[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 1628 Introduced in Senate (IS)]
<DOC>
117th CONGRESS
1st Session
S. 1628
To amend the Children's Online Privacy Protection Act of 1998 to
strengthen protections relating to the online collection, use, and
disclosure of personal information of children and minors, and for
other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 13, 2021
Mr. Markey (for himself and Mr. Cassidy) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To amend the Children's Online Privacy Protection Act of 1998 to
strengthen protections relating to the online collection, use, and
disclosure of personal information of children and minors, and for
other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Children and
Teens' Online Privacy Protection Act''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Table of contents.
Sec. 2. Definitions.
Sec. 3. Online collection, use, and disclosure of personal information
of children and minors.
Sec. 4. Fair Information Practices Principles.
Sec. 5. Digital Marketing Bill of Rights for Minors.
Sec. 6. Targeted marketing to children or minors.
Sec. 7. Removal of content.
Sec. 8. Privacy dashboard for connected devices for children and
minors.
Sec. 9. Prohibition on sale of connected devices for children and
minors that fail to meet appropriate
cybersecurity and data security standards.
Sec. 10. Rule for treatment of users of websites, services, and
applications directed to children or
minors.
Sec. 11. Study of mobile and online application oversight.
Sec. 12. Youth Privacy and Marketing Division.
Sec. 13. Enforcement and applicability.
SEC. 2. DEFINITIONS.
(a) In General.--In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Constructive knowledge.--
(A) In general.--The term ``constructive
knowledge'' means that knowledge that a minor is a
minor under section 5(a)(1)(A)(i)(II) shall be imputed,
at a minimum, to an operator if--
(i) the operator directly or indirectly
collects, uses, profiles, buys, sells,
classifies, or analyzes (using an algorithm or
other form of data analytics) data about a user
or groups of users to estimate, identify, or
classify the age, age range, or proxy thereof;
(ii) the operator directly or indirectly
collects, uses, profiles, buys, sells,
classifies or analyzes (using an algorithm or
other form of data analytics) data about the
nature of the content of the website, online
service, online application, or mobile
application that estimates, identifies, or
classifies the content as directed to users of
a particular age range or similarly estimates,
identifies, or classifies the intended or
likely audience for the content;
(iii) the operator has or receives data or
reporting related to the age of users on the
website, online service, online application, or
mobile application under the self-regulatory
guidelines described in section 1304 of the
Children's Online Privacy Protection Act of
1998 (15 U.S.C. 6503) that documents risks and
controls, including the existence of operator-
controlled data analytics and content analytics
capabilities and functions or outputs;
(iv) the operator has or receives
complaints from parents or other third parties
about the age of users using its service,
whether through the operators' complaint
mechanism, by email, or other means
conveniently accessible by the user;
(v) the operator has or receives data or
reporting or information from the operator's
internal communications, including
documentation about its advertising practices,
such as an advertisement insertion order, or
other promotional material to marketers, that
indicates that data is being collected from
users of a particular age range that are using
the product or service;
(vi) the operator has publicly available
data or reporting regarding the operator's
product or service indicating that users of a
particular age range are using the product or
service; or
(vii) a content provider on the operator's
website, online service, online application, or
mobile application communicates to an ad-
network that the content is intended for users
of a particular age range or likely to appeal
to users of a particular age range, whether
directly or indirectly.
(B) Additional factors.--The Commission may issue
guidance or promulgate rules that indicate factors, in
addition to those described in subparagraph (A), that
should be considered to be constructive knowledge for
purposes of this Act.
(3) Standards.--The term ``standards'' means benchmarks,
guidelines, best practices, methodologies, procedures, and
processes.
(b) Other Definitions.--The definitions set forth in section 1302
of the Children's Online Privacy Protection Act of 1998 (15 U.S.C.
6501), as amended by section 3(a) of this Act, shall apply in this Act,
except to the extent the Commission provides otherwise by regulations
issued under section 553 of title 5, United States Code.
SEC. 3. ONLINE COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION
OF CHILDREN AND MINORS.
(a) Definitions.--Section 1302 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6501) is amended--
(1) by amending paragraph (2) to read as follows:
``(2) Operator.--The term `operator'--
``(A) means any person--
``(i) who, for commercial purposes, in
interstate or foreign commerce operates or
provides a website on the internet, an online
service, an online application, or a mobile
application; and
``(ii) who--
``(I) collects or maintains, either
directly or through a service provider,
personal information from or about the
users of that website, service,
application, or connected device;
``(II) allows another person to
collect personal information directly
from users of that website, service,
application, or connected device (in
which case, the operator is deemed to
have collected the information); or
``(III) allows users of that
website, service, application, or
connected device to publicly disclose
personal information (in which case,
the operator is deemed to have
collected the information); and
``(B) does not include any nonprofit entity that
would otherwise be exempt from coverage under section 5
of the Federal Trade Commission Act (15 U.S.C. 45).'';
(2) in paragraph (4)--
(A) by amending subparagraph (A) to read as
follows:
``(A) the release of personal information collected
from a child or minor for any purpose, except where the
personal information is provided to a person other than
an operator who--
``(i) provides support for the internal
operations of the website, online service,
online application, or mobile application of
the operator, excluding any activity relating
to targeted marketing directed to children,
minors, or connected devices; and
``(ii) does not disclose or use that
personal information for any other purpose;
and''; and
(B) in subparagraph (B)--
(i) by inserting ``or minor'' after
``child'' each place the term appears;
(ii) by inserting ``or minors'' after
``children''; and
(iii) by striking ``website or online
service'' and inserting ``website, online
service, online application, or mobile
application'';
(3) in paragraph (8), by striking subparagraphs (F) and (G)
and inserting the following:
``(F) geolocation information;
``(G) information used for biometric
identification, as defined in section 70123 of title
46, United States Code, of an individual;
``(H) information reasonably associated with or
attributed to an individual;
``(I) information (including an internet protocol
address) that permits the identification of--
``(i) an individual; or
``(ii) any device used by an individual to
directly or indirectly access the internet or
an online service, online application, or
mobile application; or
``(J) information concerning a child or minor or
the parents of that child or minor (including any
unique or substantially unique identifier, such as a
customer number) that an operator collects online from
the child or minor and combines with an identifier
described in this paragraph.'';
(4) by amending paragraph (9) to read as follows:
``(9) Verifiable consent.--The term `verifiable consent'
means any reasonable effort (taking into consideration
available technology), including a request for authorization
for future collection, use, and disclosure described in the
notice, to ensure that, in the case of a child, a parent of the
child, or, in the case of a minor, the minor--
``(A) receives specific notice of the personal
information collection, use, and disclosure practices
of the operator; and
``(B) before the personal information of the child
or minor is collected, freely and unambiguously
authorizes--
``(i) the collection, use, and disclosure,
as applicable, of that personal information;
and
``(ii) any subsequent use of that personal
information.'';
(5) by striking paragraph (10) and redesignating paragraphs
(11) and (12) as paragraphs (10) and (11), respectively; and
(6) by adding at the end the following:
``(12) Connected device.--The term `connected device' means
a device that is capable of connecting to the internet,
directly or indirectly, or to another connected device.
``(13) Online.--The term `online' means--
``(A) connected to or compatible with the internet;
or
``(B) via the internet.
``(14) Online application.--The term `online application'--
``(A) means an internet-connected software program;
and
``(B) includes a service or application offered via
a connected device.
``(15) Online service.--The term `online service'--
``(A) means broadband internet access service, as
defined in the Report and Order on Remand, Declaratory
Ruling, and Order in the matter of protecting and
promoting the open internet, adopted by the Federal
Communications Commission on February 26, 2015 (FCC 15-
24); and
``(B) includes a service or application offered via
a connected device.
``(16) Directed to a child or minor.--
``(A) In general.--The terms `directed to a child'
or `directed to a minor' means, with respect to a
website, online service, online application, or mobile
application, the website, online service, online
application, or mobile application is targeted to
children or minors, as the case may be, as demonstrated
by--
``(i) the subject matter of the website,
online service, online application, or mobile
application;
``(ii) the visual content of the website,
online service, online application, or mobile
application;
``(iii) the use of animated characters or
child-oriented activities for children, or the
use of minor-oriented characters or minor-
oriented activities for minors, and related
incentives on the website, online service,
online application, or mobile application;
``(iv) the music or other audio content on
the website, online service, online
application, or mobile application;
``(v) the age of models on the website,
online service, online application, or mobile
application;
``(vi) the presence, on the website, online
service, online application, or mobile
application, of--
``(I) child celebrities;
``(II) celebrities who appeal to
children;
``(III) teen celebrities; or
``(IV) celebrities who appeal to
minors;
``(vii) the language used on the website,
online service, online application, or mobile
application;
``(viii) advertising content used on, or
used to advertise, the website, online service,
online application, or mobile application; or
``(ix) reliable empirical evidence relating
to--
``(I) the composition of the
audience of the website, online
service, online application, or mobile
application; and
``(II) the intended audience of the
website, online service, online
application, or mobile application.
``(B) Rules of construction.--
``(i) Services deemed directed to children
or minors.--For the purposes of this title, a
website, online service, online application, or
mobile application shall be deemed to be
directed to children or minors if the operator
of the website, online service, online
application, or mobile application has
constructive knowledge that the website, online
service, online application, or mobile
application collects personal information
directly from users of any other website,
online service, online application, or mobile
application that is directed to children or
minors under the criteria described in
subparagraph (A).
``(ii) Services deemed directed to mixed
audiences.--
``(I) In general.--A website,
online service, online application, or
mobile application that is directed to
children or minors under the criteria
described in subparagraph (A), but that
does not target children or minors as
the primary audience of the website,
online service, online application, or
mobile application, shall not be deemed
to be directed to children or minors
for purposes of this title if the
website, online service, online
application, or mobile application--
``(aa) does not collect
personal information from any
user of the website, online
service, online application, or
mobile application before
verifying age information of
the user; and
``(bb) does not, without
first complying with any
relevant notice and consent
provision under this title,
collect, use, or disclose
personal information of any
user who identifies themselves
to the website, online service,
online application, or mobile
application as an individual
who is under the age of 16.
``(II) Use of certain tools.--For
purposes of this title, a website,
online service, online application, or
mobile application, shall not be deemed
directed to children or minors solely
because the website, online service,
online application, or mobile
application refers or links to any
other website, online service, online
application, or mobile application
directed to children or minors by using
information location tools, including--
``(aa) a directory;
``(bb) an index;
``(cc) a reference;
``(dd) a pointer; or
``(ee) a hypertext link.
``(17) Mobile application.--The term `mobile application'--
``(A) means a software program that runs on the
operating system of--
``(i) a cellular telephone;
``(ii) a tablet computer; or
``(iii) a similar portable computing device
that transmits data over a wireless connection;
and
``(B) includes a service or application offered via
a connected device.
``(18) Geolocation information.--The term `geolocation
information' means information sufficient to identify a street
name and name of a city or town.
``(19) Minor.--The term `minor' means an individual over
the age of 12 and under the age of 16.
``(20) Targeted marketing.--The term `targeted marketing'
means advertising or any other effort to market a product or
service that is directed to a specific individual or device--
``(A) based on--
``(i) the personal information of--
``(I) the individual; or
``(II) a group of individuals who
are similar in gender, age, income
level, race, or ethnicity to the
specific individual to whom the product
or service is marketed;
``(ii) psychological profiling; or
``(iii) a unique identifier of the device;
or
``(B) as a result of use by the individual, access
by any device of the individual, or use by a group of
individuals who are similar to the specific individual,
of--
``(i) a website;
``(ii) an online service;
``(iii) an online application;
``(iv) a mobile application; or
``(v) an operating system.''.
(b) Online Collection, Use, and Disclosure of Personal Information
of Children and Minors.--Section 1303 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6502) is amended--
(1) by striking the heading and inserting the following:
``online collection, use, and disclosure of personal
information of children and minors.'';
(2) in subsection (a)--
(A) by amending paragraph (1) to read as follows:
``(1) In general.--It is unlawful for an operator of a
website, online service, online application, or mobile
application directed to a child or minor, or an operator having
constructive knowledge that personal information being
collected is from a child or minor, to collect personal
information from a child or minor in a manner that violates the
regulations prescribed under subsection (b).''; and
(B) in paragraph (2)--
(i) by striking ``of such a website or
online service''; and
(ii) by striking ``subsection
(b)(1)(B)(iii) to the parent of a child'' and
inserting ``subsection (b)(1)(A)(iii) to the
parent of a child or under subsection
(b)(1)(A)(iv) to a minor'';
(3) in subsection (b)--
(A) by amending paragraph (1) to read as follows:
``(1) Regulations.--
``(A) In general.--Not later than 1 year after the
date of the enactment of the Act entitled `An Act to
amend the Children's Online Privacy Protection Act of
1998 to strengthen protections relating to the online
collection, use, and disclosure of personal information
of children and minors, and for other purposes', the
Commission shall promulgate, under section 553 of title
5, United States Code, regulations to require an
operator of a website, online service, online
application, or mobile application directed to children
or minors, or an operator having constructive knowledge
that personal information being collected is from a
child or minor--
``(i) to provide clear and conspicuous
notice in clear and plain language of--
``(I) the types of personal
information the operator collects;
``(II) how the operator uses the
information;
``(III) whether and why the
operator discloses the information; and
``(IV) the procedures or mechanisms
the operator uses to ensure that
personal information is not collected
from children or minors except in
accordance with the regulations
promulgated under this paragraph;
``(ii) to obtain verifiable consent for the
collection, use, or disclosure of personal
information of a child or minor;
``(iii) to provide to a parent whose child
has provided personal information to the
operator, upon request by and proper
identification of the parent--
``(I) a description of the specific
types of personal information collected
from the child by the operator;
``(II) the opportunity at any time
to delete personal information
collected from the child; and
``(III) a means that is reasonable
under the circumstances for the parent
to obtain any personal information
collected from the child, if such
information is available to the
operator at the time the parent makes
the request;
``(iv) to provide to a minor who has
provided personal information to the operator,
upon request by and proper identification of
the minor--
``(I) a description of the specific
types of personal information collected
from the minor by the operator;
``(II) the opportunity at any time
to delete personal information
collected from the minor; and
``(III) a means that is reasonable
under the circumstances for the minor
to obtain any personal information
collected from the minor, if such
information is available to the
operator at the time the minor makes
the request;
``(v) not to condition participation in a
game, or use of a website, service, or
application, by a child or minor on the
provision by the child or minor of more
personal information than is reasonably
required to participate in the game or use the
website, service, or application; and
``(vi) to establish and maintain reasonable
procedures to protect the confidentiality,
security, and integrity of personal information
collected from children and minors.
``(B) Updates.--Not less frequently than once every
4 years after the date on which regulations are
promulgated under subparagraph (A), the Commission
shall update those regulations as necessary.'';
(B) in paragraph (2)--
(i) in the matter preceding subparagraph
(A), by striking ``verifiable parental
consent'' and inserting ``verifiable consent'';
(ii) in subparagraph (A)--
(I) by inserting ``or minor'' after
``collected from a child'';
(II) by inserting ``or minor''
after ``request from the child''; and
(III) by inserting ``or minor or to
contact a different child or minor''
after ``to recontact the child'';
(iii) in subparagraph (B)--
(I) by striking ``parent or child''
and inserting ``parent, child, or
minor''; and
(II) by striking ``parental
consent'' each place the term appears
and inserting ``verifiable consent'';
(iv) in subparagraph (C)--
(I) in the matter preceding clause
(i), by inserting ``or minor'' after
``child'' each place the term appears;
(II) in clause (i)--
(aa) by inserting ``or
minor'' after ``child'' each
place the term appears; and
(bb) by inserting ``or
minor, as applicable,'' after
``parent'' each place the term
appears; and
(III) in clause (ii)--
(aa) by inserting ``or
minor, as applicable,'' after
``parent''; and
(bb) by inserting ``or
minor'' after ``child'' each
place the term appears; and
(v) in subparagraph (D)--
(I) in the matter preceding clause
(i), by inserting ``or minor'' after
``child'' each place the term appears;
(II) in clause (ii), by inserting
``or minor'' after ``child''; and
(III) in the flush text following
clause (iii)--
(aa) by inserting ``or
minor, as applicable,'' after
``parent'' each place the term
appears; and
(bb) by inserting ``or
minor'' after ``child''; and
(C) by amending paragraph (3) to read as follows:
``(3) Continuation of service.--The regulations shall
prohibit an operator from discontinuing service provided to a
child or minor on the basis of a request by the parent of the
child or by the minor, under the regulations prescribed under
clauses (iii)(II) and (iv)(II), respectively, of paragraph
(1)(A) to delete personal information collected from the child
or minor, to the extent that the operator is capable of
providing such service without such information.'';
(4) by redesignating subsections (c) and (d) as subsections
(d) and (e), respectively; and
(5) by inserting after subsection (b) the following:
``(c) Constructive Knowledge.--
``(1) In general.--Constructive knowledge that personal
information being collected is from a child or minor under
subsection (a) or (b) shall be imputed, at a minimum, to an
operator if--
``(A) the operator directly or indirectly collects,
uses, profiles, buys, sells, classifies, or analyzes
(using an algorithm or other form of data analytics)
data about a user or groups of users to estimate,
identify, or classify the age, age range, or proxy
thereof;
``(B) the operator directly or indirectly collects,
uses, profiles, buys, sells, classifies or analyzes
(using an algorithm or other form of data analytics)
data about the nature of the content of the website,
online service, online application, or mobile
application that estimates, identifies, or classifies
the content as child or minor-directed or similarly
estimates, identifies, or classifies the intended or
likely audience for the content;
``(C) the operator has or receives data or
reporting related to the age of users on the website,
online service, online application, or mobile
application under the self-regulatory guidelines
described in section 1304 that documents risks and
controls, including the existence of operator-
controlled data analytics and content analytics
capabilities and functions or outputs;
``(D) the operator has or receives complaints from
parents or other third parties about the age of users
using its service, whether through the operators'
complaint mechanism, by email, or other means
conveniently accessible by the user;
``(E) the operator has or receives data or
reporting or information from the operator's internal
communications, including documentation about its
advertising practices, such as an advertisement
insertion order, or other promotional material to
marketers, that indicates that data is being collected
from children or minors that are using the product or
service;
``(F) the operator has publicly available data or
reporting regarding the operator's product or service
indicating that children or minors are using its
product or service; or
``(G) a content provider on the operator's website,
online service, online application, or mobile
application communicates to an ad-network that the
content is intended for children or minors or likely to
appeal to children or minors, whether directly or
indirectly.
``(2) Additional factors.--The Commission may issue
guidance or promulgate rules that indicate factors, in addition
to those described in paragraph (1), that should be considered
to be constructive knowledge for purposes of this section.''.
(c) Safe Harbors.--Section 1304 of the Children's Online Privacy
Protection Act of 1998 (15 U.S.C. 6503) is amended--
(1) in subsection (b)(1), by inserting ``and minors'' after
``children''; and
(2) by adding at the end the following:
``(d) Publication.--The Commission shall publish on the internet
website of the Commission any report or documentation required by
regulation to be submitted to the Commission to carry out this
section.''.
(d) Administration and Applicability of Act.--Section 1306 of the
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is
amended--
(1) in subsection (b)--
(A) in paragraph (1), by striking ``, in the case
of'' and all that follows and inserting the following:
``by the appropriate Federal banking agency, with
respect to any insured depository institution (as those
terms are defined in section 3 of that Act (12 U.S.C.
1813));''; and
(B) by striking paragraph (2) and redesignating
paragraphs (3) through (6) as paragraphs (2) through
(5), respectively; and
(2) by adding at the end the following new subsection:
``(f) Telecommunications Carriers and Cable Operators.--
``(1) Enforcement by commission.--Notwithstanding section
5(a)(2) of the Federal Trade Commission Act (15 U.S.C.
45(a)(2)), compliance with the requirements imposed under this
title shall be enforced by the Commission with respect to any
telecommunications carrier (as defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153)).
``(2) Relationship to other law.--To the extent that
section 222, 338(i), or 631 of the Communications Act of 1934
(47 U.S.C. 222; 338(i); 551) is inconsistent with this title,
this title controls.''.
SEC. 4. FAIR INFORMATION PRACTICES PRINCIPLES.
The Fair Information Practices Principles described in this section
are the following:
(1) Collection limitation principle.--Except as provided in
paragraph (3), personal information should be collected from a
child or minor only when collection of the personal information
is--
(A) consistent with the context of a particular
transaction or service or the relationship of the child
or minor with the operator, including collection
necessary to fulfill a transaction or provide a service
requested by the child or minor; or
(B) required or specifically authorized by law.
(2) Data quality principle.--The personal information of a
child or minor should be accurate, complete, and kept up-to-
date to the extent necessary to fulfill the purposes described
in subparagraphs (A) through (D) of paragraph (3).
(3) Purpose specification principle.--The purposes for
which personal information is collected should be specified to
the parent of a child or to a minor not later than at the time
of the collection of the information. The subsequent use or
disclosure of the information should be limited to--
(A) fulfillment of the transaction or service
requested by the minor or parent of the child;
(B) support for the internal operations of the
website, service, or application, as described in
section 312.2 of title 16, Code of Federal Regulations,
excluding any activity relating to targeted marketing
directed to children, minors, or a device of a child or
minor if the support for internal operations in
consistent with the interest of the child or minor;
(C) compliance with legal process or other purposes
expressly authorized under specific legal authority; or
(D) other purposes--
(i) that are specified in a notice to the
minor or parent of the child; and
(ii) to which the minor or parent of the
child has consented under paragraph (7) before
the information is used or disclosed for such
other purposes.
(4) Retention limitation principle.--
(A) In general.--The personal information of a
child or minor should not be retained for longer than
is necessary to fulfill a transaction or provide a
service requested by the child or minor or such other
purposes specified in subparagraphs (A) through (D) of
paragraph (3).
(B) Data disposal.--The operator should implement a
reasonable and appropriate data disposal policy based
on the nature and sensitivity of personal information
described in subparagraph (A).
(5) Security safeguards principle.--The personal
information of a child or minor should be protected by
reasonable and appropriate security safeguards against risks
such as loss or unauthorized access, destruction, use,
modification, or disclosure.
(6) Openness principle.--
(A) General principle.--The operator should
maintain a general policy of openness about
developments, practices, and policies with respect to
the personal information of a child or minor.
(B) Provision of information.--The operator should
provide to each parent of a child, or to each minor,
using the website, online service, online application,
or mobile application of the operator with a clear and
prominent means--
(i) to identify and contact the operator,
by, at a minimum, disclosing, clearly and
prominently, the identity of the operator and--
(I) in the case of an operator who
is an individual, the address of the
principal residence of the operator and
an email address and telephone number
for the operator; or
(II) in the case of any other
operator, the address of the principal
place of business of the operator and
an email address and telephone number
for the operator;
(ii) to determine whether the operator
possesses any personal information of the child
or minor, the nature of any such information,
and the purposes for which the information was
collected and is being retained;
(iii) to obtain any personal information of
the child or minor that is in the possession of
the operator from the operator, or from a
person specified by the operator, within a
reasonable time after making a request, at a
charge (if any) that is not excessive, in a
reasonable manner, and in a form that is
readily intelligible to the child or minor;
(iv) to challenge the accuracy of personal
information of the child or minor that is in
the possession of the operator;
(v) to determine if the child or minor has
established the inaccuracy of personal
information in a challenge under clause (iv) in
order to have such information erased,
corrected, completed, or otherwise amended; and
(vi) to determine the method by which the
operator obtains data relevant to the child or
minor.
(C) Limitation.--Nothing in this paragraph shall be
construed to permit an operator to erase or otherwise
modify personal information requested by a law
enforcement agency pursuant to legal authority.
(7) Individual participation principle.--The operator
should--
(A) obtain consent from a parent of a child or from
a minor before using or disclosing the personal
information of the child or minor for any purpose other
than the purposes described in subparagraphs (A)
through (C) of paragraph (3); and
(B) obtain affirmative express consent from a
parent of a child or from a minor before using or
disclosing previously collected personal information of
the child or minor for purposes that constitute a
material change in practice from the original purposes
specified to the child or minor under paragraph (3).
(8) Racial and socioeconomic profiling.--The personal
information of a child or minor shall not be used to direct
content to the child or minor, or a group of individuals
similar to the child or minor, on the basis of race,
socioeconomic factors, or any proxy thereof.
SEC. 5. DIGITAL MARKETING BILL OF RIGHTS FOR MINORS.
(a) Acts Prohibited.--
(1) Prohibition.--
(A) In general.--Except as provided in subparagraph
(B), it shall be unlawful for an operator of a website,
online service, online application, or mobile
application to collect personal information from a
minor if--
(i)(I) the minor is a user of the website,
online service, online application, or mobile
application; and
(II) the operator has constructive
knowledge that personal information is being
collected from a minor or minors; or
(ii) the website, online service, online
application, or mobile application is directed
to minors.
(B) Exception.--Subparagraph (A) shall not apply to
an operator that has adopted and complies with a
Digital Marketing Bill of Rights for Minors that is
consistent with the Fair Information Practices
Principles described in section 4.
(2) Effective date.--This subsection shall take effect on
the date that is 180 days after the promulgation of regulations
under subsection (b).
(b) Regulations.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate, under
section 553 of title 5, United States Code, regulations to
implement this section, including regulations further defining
the Fair Information Practices Principles described in section
4.
(2) Updates.--Not less frequently than once every 4 years
after the date on which regulations are promulgated under
paragraph (1), the Commission shall update those regulations as
necessary.
SEC. 6. TARGETED MARKETING TO CHILDREN OR MINORS.
(a) Acts Prohibited.--
(1) Children.--It shall be unlawful for an operator of a
website, online service, online application, or mobile
application to use, disclose to third parties, or compile
personal information of a child for purposes of targeted
marketing if--
(A)(i) the child is a user of the website, online
service, online application, or mobile application; and
(ii) the operator has constructive knowledge that
personal information is being collected from a child or
children; or
(B) the website, online service, online
application, or mobile application is directed to a
child.
(2) Minors.--
(A) Prohibition.--Except as provided in
subparagraph (B), it shall be unlawful for an operator
of a website, online service, online application, or
mobile application to use, disclose to third parties,
or compile personal information of a minor for purposes
of targeted marketing if--
(i)(I) the minor is a user of the website,
online service, online application, or mobile
application; and
(II) the operator has constructive
knowledge that the minor is a minor; or
(ii) the website, online service, online
application, or mobile application is directed
to a minor.
(B) Exception.--Subparagraph (A) shall not apply to
an operator that has obtained the verifiable consent of
the relevant minor.
(3) Effective date.--This subsection shall take effect on
the date that is 180 days after the promulgation of regulations
under subsection (b).
(b) Regulations.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate, under
section 553 of title 5, United States Code, regulations to
implement this section.
(2) Updates.--Not less frequently than once every 4 years
after the date on which regulations are promulgated under
paragraph (1), the Commission shall update those regulations as
necessary.
SEC. 7. REMOVAL OF CONTENT.
(a) Acts Prohibited.--It is unlawful for an operator to make
publicly available through a website, online service, online
application, or mobile application content or information that contains
or displays personal information of children or minors in a manner that
violates subsection (b).
(b) Requirement.--
(1) In general.--An operator, to the extent technologically
feasible, shall--
(A) implement mechanisms that permit a user of the
website, online service, online application, or mobile
application of the operator to erase or otherwise
eliminate content or information that is--
(i) submitted to the website, online
service, online application, or mobile
application by that user;
(ii) publicly available through the
website, online service, online application, or
mobile application; and
(iii) contains or displays personal
information of children or minors; and
(B) take appropriate steps to--
(i) make users aware of the mechanisms
described in subparagraph (A); and
(ii) provide notice to users that the
mechanisms described in subparagraph (A) do not
necessarily provide comprehensive removal of
the content or information submitted by users.
(2) Exceptions.--Paragraph (1) shall not be construed to
require an operator or third party to erase or otherwise
eliminate content or information that--
(A) any other provision of Federal or State law
requires the operator or third party to maintain; or
(B) was submitted to the website, online service,
online application, or mobile application of the
operator by any person other than the user who is
attempting to erase or otherwise eliminate the content
or information, including content or information
submitted by the user that was republished or
resubmitted by another person.
(c) Limitation.--Nothing in this section shall be construed to
limit the authority of a law enforcement agency to obtain any content
or information from an operator as authorized by law or pursuant to an
order of a court of competent jurisdiction.
(d) Effective Date.--This section shall take effect on the date
that is 180 days after the date of enactment of this Act.
SEC. 8. PRIVACY DASHBOARD FOR CONNECTED DEVICES FOR CHILDREN AND
MINORS.
(a) In General.--A manufacturer of a connected device directed to a
child or minor shall prominently display on the packaging for the
connected device a standardized and easy-to-understand privacy
dashboard, detailing whether, what, and how personal information of a
child or minor is--
(1) collected from the connected device;
(2) transmitted from the connected device;
(3) retained on the connected device;
(4) retained by the manufacturer or affiliated person;
(5) used by the manufacturer or affiliated person; and
(6) protected.
(b) Features.--A privacy dashboard under subsection (a) shall
inform a consumer of--
(1) the extent to which the connected device meets the
highest cybersecurity and data security standards, including if
and how to obtain security patches;
(2) the extent to which the connected device gives--
(A) a parent meaningful control over the
information of a child of the parent; and
(B) a minor meaningful control over the information
of the minor;
(3) the extent to which the device minimizes the
collection, retention, and use of information from a child or
minor;
(4) the location of privacy policies;
(5) the type of personal information the connected device
may collect;
(6) the minimum length of time during which a connected
device will received security patches and software updates;
(7) whether the connected device can be used without being
connected to the internet; and
(8) any other information as the Commission considers
appropriate.
(c) Regulations.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Commission shall promulgate, under
section 553 of title 5, United States Code, regulations to
implement this section.
(2) Updates.--Not less frequently than once every 4 years
after the date on which regulations are promulgated under
paragraph (1), the Commission shall update those regulations as
necessary.
(d) Effective Date.--Subsections (a) and (b) shall take effect on
the date that is 180 days after the promulgation of regulations under
subsection (c).
SEC. 9. PROHIBITION ON SALE OF CONNECTED DEVICES FOR CHILDREN AND
MINORS THAT FAIL TO MEET APPROPRIATE CYBERSECURITY AND
DATA SECURITY STANDARDS.
(a) Prohibition.--Beginning 1 year after the date of enactment of
this Act, no person may sell a connected device unless the connected
device meets appropriate cybersecurity and data security standards
established by the Commission.
(b) Cybersecurity and Data Security Standards.--
(1) In general.--The Commission shall promulgate, under
section 553 of title 5, United States Code, cybersecurity and
data security standards described in subsection (a).
(2) Considerations.--In promulgating cybersecurity and data
security standards under paragraph (1), the Commission shall--
(A) create cybersecurity and data security
standards for different subsets of connected devices
based on the varying degrees of--
(i) cybersecurity and data security risk
associated with each subset of connected
device;
(ii) sensitivity of information collected,
stored, or transmitted by each subset of
connected device; and
(iii) functionality of each subset of
connected device;
(B) consider incorporating, to the extent
practicable, existing cybersecurity and data security
standards; and
(C) ensure that the cybersecurity and data security
standards--
(i) are consistent with Fair Information
Practice Principles described in section 4; and
(ii) promote data minimization.
SEC. 10. RULE FOR TREATMENT OF USERS OF WEBSITES, SERVICES, AND
APPLICATIONS DIRECTED TO CHILDREN OR MINORS.
For the purposes of this Act, an operator of a website, online
service, online application, or mobile application that is directed to
children or minors shall treat each user of that website, online
service, online application, or mobile application as a child or minor,
except as permitted by the Commission pursuant to a regulation
promulgated under this Act.
SEC. 11. STUDY OF MOBILE AND ONLINE APPLICATION OVERSIGHT.
Not later than 2 years after the date of enactment of this Act, the
Commission shall submit to each committee of the Senate and each
committee of the House of Representatives that has jurisdiction over
the Commission a report on the processes of platforms that offer mobile
and online applications for ensuring that, of those applications that
are directed to children or minors, the applications operate in
accordance with--
(1) this Act, the amendments made by this Act, and rules
promulgated under this Act;
(2) rules promulgated by the Commission under section 5 of
the Federal Trade Commission Act (15 U.S.C. 45) relating to
unfair or deceptive acts or practices in marketing; and
(3) any other Federal or State law relating to the privacy
of children or minors.
SEC. 12. YOUTH PRIVACY AND MARKETING DIVISION.
(a) Establishment.--There is established within the Commission a
division to be known as the Youth Privacy and Marketing Division.
(b) Director.--The Youth Privacy and Marketing Division shall be
headed by a Director, who shall be appointed by the Chairman of the
Commission.
(c) Duties.--The Youth Privacy and Marketing Division established
under subsection (a) shall be responsible for addressing, as it relates
to this Act and the amendments made by this Act--
(1) the privacy of children and minors; and
(2) marketing directed at children and minors.
(d) Staff.--The Director of the Youth Privacy and Marketing
Division shall hire adequate staff to carry out the duties under
subsection (c), including individuals who are experts in data
protection, digital advertising, data analytics, and youth development.
(e) Reports.--Not later than 1 year after the date of enactment of
this Act, and each year thereafter, the Director of the Youth and
Privacy Marketing Division shall submit to the Committee on Commerce,
Science, and Transportation of the Senate and the Committee on Energy
and Commerce of the House of Representatives a report that includes--
(1) a description of the work of the Youth Privacy and
Marketing Division on emerging concerns relating to youth
privacy and marketing practices; and
(2) an assessment of how effectively the Commission has,
during the period for which the report is submitted, addressed
youth privacy and marketing practices.
SEC. 13. ENFORCEMENT AND APPLICABILITY.
(a) Enforcement by the Commission.--
(1) In general.--Except as otherwise provided, this Act and
the regulations prescribed under this Act shall be enforced by
the Commission under the Federal Trade Commission Act (15
U.S.C. 41 et seq.).
(2) Unfair or deceptive acts or practices.--Subject to
subsection (b), a violation of this Act or a regulation
prescribed under this Act shall be treated as a violation of a
rule defining an unfair or deceptive act or practice prescribed
under section 18(a)(1)(B) of the Federal Trade Commission Act
(15 U.S.C. 57a(a)(1)(B)).
(3) Actions by the commission.--
(A) In general.--Subject to subsection (b), and
except as provided in subsection (d)(1), the Commission
shall prevent any person from violating this Act or a
regulation prescribed under this Act in the same
manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act, and any person who
violates this Act or such regulation shall be subject
to the penalties and entitled to the privileges and
immunities provided in the Federal Trade Commission
Act.
(B) Violations.--
(i) In general.--In an action brought by
the Commission to enforce this Act and the
regulations prescribed under this Act, each
connected device that fails to meet a standard
promulgated under this Act shall be treated as
a separate violation.
(ii) Civil penalty.--Notwithstanding
section 5(m) of the Federal Trade Commission
Act (15 U.S.C. 45(m)), a civil penalty
recovered for a violation of this Act or a
regulation prescribed under this Act may be in
excess of the amounts provided for in that
section as the court finds appropriate to deter
violations of this Act and regulations
prescribed under this Act.
(iii) First violations.--In an action
brought by the Commission to enforce this Act
and the regulations prescribed under this Act,
the Commission may seek a civil penalty for any
violation of this Act or regulation prescribed
under this Act, including any violation that is
the first violation of this Act or a regulation
prescribed under this Act that a person against
whom the action is brought has committed.
(b) Enforcement by Certain Other Agencies.--Notwithstanding
subsection (a), compliance with the requirements imposed under this Act
shall be enforced as follows:
(1) Under section 8 of the Federal Deposit Insurance Act
(12 U.S.C. 1818) by the appropriate Federal banking agency,
with respect to an insured depository institution (as such
terms are defined in section 3 of such Act (12 U.S.C. 1813)).
(2) Under the Federal Credit Union Act (12 U.S.C. 1751 et
seq.) by the National Credit Union Administration Board, with
respect to any Federal credit union.
(3) Under part A of subtitle VII of title 49, United States
Code, by the Secretary of Transportation, with respect to any
air carrier or foreign air carrier subject to such part.
(4) Under the Packers and Stockyards Act, 1921 (7 U.S.C.
181 et seq.) (except as provided in section 406 of that Act (7
U.S.C. 226; 227)) by the Secretary of Agriculture, with respect
to any activities subject to that Act.
(5) Under the Farm Credit Act of 1971 (12 U.S.C. 2001 et
seq.) by the Farm Credit Administration, with respect to any
Federal land bank, Federal land bank association, Federal
intermediate credit bank, or production credit association.
(c) Enforcement by State Attorneys General.--
(1) In general.--
(A) Civil actions.--In any case in which the
attorney general of a State has reason to believe that
an interest of the residents of that State has been or
is threatened or adversely affected by the engagement
of any person in a practice that violates this Act or a
regulation prescribed under this Act, the State, as
parens patriae, may bring a civil action on behalf of
the residents of the State in a district court of the
United States of appropriate jurisdiction to--
(i) enjoin that practice;
(ii) enforce compliance with this Act or
such regulation;
(iii) obtain damages, restitution, or other
compensation on behalf of residents of the
State; or
(iv) obtain such other relief as the court
may consider to be appropriate.
(B) Notice.--
(i) In general.--Before filing an action
under subparagraph (A), the attorney general of
the State involved shall provide to the
Commission--
(I) written notice of that action;
and
(II) a copy of the complaint for
that action.
(ii) Exemption.--
(I) In general.--Clause (i) shall
not apply with respect to the filing of
an action by an attorney general of a
State under this paragraph if the
attorney general of the State
determines that it is not feasible to
provide the notice described in that
clause before the filing of the action.
(II) Notification.--In an action
described in subclause (I), the
attorney general of a State shall
provide notice and a copy of the
complaint to the Commission at the same
time as the attorney general files the
action.
(2) Intervention.--
(A) In general.--On receiving notice under
paragraph (1)(B), the Commission shall have the right
to intervene in the action that is the subject of the
notice.
(B) Effect of intervention.--If the Commission
intervenes in an action under paragraph (1), it shall
have the right--
(i) to be heard with respect to any matter
that arises in that action; and
(ii) to file a petition for appeal.
(3) Construction.--For purposes of bringing any civil
action under paragraph (1), nothing in this Act shall be
construed to prevent an attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of that State to--
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the
production of documentary and other evidence.
(4) Actions by the commission.--In any case in which an
action is instituted by or on behalf of the Commission for
violation of this Act or a regulation prescribed under this
Act, no State may, during the pendency of that action,
institute an action under paragraph (1) against any defendant
named in the complaint in the action instituted by or on behalf
of the Commission for that violation.
(5) Venue; service of process.--
(A) Venue.--Any action brought under paragraph (1)
may be brought in the district court of the United
States that meets applicable requirements relating to
venue under section 1391 of title 28, United States
Code.
(B) Service of process.--In an action brought under
paragraph (1), process may be served in any district in
which the defendant--
(i) is an inhabitant; or
(ii) may be found.
(d) Telecommunications Carriers and Cable Operators.--
(1) Enforcement by commission.--Notwithstanding section
5(a)(2) of the Federal Trade Commission Act (15 U.S.C.
45(a)(2)), compliance with the requirements imposed under this
Act shall be enforced by the Commission with respect to any
telecommunications carrier (as defined in section 3 of the
Communications Act of 1934 (47 U.S.C. 153)).
(2) Relationship to other laws.--To the extent that section
222, 338(i), or 631 of the Communications Act of 1934 (47
U.S.C. 222; 338(i); 551) is inconsistent with this Act, this
Act controls.
(e) Safe Harbors.--
(1) Definition.--In this subsection--
(A) the term ``applicable section'' means section
5, 6, 7, 8, or 9 of this Act;
(B) the term ``covered operator'' means an operator
subject to guidelines approved under paragraph (2);
(C) the term ``requesting entity'' means an entity
that submits a safe harbor request to the Commission;
and
(D) the term ``safe harbor request'' means a
request to have self-regulatory guidelines described in
paragraph (2)(A) approved under that paragraph.
(2) Guidelines.--
(A) In general.--An operator may satisfy the
requirements of regulations issued under an applicable
section by following a set of self-regulatory
guidelines, issued by representatives of the marketing
or online industries, or by other persons, that, after
notice and an opportunity for comment, are approved by
the Commission upon making a determination that the
guidelines meet the requirements of the regulations
issued under that applicable section.
(B) Expedited response to requests.--Not later than
180 days after the date on which a safe harbor request
is filed under subparagraph (A), the Commission shall
act upon the request set forth in writing the
conclusions of the Commission with regard to the
request.
(C) Appeals.--A requesting entity may appeal the
final action of the Commission under subparagraph (B),
or a failure by the Commission to act in the period
described in that paragraph, to a district court of the
United States of appropriate jurisdiction, as provided
for in section 706 of title 5, United States Code.
(3) Incentives.--
(A) Self-regulatory incentives.--In prescribing
regulations under an applicable section, the Commission
shall provide incentives for self-regulation by covered
operators to implement the protections afforded
children and minors, as applicable, under the
regulatory requirements described in those sections.
(B) Deemed compliance.--The incentives under
subparagraph (A) shall include provisions for ensuring
that a covered operator will be deemed to be in
compliance with the requirements of the regulations
under an applicable section if that person complies
with guidelines approved under paragraph (2).
(4) Regulations.--In prescribing regulations relating to
safe harbor guidelines under an applicable section, the
Commission shall--
(A) establish criteria for the approval of
guidelines that will ensure that a covered operator
provides substantially the same or greater protections
for children and minors, as applicable, as those
contained in the regulations issued under the
applicable section; and
(B) require that any report or documentation
required to be submitted to the Commission by a covered
operator or requesting entity will be published on the
internet website of the Commission.
(5) Report by the inspector general.--
(A) In general.--Not later than 2 years after the
date of enactment of this Act, and once each 2 years
thereafter, the Inspector General of the Commission
shall submit to the Commission and each committee of
the Senate and each committee of the House of
Representatives that has jurisdiction over the
Commission a report regarding the safe harbor
provisions under this subparagraph, which shall
include--
(i) an analysis of whether the safe harbor
provisions are--
(I) operating fairly and
effectively; and
(II) effectively protecting the
interests of children and minors; and
(ii) proposals for policy changes that
would improve the effectiveness of the safe
harbor provisions.
(B) Publication.--Not later than 10 days after the
date on which a report under subparagraph (A) is
submitted, the Commission shall publish the report on
the internet website of the Commission.
(f) Effective Date.--This section shall take effect on the date
that is 90 days after the date of enactment of this Act.
<all>