or services for teenagers or children or based in any part on processing of covered information;
(ii) a description of whether and how the operator, or the operator’s affiliates or service providers, de-identifies information, including the methods used to de-identify such information; and
(iii) a description of whether and how the operator, or the operator’s affiliates or service providers, generates or uses any consumer score to make decisions concerning a teenager or child, and the source or sources of any such consumer score;
(E) a description of how long and the circumstances under which the operator retains covered information;
(F) a description of all of the purposes for which the operator discloses covered information to service providers and, on a biennial basis, the categories of service providers;
(G) a description of whether and for what purposes the operator discloses covered information to third parties, and the categories of covered information disclosed;
(H) a description of the categories of third parties to which covered information described in subparagraph (G) is disclosed, by category or categories of covered information for each category of third party to which the covered information is disclosed;
(I) whether the operator discloses covered information to data brokers;
(J) whether the operator collects covered information about teenagers or children over time and across different digital services when a teenager or child uses the operator’s digital service;
(K) how a teenager or a parent of a child can exercise their rights to access, correct, and delete such teenager’s or child’s covered information as set forth in paragraph (6);
(L) a listing of all possible consents that may be obtained by the operator for the processing of covered information, how a teenager or the parent of a child can grant, withhold, withdraw, or modify any such consent, and the consequences of withholding, withdrawing, or modifying any such consent;
(M) the effective date of the notice; and
(N) how the operator will communicate material changes of the privacy policy to the teenager or the parent of a child.
(3) Consent required
(A) In general. An operator of a children’s service shall—
(i) provide clear and concise notice to a teenager or the parent of a child of the items of covered information about such teenager or child, respectively, that is processed by such operator and how such operator processes such covered information and obtain verifiable consent for such processing; and
(ii) if such operator determines, including through actual or constructive knowledge, that such operator has not obtained verifiable consent for any specific processing of covered information about a teenager or child, not later than 48 hours after such determination—
(I) obtain verifiable consent; or
(II) delete all covered information about such teenager or child.
(B) When consent not required. Verifiable consent under this paragraph is not required in the case of—
(i) online contact information collected from a teenager or child that—
(I) is used only to respond directly on a one-time basis to a specific request from the teenager or child;
(II) is not used to re-contact the teenager or child; and
(III) is not retained by the operator after responding as described in subclause (I);
(ii) a request for the name or online contact information of a teenager or the parent of a child that is used for the sole purpose of obtaining verifiable consent or providing notice under subparagraph (A)(i), where such information is not retained by the operator if verifiable consent is not obtained within 48 hours; or
(iii) the processing of covered information that is necessary—
(I) to respond to judicial process; or
(II) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
(C) Withdrawal of consent
(i) Mechanism for withdrawal. An operator of a children’s service shall provide a teenager or the parent of a child, as applicable—
(I) a mechanism to withdraw consent to the processing of covered information at any time in a manner that is as easy as the mechanism to give consent; and
(II) clear and conspicuous notice of the mechanism required by subclause (I).
(ii) Effect of withdrawal on prior processing. Withdrawal of consent to the processing of covered information shall not be construed to affect the lawfulness of any processing of covered information based on verifiable consent that was in effect before such withdrawal.
(D) Prohibition on limiting or discontinuing service. An operator of a children’s service may not refuse to provide a service, or discontinue a service provided, to a teenager or child, if the teenager or parent of the child, as applicable, refuses to consent, or withdraws consent, to the processing of any covered information not technically required for the operator to provide such service.
(4) Retention of data
(A) Retention limitations. Subject to the exceptions provided in subparagraph (B), an operator of a children’s service may not keep, retain, or otherwise store covered information for longer than is reasonably necessary for the purposes for which the covered information is processed.
(B) Exceptions. Further retention of covered information shall not be considered to be incompatible with the purposes of processing described in subparagraph (A) if such processing is necessary and done solely for the purposes of—
(i) compliance with—
(I) requirements to document compliance under this title; or
(II) other laws, regulations, or legal obligations;
(ii) preventing risks to the health or safety of a child or teenager or groups of children or teenagers; or
(iii) repairing errors that impair existing functionality.
(5) Limitation on disclosing covered information to third parties
(A) Disclosures. An operator of a children’s service may not disclose covered information to a third party unless the operator has a written agreement with such third party that—
(i) specifies all of the purposes for which the third party may process the covered information for which the operator has verifiable consent;
(ii) prohibits the third party from processing covered information for any purpose other than the purposes specified under clause (i); and
(iii) requires the third party to provide at least the same privacy and security protections as the operator.
(B) Responsibilities of operators regarding third parties. An operator of a children’s service—
(i) shall perform reasonable due diligence in selecting any third party with which to enter into an agreement described in subparagraph (A) and shall exercise reasonable oversight over all such third parties to assure compliance with the requirements of this title and the regulations promulgated under this title; and
(ii) if the operator has actual or constructive knowledge that a third party has violated an agreement described in subparagraph (A), shall—
(I) to the extent practicable, promptly take steps to ensure compliance with such agreement; and
(II) promptly report to the Commission that such a violation occurred.
(6) Right to access, correct, and delete covered information
(A) Access. An operator of a children’s service, subject to the exceptions in subparagraph (D), shall, upon request of a teenager or the parent of a child and after proper identification of such teenager or parent, promptly provide to such teenager or parent, as applicable—
(i) access to all covered information processed by the operator pertaining to such teenager or child, including a description of—
(I) each type of covered information processed by the operator pertaining to the teenager or child, as applicable;
(II) each purpose for which the operator processes each category of covered information pertaining to the teenager or child, as applicable;
(III) the names of each third party to which the operator disclosed the covered information;
(IV) each source other than the teenager or child, as applicable, from which the operator obtained covered information pertaining to that teenager or child, as applicable;
(V) how long the covered information will be retained or stored by the operator and, if not known, the criteria the operator uses to determine how long the covered information will be retained or stored by the operator; and
(VI) with respect to any score of the teenager or child, as applicable, processed by the operator—
(aa) how such score is used by the operator to make decisions with respect to that teenager or child, as applicable; and
(bb) the source that created the score if not created by the operator; and
(ii) a simple and reasonable mechanism by which a teenager or parent of a child may request access to the information described under clause (i), as applicable.
(B) Deletion. An operator of a children’s service, subject to the exceptions in subparagraph (D), shall—
(i) establish a simple, publicly and easily accessible, and reasonable mechanism by which a teenager or parent of a child with respect to whom the operator processes covered information may request the operator to delete any such covered information (or any component thereof), including publicly available covered information submitted to the service by the child or teenager; and
(ii) delete such covered information not later than 45 days after receiving such request.
(C) Correction. An operator of a children’s service, subject to the exceptions in subparagraph (D), shall—
(i) provide each teenager or parent of a child with respect to whom the operator processes covered information, as applicable, a simple, publicly and easily accessible, and reasonable mechanism by which that teenager or parent may submit a request to the operator—
(I) to dispute the accuracy or completeness of that covered information, or part or component thereof; and
(II) to request that such covered information, or part or component thereof, be corrected for accuracy or completeness; and
(ii) not later than 45 days after receiving a request under clause (i)—
(I) determine whether the covered information disputed or requested to be corrected is inaccurate or incomplete; and
(II) correct the accuracy or completeness of any covered information determined by the operator to be inaccurate or incomplete.
(D) Exceptions. An operator of a children’s service may deny a request made under subparagraph (A), (B), or (C) if—
(i) the operator is unable to verify the identity of the teenager or parent of a child making the request after making a reasonable effort to verify the identity of such teenager or parent;
(ii) with respect to the request made, the operator determines that—
(I) the operator is limited from fulfilling the request by law, legally recognized privilege, or other legal obligation; or
(II) fulfilling the request would create a legitimate risk to the privacy, security, or safety of someone other than the teenager or child, as applicable;
(iii) with respect to a request to delete covered information made under subparagraph (B) or a request to correct covered information made under subparagraph (C), the operator determines that the retention of the covered information is necessary to—
(I) complete the transaction with the teenager or child, as applicable, for which the covered information was collected;
(II) provide a product or service affirmatively requested by the teenager or parent of a child, as applicable;
(III) perform a contract with the teenager or a parent of a child, as applicable, including a contract for billing, financial reporting, or accounting;
(IV) keep a record of the covered information for law enforcement purposes; or
(V) identify and repair errors that impair the functionality of the children’s service; or
(iv) the covered information is used in public or peer-reviewed scientific, medical, or statistical research in the public interest that adheres to commonly accepted ethical standards or laws, with informed consent consistent with section 50.20 of title 21, Code of Federal Regulations, if the research is already in progress at the time when the request to access, delete, or correct is made under subparagraph (A), (B), or (C).
(E) Prohibition on limiting or discontinuing service. An operator of a children’s service may not refuse to provide a service, or discontinue a service provided, to a teenager or child, if the teenager or parent of the child, as applicable, exercises any of the rights set forth in this paragraph.
(7) Additional prohibited practices with respect to teenagers and children
(A) In general. An operator of a children’s service may not—
(i) process any covered information in a manner that is inconsistent with what a reasonable teenager or parent of a child would expect in the context of a particular transaction or the teenager’s or parent’s relationship with such operator, or seek to obtain verifiable consent for such processing;
(ii) process any covered information in a manner that is harmful or has been shown to be detrimental to the well-being of children or teenagers;
(iii) process covered information for the purpose of providing for targeted personalized advertising or engage in other marketing to a specific child or teenager or group of children or teenagers based on—
(I) using the covered information, online behavior, or group identifiers of such child or teenager or of the children or teenagers in such group; or
(II) using the covered information or online behavior of children or teenagers who share characteristics with such child or teenager or with the children or teenagers in such group, including income level or protected characteristics or proxies thereof;
(iv) condition the participation of a child or teenager in a game, sweepstakes, or other contest on consenting to the processing of more covered information than is necessary for such child or teenager to participate;
(v) engage in cross-device tracking of a child or teenager unless the child or teenager is logged-in to a specific service, for the sole purpose of facilitating the primary purpose of the good or service or a specific feature thereof;
(vi) engage in algorithmic processes that discriminate on the basis of race, age, gender, ability, or other protected characteristics;
(vii) disclose biometric information;
(viii) disclose geolocation information; or
(ix) collect geolocation information by default or without making it clear to a user when geolocation tracking is in effect.
(B) Exceptions. Nothing in subparagraph (A) shall prohibit an operator from processing covered information if necessary solely for purposes of—
(i) detecting and preventing security incidents;
(ii) preventing imminent danger to the personal safety of an individual or group of individuals;
(iii) identifying and repairing errors that impair the core functionality of the children’s service; or
(iv) complying with any Federal, State, or local law, rule, regulation, or other legal obligation, including civil, criminal, or regulatory inquiries, investigations, subpoenas, or court orders or other properly executed compulsory process requiring the disclosure of information.
(8) Security requirements
(A) In general. An operator of a children’s service shall establish and implement reasonable security policies, practices, and procedures for the treatment and protection of covered information, taking into consideration—
(i) the size, nature, scope, and complexity of the activities engaged in by such operator;
(ii) the sensitivity of any covered information at issue;
(iii) the state of the art in administrative, technical, and physical safeguards for protecting such information; and
(iv) the cost of implementing such policies, practices, and procedures.
(B) Specific requirements. The policies, practices, and procedures established by an operator under subparagraph (A) shall include the following:
(i) A written security policy with respect to the processing of such covered information.
(ii) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
(iii) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such operator that contains such covered information, including regular monitoring for a breach of security of such system or systems.
(iv) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by clause (iii), which may include—
(I) implementing any changes to the security practices, architecture, installation, or implementation of network or operating software; and
(II) regular testing or otherwise monitoring the effectiveness of the safeguards.
(v) A process for determining if the covered information is no longer needed and deleting such covered information by shredding, permanently erasing, or otherwise modifying the covered information to make such covered information permanently unreadable or indecipherable.
(vi) A process for overseeing persons who have access to covered information, including through internet-connected devices, by—
(I) taking reasonable steps to select and retain persons that are capable of maintaining appropriate safeguards for the covered information or internet-connected devices at issue; and
(II) requiring all such persons to implement and maintain such security measures.
(vii) A process for employee training and supervision for implementation of the policies, practices, and procedures required by this subsection.
(viii) A written plan or protocol for internal and public response in the event of a breach of security.
(C) Periodic assessment and consumer privacy and data security modernization. An operator of a children’s service shall, not less frequently than every 12 months, monitor, evaluate, and adjust, as appropriate, the policies, practices, and procedures of such operator in light of any relevant changes in—
(i) technology;
(ii) internal or external threats and vulnerabilities to covered information; and
(iii) the changing business arrangements of the operator.
(D) Submission of policies to the FTC. An operator of a children’s service shall submit the policies, practices, and procedures established by the operator under subparagraph (A) to the Commission in conjunction with a notification of a breach of security required by any Federal or State statute or regulation or upon request of the Commission.
(b) Rulemaking regarding requirements for digital services likely to be accessed by children or teenagers
(1) In general. The Commission shall promulgate regulations under section 553 of title 5, United States Code, that contain requirements for operators of digital services that are not children’s services but are likely to be accessed by children or teenagers, which shall be based on the requirements of subsection (a) but modified as the Commission considers appropriate given a risk-based approach to determine age and to determine and mitigate privacy risks and security risks to the child or teenager, and given differing developmental needs and cognitive capacities of children or teenagers. The Commission may include in such regulations different requirements for operators of different types of such services.
(2) Best interests of child or teenager. The regulations promulgated under paragraph (1) shall require an operator to make the best interests of children and teenagers a primary design consideration when designing its service, including by conducting a privacy and security impact assessment and mitigation for the service, addressing all privacy risks to children and teenagers which arise from the processing of covered information, taking into account the best interests of children and teenagers.
(3) Risk-based approach to determining age of user
(A) In general. The regulations promulgated under paragraph (1) shall require a risk-based approach to determining the age of a specific user of a digital service under which higher privacy risks and security risks from the processing of covered information require a higher certainty of age assurance.
(B) Age assurance. The regulations promulgated under paragraph (1) shall require an operator to conduct an age assurance to determine the age of each specific user.
(C) Approval of age assurance mechanisms. The Commission shall establish in the regulations promulgated under paragraph (1) a process under which an operator may obtain the approval of the Commission of particular mechanisms of age assurance as meeting the age assurance requirements of such regulations for particular levels of privacy risks.
(D) Data minimization. The regulations required by paragraph (1) shall provide that any data collected for age assurance shall be the minimal amount necessary and destroyed immediately or as determined by the Commission, but consistent with standards that still allow for auditing and compliance.
(c) Prohibition on certain advertising or marketing for digital services likely to be accessed by children or teenagers. An operator of a digital service that is likely to be accessed by children or teenagers may not process covered information for the purpose of providing for targeted personalized advertising or engage in other marketing to a specific child or teenager or group of children or teenagers based on—
(1) using the covered information, online behavior, or group identifiers of such child or teenager or of the children or teenagers in such group; or
(2) using the covered information or online behavior of children or teenagers who share characteristics with such child or teenager or with the children or teenagers in such group, including income level or protected characteristics or proxies thereof.
(d) Enforcement. Subject to section 1306, a violation of this section or a regulation promulgated under this section shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(b) Conforming amendments. Section 1305 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6504) is amended—
(1) in subsection (a)(1)—
(A) by striking “any regulation of the Commission prescribed under section 1303(b)” and inserting “section 1303 or a regulation promulgated under such section”; and
(B) in subparagraph (B), by striking “the regulation” and inserting “such section or such regulation”; and
(2) in subsection (d)—
(A) by striking “any regulation prescribed under section 1303” and inserting “section 1303 or a regulation promulgated under such section”; and
(B) by striking “that regulation” and inserting “such section or such regulation”.

4. Repeal of safe harbors provision
(a) In general. Section 1304 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6503) is repealed.
(b) Conforming amendment. Section 1305(b) of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6504(b)) is amended by striking paragraph (3).

5. Administration and applicability of Act
(a) Enforcement by Federal Trade Commission. Section 1306(d) of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6505(d)) is amended to read as follows:

(d) Actions by the Commission
(1) In general. Except as provided in paragraphs (2) and (3), the Commission shall prevent any person from violating section 1303 or a regulation promulgated under such section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this title, and any entity that violates such section or such regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this title.
(2) Increased civil penalty amount. In the case of a civil penalty under subsection (l) or (m) of section 5 of the Federal Trade Commission Act (15 U.S.C. 45) relating to acts or practices in violation of section 1303 or a regulation promulgated under such section, the maximum dollar amount per violation shall be $63,795.
(3) Nature of relief available. In any action commenced by the Commission under subsection (a) of section 19 of the Federal Trade Commission Act (15 U.S.C. 57b) to enforce section 1303 of this title or a regulation promulgated under such section, the Commission shall seek all appropriate relief described in subsection (b) of such section 19, and may, notwithstanding such subsection, seek any exemplary or punitive damages.

(b) Enforcement by certain other agencies. Section 1306 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is amended—
(1) in subsection (b)—
(A) in paragraph (1), by striking “, in the case of” and all that follows and inserting the following: “by the appropriate Federal banking agency, with respect to any insured depository institution (as those terms are defined in section 3 of that Act (12 U.S.C. 1813));”;
(B) in paragraph (6), by striking “Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association” and inserting “Farm Credit Bank, Agricultural Credit Bank (to the extent exercising the authorities of a Farm Credit Bank), Federal Land Credit Association, or agricultural credit association”; and
(C) by striking paragraph (2) and redesignating paragraphs (3) through (6) as paragraphs (2) through (5), respectively; and
(2) in subsection (c), by striking “subsection (a)” each place it appears and inserting “subsection (b)”.

6. Review
Section 1307 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6506) is amended—
(1) in the matter preceding paragraph (1), by striking “the regulations initially issued under section 1303” and inserting “the regulations issued under section 10(a) of the Protecting the Information of our Vulnerable Children and Youth Act (relating to the implementation of the amendments made by such Act to this title)”; and
(2) by amending paragraph (1) to read as follows:

(1) review the implementation of this title, including the effect of the implementation of this title on practices relating to the processing of covered information about teenagers or children and teenagers’ and children’s ability to obtain access to information of their choice online; and

7. Private right of action
The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.) is amended—
(1) by redesignating sections 1307 and 1308 as sections 1308 and 1309, respectively; and
(2) by inserting after section 1306 the following:

1307. Private right of action
(a) Right of action. Any parent of a teenager or parent of a child alleging a violation of section 1303 or a regulation promulgated under such section with respect to the covered information of such teenager or child may bring a civil action in any court of competent jurisdiction.
(b) Injury in fact. A violation of section 1303 or a regulation promulgated under such section with respect to the covered information of a teenager or child constitutes an injury in fact to that teenager or child.
(c) Relief. In a civil action brought under subsection (a) in which the plaintiff prevails, the court may award—
(1) injunctive relief;
(2) actual damages;
(3) punitive damages;
(4) reasonable attorney’s fees and costs; and
(5) any other relief that the court determines appropriate.
(d) Pre-dispute arbitration agreements
(1) In general. No pre-dispute arbitration agreement or pre-dispute joint-action waiver shall be valid or enforceable with respect to any claim arising under section 1303 or a regulation promulgated under such section.
(2) Determination. A determination as to whether and how this title or a regulation promulgated under this title applies to an arbitration agreement shall be determined under Federal law by the court, rather than the arbitrator, irrespective of whether the party opposing arbitration challenges such agreement specifically or in conjunction with any other term of the contract containing such agreement.
(3) Definitions. As used in this subsection—
(A) the term “pre-dispute arbitration agreement” means any agreement to arbitrate a dispute that has not arisen at the time of the making of the agreement; and
(B) the term “pre-dispute joint-action waiver” means an agreement, whether or not part of a pre-dispute arbitration agreement, that would prohibit, or waive the right of, one of the parties to the agreement to participate in a joint, class, or collective action in a judicial, arbitral, administrative, or other forum, concerning a dispute that has not yet arisen at the time of the making of the agreement.
(e) Non-waivability. The rights and remedies provided under this title may not be waived or limited by contract or otherwise.
8. Relationship to other law
Section 1306 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is further amended by adding at the end the following:

(f) Relationship to other law
(1) Other Federal privacy or security provisions. Nothing in this title or a regulation promulgated under this title may be construed to modify, limit, or supersede the operation of any privacy or security provision in any other Federal statute or regulation.
(2) State law. Nothing in this title or a regulation promulgated under this title may be construed to preempt, displace, or supplant any State common law or statute, except to the extent that any such common law or statute specifically and directly conflicts with the provisions of this title or a regulation promulgated under this title, and then only to the extent of the specific and direct conflict. Any such common law or statute is not in specific and direct conflict if it affords a greater level of protection to a child or teenager than the provisions of this title or a regulation promulgated under this title.
(3) Section 230 of the Communications Act of 1934. Nothing in section 230 of the Communications Act of 1934 (47 U.S.C. 230) may be construed to impair or limit the provisions of this title or a regulation promulgated under this title.
9. Additional conforming amendment
The heading of title XIII of division C of the Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1999 (Public Law 105–277; 112 Stat. 2681–728) is amended by inserting “and Teenager’s” after “Children’s”.

10. Implementing regulations
(a) In general. Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to implement the amendments made by this Act, including the regulations required by subsection (b) of section 1303 of the Children’s Online Privacy Protection Act of 1998, as amended by this Act.
(b) Review and revision. Not later than 10 years after the date on which the Commission promulgates the regulations required by subsection (a), the Commission shall review such regulations and, if the Commission considers revisions to such regulations appropriate, promulgate such revisions under section 553 of title 5, United States Code.

11. Youth Privacy and Marketing Division
(a) Establishment. There is established within the Commission a division to be known as the Youth Privacy and Marketing Division.
(b) Director. The Youth Privacy and Marketing Division shall be headed by a Director, who shall be appointed by the Chairman of the Commission.
(c) Duties. The Youth Privacy and Marketing Division shall be responsible for addressing, as it relates to this Act and the amendments made by this Act—
(1) the privacy of children and teenagers; and
(2) marketing directed at children and teenagers.
(d) Staff. The Director of the Youth Privacy and Marketing Division shall hire adequate staff to carry out the duties under subsection (c), including individuals who are experts in data protection, digital advertising, data analytics, and youth development.
(e) Reports. Not later than 1 year after the date of the enactment of this Act, and each year thereafter, the Director of the Youth Privacy and Marketing Division shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that includes—
(1) a description of the work of the Youth Privacy and Marketing Division on emerging concerns relating to youth privacy and marketing practices; and
(2) an assessment of how effectively the Commission has, during the period for which the report is submitted, addressed youth privacy and marketing practices.
(f) Definitions. In this section, the terms “child” and “teenager” have the meanings given such terms in section 1302 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501), as amended by this Act.

12. Commission defined
In this Act, the term “Commission” means the Federal Trade Commission.

13. Effective date
The amendments made by this Act shall take effect on the date that is 1 year after the Commission promulgates the regulations required by section 10(a).