[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2801 Introduced in House (IH)]

<DOC>






118th CONGRESS
  1st Session
                                H. R. 2801

To amend the Children's Online Privacy Protection Act of 1998 to update 
      and expand the coverage of such Act, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 24, 2023

Ms. Castor of Florida introduced the following bill; which was referred 
                to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
To amend the Children's Online Privacy Protection Act of 1998 to update 
      and expand the coverage of such Act, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Protecting the 
Information of our Vulnerable Adolescents, Children, and Youth Act'' or 
the ``Kids PRIVACY Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Requirements for processing of covered information of children 
                            or teenagers.
Sec. 4. Repeal of safe harbors provision.
Sec. 5. Administration and applicability of Act.
Sec. 6. Review.
Sec. 7. Private right of action.
Sec. 8. Relationship to other law.
Sec. 9. Additional conforming amendment.
Sec. 10. Youth Privacy and Marketing Division.
Sec. 11. Commission defined.
Sec. 12. Effective date.

SEC. 2. DEFINITIONS.

    Section 1302 of the Children's Online Privacy Protection Act of 
1998 (15 U.S.C. 6501) is amended--
            (1) by striking paragraphs (5) and (10);
            (2) by redesignating paragraphs (2), (3), (4), (6), (7), 
        (8), and (9) as paragraphs (3), (5), (6), (7), (8), (9), and 
        (10), respectively;
            (3) by inserting after paragraph (1) the following:
            ``(2) Teenager.--The term `teenager' means an individual 
        over the age of 12 and under the age of 18.'';
            (4) by striking paragraph (3) (as so redesignated) and 
        inserting the following:
            ``(3) Covered entity.--The term `covered entity' means--
                    ``(A) any person over which the Commission has 
                authority under section 5(a)(2) of the Federal Trade 
                Commission Act (15 U.S.C. 45(a)(2));
                    ``(B) any organization not organized to carry on 
                business for its own profit or that of its members; and
                    ``(C) any common carrier subject to the 
                Communications Act of 1934 (47 U.S.C. 151 et seq.) and 
                all Acts amendatory thereof and supplementary thereto.
            ``(4) Operator.--The term `operator' means, with respect to 
        a digital service, the covered entity that operates such 
        service, to the extent the covered entity is engaged in 
        operating such service or in processing covered information 
        obtained in connection with such service.'';
            (5) by amending paragraph (6) (as so redesignated) to read 
        as follows:
            ``(6) Disclose.--The term `disclose' means, with respect to 
        covered information, to intentionally or unintentionally 
        release, transfer, sell, disseminate, share, publish, lease, 
        license, make available, allow access to, fail to restrict 
        access to, or otherwise communicate such information.'';
            (6) by amending paragraph (9) (as so redesignated) to read 
        as follows:
            ``(9) Covered information.--The term `covered 
        information'--
                    ``(A) means any information that is linked or 
                reasonably linkable to a specific teenager or child or 
                to a specific consumer device used mainly by a teenager 
                or child;
                    ``(B) may include--
                            ``(i) a name, alias, home or other physical 
                        address, online identifier, Internet Protocol 
                        address, email address, account name, Social 
                        Security number, physical characteristics or 
                        description, telephone number, State 
                        identification card number, driver's license 
                        number, passport number, or other similar 
                        identifier;
                            ``(ii) actual or perceived race, religion, 
                        sex, sexual orientation, sexual behavior, 
                        familial status, gender identity, disability, 
                        age, political affiliation, or national origin;
                            ``(iii) commercial information, including 
                        records relating to personal property, products 
                        or services purchased, obtained, or considered, 
                        or other purchasing or consuming histories, 
                        interests, or tendencies;
                            ``(iv) biometric information;
                            ``(v) device identifiers, online 
                        identifiers, persistent identifiers, or digital 
                        fingerprinting information;
                            ``(vi) internet or other electronic network 
                        activity information, including browsing 
                        history, search history, and information 
                        regarding a teenager's or child's interaction 
                        with an internet website, application, or 
                        advertisement;
                            ``(vii) geolocation information;
                            ``(viii) audio, electronic, visual, 
                        thermal, olfactory, or similar information;
                            ``(ix) education information;
                            ``(x) health information;
                            ``(xi) facial recognition information;
                            ``(xii) contents of, attachments to, and 
                        parties to information, including with respect 
                        to electronic mail, text messages, picture 
                        messages, voicemails, audio conversations, and 
                        video conversations;
                            ``(xiii) financial information, including 
                        bank account numbers, credit card numbers, 
                        debit card numbers, or insurance policy 
                        numbers; and
                            ``(xiv) inferences drawn from any of the 
                        information described in this paragraph to 
                        create a profile about a teenager or child 
                        reflecting the teenager's or child's 
                        preferences, characteristics, psychological 
                        trends, predispositions, behavior, attitudes, 
                        intelligence, abilities, or aptitudes; and
                    ``(C) does not include--
                            ``(i) information that is processed solely 
                        for the purpose of employment of a teenager; or
                            ``(ii) de-identified information.'';
            (7) by amending paragraph (10) (as so redesignated) to read 
        as follows:
            ``(10) Verifiable consent.--The term `verifiable consent' 
        means express, affirmative consent freely given by a teenager, 
        or by the parent of a child, to the processing of covered 
        information of that teenager or child, respectively--
                    ``(A) that is specific, informed, and unambiguous, 
                taking into account the age and the developmental and 
                cognitive needs and capabilities of teenagers or 
                parents of children, as applicable;
                    ``(B) that is given separately for each unrelated 
                processing activity;
                    ``(C) where the teenager or parent of a child, as 
                applicable, has not received any financial or other 
                incentive in exchange for such consent;
                    ``(D) that is given before any processing occurs, 
                at a time and in a context in which the teenager or 
                parent of a child, as applicable, would reasonably 
                expect to make choices concerning such processing;
                    ``(E) that is not obtained through the use of a 
                design, modification, or manipulation of a user 
                interface with the purpose or substantial effect of 
                obscuring, subverting, or impairing user autonomy, 
                decision making, or choice; and
                    ``(F) that, in the case of consent to the 
                processing of covered information of a child, is 
                obtained in a manner that is reasonably calculated to 
                ensure that the individual giving consent is the parent 
                of the child.''; and
            (8) by adding at the end the following:
            ``(13) Process.--The term `process' means to perform any 
        operation or set of operations on covered information, whether 
        or not by automated means, including collecting, creating, 
        acquiring, disclosing, sharing, classifying, sorting, 
        recording, deriving, inferring, obtaining, assembling, 
        organizing, structuring, storing, retaining, adapting or 
        altering, using, or retrieving covered information.
            ``(14) De-identified information; re-identify.--
                    ``(A) De-identified information.--The term `de-
                identified information' means information that cannot 
                reasonably be used to infer information about, or 
                otherwise be linked to, a specific teenager or child or 
                specific consumer device of a teenager or child, if the 
                covered entity that possesses the information--
                            ``(i) takes reasonable measures to ensure 
                        that the information cannot be associated with 
                        a teenager or child;
                            ``(ii) publicly commits to maintain and use 
                        the information in de-identified form and not 
                        to attempt to re-identify the information, 
                        except for the purpose of testing the 
                        sufficiency of the de-identification measures; 
                        and
                            ``(iii) contractually obligates any entity 
                        to which the covered entity discloses the 
                        information to comply with clauses (i) and 
                        (ii).
                    ``(B) Re-identify.--The term `re-identify' means to 
                link information that has been de-identified to a 
                specific teenager or child or specific consumer device 
                of a teenager or child.
            ``(15) State.--The term `State' means each of the several 
        States, the District of Columbia, each territory of the United 
        States, and each federally recognized Indian Tribe.
            ``(16) Service provider.--The term `service provider' means 
        a covered entity that--
                    ``(A) processes covered information at the 
                direction of, and for the sole benefit of, another 
                covered entity; and
                    ``(B) is contractually or legally prohibited from 
                processing such covered information for any other 
                purpose.
            ``(17) Digital service.--The term `digital service' means a 
        website, online service, online application, mobile 
        application, or any other service that processes covered 
        information digitally.
            ``(18) Children's service.--The term `children's service' 
        means--
                    ``(A) a digital service or portion thereof that is 
                directed to children; or
                    ``(B) any other digital service or portion thereof, 
                if the operator of the service decides to treat all 
                users of the service or portion, as the case may be, as 
                children.
            ``(19) Privacy risk.--The term `privacy risk' means 
        potential adverse consequences to an individual, group of 
        individuals, or society arising from the processing of covered 
        information, including--
                    ``(A) physical harm;
                    ``(B) psychological or emotional harm;
                    ``(C) negative or harmful outcomes or decisions 
                with respect to an individual's eligibility for rights, 
                benefits, or opportunities;
                    ``(D) reputational and dignity harm;
                    ``(E) financial harm, including price 
                discrimination;
                    ``(F) inconvenience or expenditure of time;
                    ``(G) disruption and intrusion from unwanted 
                communications or contacts;
                    ``(H) other effects that limit an individual's 
                choices, influence an individual's responses, or 
                predetermine results or outcomes for that individual; 
                and
                    ``(I) other demonstrable adverse consequences that 
                affect an individual's private life, including private 
                family matters, actions, and communications within an 
                individual's home or similar physical, online, or 
                digital location.
            ``(20) Privacy and security impact assessment and 
        mitigation (psiam).--
                    ``(A) In general.--The terms `privacy and security 
                impact assessment and mitigation' and `PSIAM' mean, 
                with respect to a digital service, an assessment and 
                mitigation by the operator of the service of risks to 
                the children and teenagers who access the service that 
                arise from the processing of covered information, 
                taking into account privacy risks, security risks, the 
                rights and best interests of children and teenagers, 
                differing ages, capacities, and developmental needs of 
                children and teenagers, and any significant internal or 
                external emerging risks, and ensuring that the PSIAM 
                builds in risk mitigation and compliance with the other 
                requirements of this title.
                    ``(B) Requirements.--In conducting a PSIAM with 
                respect to a digital service, the operator of the 
                service shall do the following:
                            ``(i) Embed the PSIAM into the design 
                        process of the service and complete the PSIAM 
                        before the launch of the service and on an 
                        ongoing basis, and before making significant 
                        changes to the processing of covered 
                        information.
                            ``(ii) Publicly disclose the nature, scope, 
                        context, and purposes of the processing of 
                        covered information.
                            ``(iii) Depending on the size of the 
                        service and level of risks identified--
                                    ``(I) seek and document the views 
                                of children, teenagers, and parents (or 
                                their representatives), as well as 
                                experts in children's and teenagers' 
                                developmental needs; and
                                    ``(II) take such views into account 
                                in the design of the service.
                            ``(iv) Publicly disclose an explanation of 
                        why the operator's processing of covered 
                        information is necessary and proportionate vis 
                        a vis the risks for the service, and how the 
                        operator complies with the requirements of this 
                        title.
                            ``(v) Assess any processing of covered 
                        information that is not in the best interests 
                        of children or teenagers or that can be 
                        detrimental to their well-being and safety, 
                        whether physical, emotional, developmental, or 
                        material.
                            ``(vi) Identify, assess, and mitigate high-
                        risk processing of covered information.
                            ``(vii) Identify measures taken to mitigate 
                        the risks identified under clause (vi) and 
                        comply with the other requirements of this 
                        title.
                            ``(viii) Provide for regular internal 
                        reporting on the effectiveness of controls and 
                        residual risks of the operator.
                    ``(C) Auditable by commission.--The Commission may 
                audit a PSIAM conducted by an operator as the 
                Commission considers necessary.
            ``(21) Directed to children.--
                    ``(A) In general.--The term `directed to children' 
                means, with respect to a digital service, that the 
                digital service is targeted to children, as 
                demonstrated by--
                            ``(i) the subject matter of the digital 
                        service;
                            ``(ii) the visual content of the digital 
                        service;
                            ``(iii) the use of animated characters or 
                        child-oriented activities for children, and 
                        related incentives, on the digital service;
                            ``(iv) the music or other audio content on 
                        the digital service;
                            ``(v) the age of models on the digital 
                        service;
                            ``(vi) the presence on the digital service 
                        of--
                                    ``(I) child celebrities; or
                                    ``(II) celebrities who appeal to 
                                children;
                            ``(vii) the language used on the digital 
                        service;
                            ``(viii) advertising content or promotional 
                        materials used on, or used to advertise or 
                        promote, the digital service;
                            ``(ix) reliable empirical evidence relating 
                        to--
                                    ``(I) the composition of the 
                                audience of the digital service, 
                                including--
                                            ``(aa) data the operator of 
                                        the digital service may 
                                        directly or indirectly collect, 
                                        use, profile, buy, sell, 
                                        classify, or analyze (via 
                                        algorithms or other forms of 
                                        data analytics, including look-
                                        alike modeling) about a user or 
                                        groups of users to estimate, 
                                        identify, or classify the age 
                                        or age range (or a proxy 
                                        thereof) of such user or groups 
                                        of users;
                                            ``(bb) advertising 
                                        information or results, such as 
                                        data, reporting, or information 
                                        from the internal 
                                        communications of the operator 
                                        of the digital service, 
                                        including documentation about 
                                        its advertising practices, such 
                                        as an advertisement insertion 
                                        order, or other promotional 
                                        material to marketers, that 
                                        indicates that covered 
                                        information is being collected 
                                        from children that are using 
                                        the digital service;
                                            ``(cc) data or reporting 
                                        from the general or trade press 
                                        of the digital service 
                                        indicating that children are 
                                        using the digital service;
                                            ``(dd) complaints from 
                                        parents or other third parties 
                                        about child users using the 
                                        digital service, whether 
                                        through the complaint mechanism 
                                        of the digital service, by 
                                        email, or by other means; and
                                            ``(ee) data or reporting 
                                        from a privacy and security 
                                        impact assessment and 
                                        mitigation, compliance program, 
                                        or other compliance, risk 
                                        management, or internal process 
                                        that documents privacy risks 
                                        and controls related to 
                                        children's privacy, including 
                                        the existence of data analytics 
                                        controlled by the operator of 
                                        the digital service, including 
                                        those of service providers, and 
                                        content analytics capabilities 
                                        and functions or outputs; and
                                    ``(II) the intended audience of the 
                                digital service, including data the 
                                operator of the digital service 
                                directly or indirectly collects, uses, 
                                profiles, buys, sells, classifies, or 
                                analyzes (via algorithms or other forms 
                                of data analytics, including look-alike 
                                modeling) about the nature of the 
                                content of the digital service that 
                                estimates, identifies, or classifies 
                                the content as child-directed or 
                                similarly estimates, identifies, or 
                                classifies the intended or likely 
                                audience for the content;
                            ``(x) representations to third parties 
                        relating to the composition of the audience or 
                        the intended audience of the digital service;
                            ``(xi) actual knowledge that the digital 
                        service is processing the covered information 
                        of children; or
                            ``(xii) any other evidence or circumstances 
                        the Commission determines appropriate.
                    ``(B) Covered information from other services.--A 
                digital service shall be deemed to be directed to 
                children if the operator of the digital service has 
                actual or constructive knowledge that the digital 
                service collects covered information from users of any 
                other digital service that is directed to children 
                under the criteria described in subparagraph (A).
                    ``(C) Signals from third parties.--A digital 
                service shall be deemed directed to children if the 
                digital service receives a signal, such as a flag or 
                other formal industry standard or convention, from 
                another digital service on which the digital service 
                receiving the signal is embedded, indicating that the 
                digital service sending the signal is intended for 
                children or likely to appeal to children.
                    ``(D) Limitation.--A digital service that does not 
                target children as its primary audience shall not be 
                deemed directed to children if the digital service--
                            ``(i) does not collect covered information 
                        from any visitor prior to collecting age 
                        information; and
                            ``(ii) prevents the collection, use, or 
                        disclosure of covered information from visitors 
                        who identify themselves as under age 13 without 
                        first complying with the notice and parental 
                        consent provisions of this title and the 
                        regulations promulgated under this title.
                    ``(E) Further limitation.--A digital service shall 
                not be deemed directed to children solely because the 
                digital service refers or links to another digital 
                service that is directed to children by using 
                information location tools, including a directory, 
                index, reference, pointer, or hypertext link.
                    ``(F) Determination regarding a portion of a 
                digital service.--For purposes of determining whether a 
                portion of a digital service is directed to children, 
                any reference in this paragraph to a digital service 
                shall be considered to refer to such portion.
            ``(22) Likely to be accessed by children or teenagers.--The 
        term `likely to be accessed by children or teenagers' means, 
        with respect to a digital service, that the possibility of more 
        than a de minimis number of children or teenagers accessing the 
        digital service is more probable than not. In determining 
        whether a digital service is likely to be accessed by children 
        or teenagers, the operator of the service shall consider 
        whether the service has particular appeal to children or 
        teenagers and whether effective measures are in place that 
        prevent children or teenagers from gaining access to the 
        service.
            ``(23) Age assurance.--The term `age assurance' means a 
        verifiable process to estimate or determine the age of a user 
        of a digital service with a given and documented degree of 
        certainty.''.

SEC. 3. REQUIREMENTS FOR PROCESSING OF COVERED INFORMATION OF CHILDREN 
              OR TEENAGERS.

    (a) In General.--Section 1303 of the Children's Online Privacy 
Protection Act of 1998 (15 U.S.C. 6502) is amended to read as follows:

``SEC. 1303. REQUIREMENTS FOR PROCESSING OF COVERED INFORMATION OF 
              CHILDREN OR TEENAGERS.

    ``(a) Requirements for Children's Services.--
            ``(1) Data minimization.--An operator of a children's 
        service shall process covered information under the principle 
        of data minimization, requiring the operator to process only 
        the minimum amount necessary for each purpose for which the 
        covered information is processed.
            ``(2) Transparency.--An operator of a children's service 
        shall develop and make publicly available, at all times and in 
        a machine-readable format, a privacy policy, in a manner that 
        is clear, easily understood, and written in plain and concise 
        language, that includes, with respect to operating the 
        children's service--
                    ``(A) the categories of covered information that 
                the operator processes about teenagers and children;
                    ``(B) how and under what circumstances covered 
                information is collected directly from a teenager or 
                child;
                    ``(C) the categories and the sources of any covered 
                information processed by the operator that is not 
                collected directly from a teenager or child;
                    ``(D) a description of the purposes for which the 
                operator processes covered information, including--
                            ``(i) a description of whether and how the 
                        operator customizes products or services for 
                        teenagers or children, or adjusts the prices of 
                        products or services for teenagers or children, 
                        based in any part on processing of covered 
                        information;
                            ``(ii) a description of whether and how the 
                        operator, or the operator's affiliates or 
                        service providers, de-identify information, 
                        including the methods used to de-identify such 
                        information; and
                            ``(iii) a description of whether and how 
                        the operator, or the operator's affiliates or 
                        service providers, generate or use any consumer 
                        score to make decisions concerning a teenager 
                        or child, and the source or sources of any such 
                        consumer score;
                    ``(E) a description of how long and the 
                circumstances under which the operator retains covered 
                information;
                    ``(F) a description of all of the purposes for 
                which the operator discloses covered information to 
                service providers and, on a biennial basis, the 
                categories of service providers;
                    ``(G) a description of whether and for what 
                purposes the operator discloses covered information to 
                third parties, and the categories of covered 
                information disclosed;
                    ``(H) a description of the categories of third 
                parties to which covered information described in 
                subparagraph (G) is disclosed, by category or 
                categories of covered information for each category of 
                third party to which the covered information is 
                disclosed;
                    ``(I) whether the operator discloses covered 
                information to third parties that sell or plan to sell 
                such covered information;
                    ``(J) whether the operator collects covered 
                information about teenagers or children over time and 
                across different digital services if a teenager or 
                child uses the operator's digital service;
                    ``(K) how a teenager or a parent of a child can 
                exercise their rights to access, correct, and delete 
                such teenager's or child's covered information as set 
                forth in paragraph (6);
                    ``(L) a listing of all possible consents that may 
                be obtained by the operator for the processing of 
                covered information, how a teenager or the parent of a 
                child can grant, withhold, withdraw, or modify any such 
                consent, and the consequences of withholding, 
                withdrawing, or modifying any such consent;
                    ``(M) the effective date of the privacy policy; and
                    ``(N) how the operator will communicate material 
                changes to the privacy policy to the teenager or the 
                parent of a child.
            ``(3) Consent required.--
                    ``(A) In general.--An operator of a children's 
                service shall--
                            ``(i) provide clear and concise notice to a 
                        teenager or the parent of a child of the items 
                        of covered information about such teenager or 
                        child, respectively, that are processed by such 
                        operator and how such operator processes such 
                        covered information;
                            ``(ii) obtain verifiable consent for such 
                        processing; and
                            ``(iii) if such operator determines, 
                        including through actual or constructive 
                        knowledge, that such operator has not obtained 
                        verifiable consent for any specific processing 
                        of covered information about a teenager or 
                        child, not later than 48 hours after such 
                        determination--
                                    ``(I) obtain verifiable consent; or
                                    ``(II) delete all covered 
                                information about such teenager or 
                                child.
                    ``(B) When consent not required.--Verifiable 
                consent under this paragraph is not required in the 
                case of--
                            ``(i) online contact information collected 
                        from a teenager or child that--
                                    ``(I) is used only to respond 
                                directly on a one-time basis to a 
                                specific request from the teenager or 
                                child;
                                    ``(II) is not used to re-contact 
                                the teenager or child; and
                                    ``(III) is not retained by the 
                                operator after responding as described 
                                in subclause (I);
                            ``(ii) a request for the name or online 
                        contact information of a teenager or the parent 
                        of a child that is used for the sole purpose of 
                        obtaining verifiable consent or providing 
                        notice under subparagraph (A)(i), where such 
                        information is not retained by the operator if 
                        verifiable consent is not obtained within 48 
                        hours; or
                            ``(iii) the processing of covered 
                        information that is necessary--
                                    ``(I) to respond to judicial 
                                process; or
                                    ``(II) to the extent permitted 
                                under other provisions of law, to 
                                provide information to law enforcement 
                                agencies or for an investigation on a 
                                matter related to public safety.
                    ``(C) Withdrawal of consent.--
                            ``(i) Mechanism for withdrawal.--An 
                        operator of a children's service shall provide 
                        a teenager or the parent of a child, as 
                        applicable--
                                    ``(I) a mechanism to withdraw 
                                consent to the processing of covered 
                                information at any time in a manner 
                                that is as easy as the mechanism to 
                                give consent; and
                                    ``(II) clear and conspicuous notice 
                                of the mechanism required by subclause 
                                (I).
                            ``(ii) Effect of withdrawal on prior 
                        processing.--Withdrawal of consent to the 
                        processing of covered information shall not be 
                        construed to affect the lawfulness of any 
                        processing of covered information based on 
                        verifiable consent that was in effect before 
                        such withdrawal.
                    ``(D) Prohibition on limiting or discontinuing 
                service.--An operator of a children's service may not 
                refuse to provide a service, or discontinue a service 
                provided, to a teenager or child, if the teenager or 
                parent of the child, as applicable, refuses to consent, 
                or withdraws consent, to the processing of any covered 
                information not technically required for the operator 
                to provide such service.
            ``(4) Retention of data.--
                    ``(A) Retention limitations.--Subject to the 
                exceptions provided in subparagraph (B), an operator of 
                a children's service may not keep, retain, or otherwise 
                store covered information for longer than is reasonably 
                necessary for the purposes for which the covered 
                information is processed.
                    ``(B) Exceptions.--Further retention of covered 
                information does not violate subparagraph (A) if the 
                processing of the covered information is necessary and 
                done solely for the purposes of--
                            ``(i) compliance with--
                                    ``(I) requirements to document 
                                compliance under this title; or
                                    ``(II) other laws, regulations, or 
                                legal obligations;
                            ``(ii) preventing risks to the health or 
                        safety of a child or teenager or groups of 
                        children or teenagers; or
                            ``(iii) repairing errors that impair the 
                        existing (as of the time when the repairs are 
                        made) functionality of the children's service.
            ``(5) Limitation on disclosing covered information to third 
        parties.--
                    ``(A) Disclosures.--Subject to the exceptions 
                provided in subparagraph (C), an operator of a 
                children's service may not disclose covered information 
                to a third party unless the operator has a written 
                agreement with such third party that--
                            ``(i) specifies all of the purposes for 
                        which the third party may process the covered 
                        information for which the operator has 
                        verifiable consent;
                            ``(ii) prohibits the third party from 
                        processing covered information for any purpose 
                        other than the purposes specified under clause 
                        (i); and
                            ``(iii) requires the third party to provide 
                        at least the same level of privacy and security 
                        protections as the operator.
                    ``(B) Responsibilities of operators regarding third 
                parties.--An operator of a children's service--
                            ``(i) shall perform reasonable due 
                        diligence in selecting any third party with 
                        which to enter into an agreement described in 
                        subparagraph (A) and shall exercise reasonable 
                        oversight over all such third parties to assure 
                        compliance with the requirements of this title 
                        and the regulations promulgated under this 
                        title; and
                            ``(ii) if the operator has actual or 
                        constructive knowledge that a third party has 
                        violated an agreement described in subparagraph 
                        (A), shall--
                                    ``(I) to the extent practicable, 
                                promptly take steps to ensure 
                                compliance with such agreement; and
                                    ``(II) promptly report to the 
                                Commission that such a violation 
                                occurred.
                    ``(C) Exceptions.--An operator of a children's 
                service may disclose covered information to a third 
                party other than under an agreement described in 
                subparagraph (A) if such disclosure is necessary and 
                done solely for the purposes of--
                            ``(i) compliance with--
                                    ``(I) requirements to document 
                                compliance under this title; or
                                    ``(II) other laws, regulations, or 
                                legal obligations;
                            ``(ii) preventing risks to the health or 
                        safety of a child or teenager or groups of 
                        children or teenagers; or
                            ``(iii) repairing errors that impair the 
                        existing (as of the time when the repairs are 
                        made) functionality of the children's service.
            ``(6) Right to access, correct, and delete covered 
        information.--
                    ``(A) Access.--An operator of a children's service, 
                subject to the exceptions in subparagraph (D), shall, 
                upon request of a teenager or the parent of a child and 
                after proper identification of such teenager or parent, 
                promptly provide to such teenager or parent, as 
                applicable--
                            ``(i) access to all covered information 
                        processed by the operator pertaining to such 
                        teenager or child, including a description of--
                                    ``(I) each type of covered 
                                information processed by the operator 
                                pertaining to the teenager or child, as 
                                applicable;
                                    ``(II) each purpose for which the 
                                operator processes each category of 
                                covered information pertaining to the 
                                teenager or child, as applicable;
                                    ``(III) the names of each third 
                                party to which the operator disclosed 
                                the covered information;
                                    ``(IV) each source other than the 
                                teenager or child, as applicable, from 
                                which the operator obtained covered 
                                information pertaining to that teenager 
                                or child, as applicable;
                                    ``(V) how long the covered 
                                information will be retained or stored 
                                by the operator and, if not known, the 
                                criteria the operator uses to determine 
                                how long the covered information will 
                                be retained or stored by the operator; 
                                and
                                    ``(VI) with respect to any consumer 
                                score of the teenager or child, as 
                                applicable, processed by the operator--
                                            ``(aa) how such score is 
                                        used by the operator to make 
                                        decisions with respect to that 
                                        teenager or child, as 
                                        applicable; and
                                            ``(bb) the source that 
                                        created the score if not 
                                        created by the operator; and
                            ``(ii) a simple and reasonable mechanism by 
                        which a teenager or parent of a child may 
                        request access to the information described 
                        under clause (i), as applicable.
                    ``(B) Deletion.--An operator of a children's 
                service, subject to the exceptions in subparagraph (D), 
                shall--
                            ``(i) establish a simple, publicly and 
                        easily accessible, and reasonable mechanism by 
                        which a teenager or parent of a child with 
                        respect to whom the operator processes covered 
                        information may request the operator to delete 
                        any such covered information (or any component 
                        thereof), including publicly available covered 
                        information submitted to the service by the 
                        child or teenager; and
                            ``(ii) delete such covered information not 
                        later than 45 days after receiving such 
                        request.
                    ``(C) Correction.--An operator of a children's 
                service, subject to the exceptions in subparagraph (D), 
                shall--
                            ``(i) provide each teenager or parent of a 
                        child with respect to whom the operator 
                        processes covered information, as applicable, a 
                        simple, publicly and easily accessible, and 
                        reasonable mechanism by which that teenager or 
                        parent may submit a request to the operator--
                                    ``(I) to dispute the accuracy or 
                                completeness of that covered 
                                information, or part or component 
                                thereof; and
                                    ``(II) to request that such covered 
                                information, or part or component 
                                thereof, be corrected for accuracy or 
                                completeness; and
                            ``(ii) not later than 45 days after 
                        receiving a request under clause (i)--
                                    ``(I) determine whether the covered 
                                information disputed or requested to be 
                                corrected is inaccurate or incomplete; 
                                and
                                    ``(II) correct the accuracy or 
                                completeness of any covered information 
                                determined by the operator to be 
                                inaccurate or incomplete.
                    ``(D) Exceptions.--An operator of a children's 
                service may deny a request made under subparagraph (A), 
                (B), or (C) if--
                            ``(i) the operator is unable to verify the 
                        identity of the teenager or parent of a child 
                        making the request after making a reasonable 
                        effort to verify the identity of such teenager 
                        or parent;
                            ``(ii) with respect to the request made, 
                        the operator determines that--
                                    ``(I) the operator is limited from 
                                fulfilling the request by law, legally 
                                recognized privilege, or other legal 
                                obligation; or
                                    ``(II) fulfilling the request would 
                                create a legitimate risk to the 
                                privacy, security, or safety of someone 
                                other than the teenager or child, as 
                                applicable;
                            ``(iii) with respect to a request to delete 
                        covered information made under subparagraph (B) 
                        or a request to correct covered information 
                        made under subparagraph (C), the operator 
                        determines that the retention of the covered 
                        information is necessary to--
                                    ``(I) complete the transaction with 
                                the teenager or child, as applicable, 
                                for which the covered information was 
                                collected;
                                    ``(II) provide a product or service 
                                affirmatively requested by the teenager 
                                or parent of a child, as applicable;
                                    ``(III) perform a contract with the 
                                teenager or a parent of a child, as 
                                applicable, including a contract for 
                                billing, financial reporting, or 
                                accounting;
                                    ``(IV) keep a record of the covered 
                                information for law enforcement 
                                purposes; or
                                    ``(V) repair errors that impair the 
                                existing (as of the time when the 
                                repairs are made) functionality of the 
                                children's service; or
                            ``(iv) the covered information is used in 
                        public or peer-reviewed scientific, medical, or 
                        statistical research in the public interest 
                        that adheres to commonly accepted ethical 
                        standards or laws, with informed consent 
                        consistent with section 50.20 of title 21, Code 
                        of Federal Regulations, if the research is 
                        already in progress at the time when the 
                        request to access, delete, or correct is made 
                        under subparagraph (A), (B), or (C).
                    ``(E) Prohibition on limiting or discontinuing 
                service.--An operator of a children's service may not 
                refuse to provide a service, or discontinue a service 
                provided, to a teenager or child on the basis of the 
                exercise by the teenager or the parent of the child, as 
                applicable, of any of the rights set forth in this 
                paragraph.
            ``(7) Additional prohibited practices with respect to 
        teenagers and children.--
                    ``(A) In general.--An operator of a children's 
                service may not--
                            ``(i) process any covered information in a 
                        manner that is inconsistent with what a 
                        reasonable teenager or parent of a child would 
                        expect in the context of a particular 
                        transaction or the teenager's or parent's 
                        relationship with such operator, or seek to 
                        obtain verifiable consent for such processing;
                            ``(ii) process any covered information in a 
                        manner that is harmful or has been shown to be 
                        detrimental to the well-being of children or 
                        teenagers;
                            ``(iii) process covered information for the 
                        purpose of providing for targeted personalized 
                        advertising or engage in other marketing to a 
                        specific child or teenager or group of children 
                        or teenagers based on--
                                    ``(I) using the covered 
                                information, online behavior, or group 
                                identifiers of such child or teenager 
                                or of the children or teenagers in such 
                                group; or
                                    ``(II) using the covered 
                                information or online behavior of 
                                children or teenagers who share 
                                characteristics with such child or 
                                teenager or with the children or 
                                teenagers in such group, including 
                                income level or protected 
                                characteristics or proxies thereof;
                            ``(iv) condition the participation of a 
                        child or teenager in a game, sweepstakes, or 
                        other contest on consenting to the processing 
                        of more covered information than is necessary 
                        for such child or teenager to participate;
                            ``(v) engage in cross-device tracking of a 
                        child or teenager unless the child or teenager 
                        is logged in to a specific service, for the 
                        sole purpose of facilitating the primary 
                        purpose of the service or a specific feature 
                        thereof;
                            ``(vi) engage in algorithmic processes that 
                        harmfully discriminate on the basis of race, 
                        age, gender, ability, or other protected 
                        characteristics;
                            ``(vii) disclose biometric information, 
                        except to a service provider of the operator;
                            ``(viii) disclose geolocation information, 
                        except to a service provider of the operator; 
                        or
                            ``(ix) collect geolocation information by 
                        default or without disclosing clearly when 
                        geolocation tracking is in effect.
                    ``(B) Exceptions.--Nothing in subparagraph (A) 
                shall prohibit an operator from processing covered 
                information if the processing of the covered 
                information is necessary and done solely for the 
                purposes of--
                            ``(i) compliance with--
                                    ``(I) requirements to document 
                                compliance under this title; or
                                    ``(II) other laws, regulations, or 
                                legal obligations;
                            ``(ii) preventing risks to the health or 
                        safety of a child or teenager or groups of 
                        children or teenagers; or
                            ``(iii) repairing errors that impair the 
                        existing (as of the time when the repairs are 
                        made) functionality of the children's service.
            ``(8) Security requirements.--
                    ``(A) In general.--An operator of a children's 
                service shall establish, implement, and maintain 
                reasonable security policies, practices, and procedures 
                for the protection of covered information, taking into 
                consideration--
                            ``(i) the size, nature, scope, and 
                        complexity of the activities engaged in by such 
                        operator;
                            ``(ii) the sensitivity of any covered 
                        information at issue; and
                            ``(iii) the cost of implementing such 
                        policies, practices, and procedures.
                    ``(B) Specific requirements.--The policies, 
                practices, and procedures established by an operator 
                under subparagraph (A) shall include the following:
                            ``(i) A written security policy with 
                        respect to the processing of such covered 
                        information.
                            ``(ii) The identification of an officer or 
                        other individual as the point of contact with 
                        responsibility for the management of 
                        information security.
                            ``(iii) A process for identifying and 
                        assessing any reasonably foreseeable 
                        vulnerabilities in the system or systems 
                        maintained by such operator that contain such 
                        covered information, including regular 
                        monitoring for a breach of security of such 
                        system or systems.
                            ``(iv) A process for taking preventive and 
                        corrective action to mitigate against any 
                        vulnerabilities identified in the process 
                        required by clause (iii), which may include--
                                    ``(I) implementing any changes to 
                                the security practices, architecture, 
                                installation, or implementation of 
                                network or operating software; and
                                    ``(II) regular testing or otherwise 
                                monitoring the effectiveness of the 
                                safeguards.
                            ``(v) A process for determining if the 
                        covered information is no longer needed and 
                        deleting such covered information by shredding, 
                        permanently erasing, or otherwise modifying the 
                        covered information to make such covered 
                        information permanently unreadable or 
                        indecipherable.
                            ``(vi) A process for overseeing persons 
                        (other than users of the children's service) 
                        who have access to covered information, 
                        including through internet-connected devices, 
                        by--
                                    ``(I) taking reasonable steps to 
                                select and retain persons that are 
                                capable of maintaining appropriate 
                                safeguards for the covered information 
                                or internet-connected devices at issue; 
                                and
                                    ``(II) requiring all such persons 
                                to implement and maintain such 
                                safeguards.
                            ``(vii) A process for employee training and 
                        supervision for implementation of the policies, 
                        practices, and procedures required by this 
                        subsection.
                            ``(viii) A written plan or protocol for 
                        internal and public response in the event of a 
                        breach of security.
                    ``(C) Periodic assessment and consumer privacy and 
                data security modernization.--An operator of a 
                children's service shall, not less frequently than 
                every 12 months, monitor, evaluate, and adjust, as 
                appropriate, the policies, practices, and procedures of 
                such operator in light of any relevant changes in--
                            ``(i) technology;
                            ``(ii) internal or external threats and 
                        vulnerabilities to covered information; and
                            ``(iii) the changing business arrangements 
                        of the operator.
                    ``(D) Submission of policies to the ftc.--An 
                operator of a children's service shall submit the 
                policies, practices, and procedures established by the 
                operator under subparagraph (A) to the Commission in 
                conjunction with a notification of a breach of security 
                required by any Federal or State statute or regulation 
                or upon request of the Commission.
    ``(b) Rulemaking Regarding Requirements for Digital Services Likely 
To Be Accessed by Children or Teenagers.--
            ``(1) In general.--The Commission shall promulgate 
        regulations under section 553 of title 5, United States Code, 
        that contain requirements for operators of digital services 
        that are not children's services but are likely to be accessed 
        by children or teenagers, which shall be based on the 
        requirements of subsection (a) but modified as the Commission 
        considers appropriate given a risk-based approach to determine 
        age and to determine and mitigate privacy risks and security 
        risks to the child or teenager, and given differing 
        developmental needs and cognitive capacities of children or 
        teenagers. The Commission may include in such regulations 
        different requirements for operators of different types of such 
        services.
            ``(2) Best interests of child or teenager.--The regulations 
        promulgated under paragraph (1) shall require an operator to 
        make the best interests of children and teenagers a primary 
        design consideration when designing its service, including by 
        conducting a privacy and security impact assessment and 
        mitigation for the service.
            ``(3) Risk-based approach to determining age of user.--
                    ``(A) In general.--The regulations promulgated 
                under paragraph (1) shall require a risk-based approach 
                to determining the age of a specific user of a digital 
                service under which higher privacy risks and security 
                risks from the processing of covered information 
                require a higher certainty of age assurance.
                    ``(B) Age assurance.--The regulations promulgated 
                under paragraph (1) shall require an operator to 
                conduct an age assurance to determine the age of each 
                specific user.
                    ``(C) Approval of age assurance mechanisms.--The 
                Commission shall establish in the regulations 
                promulgated under paragraph (1) a process under which 
                an operator may obtain the approval of the Commission 
                of particular mechanisms of age assurance as meeting 
                the age assurance requirements of such regulations for 
                particular levels of privacy risks.
                    ``(D) Data minimization.--The regulations required 
                by paragraph (1) shall provide that any data collected 
                for age assurance shall be the minimal amount necessary 
                and destroyed immediately or as determined by the 
                Commission, but consistent with standards that still 
                allow for auditing and compliance.
    ``(c) Prohibition on Certain Advertising or Marketing for Digital 
Services Likely To Be Accessed by Children or Teenagers.--An operator 
of a digital service that is likely to be accessed by children or 
teenagers may not process covered information for the purpose of 
providing for targeted personalized advertising or engage in other 
marketing to a specific child or teenager or group of children or 
teenagers based on--
            ``(1) using the covered information, online behavior, or 
        group identifiers of such child or teenager or of the children 
        or teenagers in such group; or
            ``(2) using the covered information or online behavior of 
        children or teenagers who share characteristics with such child 
        or teenager or with the children or teenagers in such group, 
        including income level or protected characteristics or proxies 
        thereof.
    ``(d) Implementing Regulations.--
            ``(1) In general.--Not later than 1 year after the date of 
        the enactment of the Protecting the Information of our 
        Vulnerable Adolescents, Children, and Youth Act, the Commission 
        shall promulgate, under section 553 of title 5, United States 
        Code, such regulations as may be necessary to carry out this 
        section, including the regulations required by subsection (b).
            ``(2) Review and revision.--Not later than 10 years after 
        the date on which the Commission promulgates the regulations 
        required by paragraph (1), the Commission shall review such 
        regulations and, if the Commission considers revisions to such 
        regulations appropriate, promulgate such revisions under 
        section 553 of title 5, United States Code.
    ``(e) Enforcement.--Subject to section 1306, a violation of this 
section or a regulation promulgated under this section shall be treated 
as a violation of a rule defining an unfair or deceptive act or 
practice prescribed under section 18(a)(1)(B) of the Federal Trade 
Commission Act (15 U.S.C. 57a(a)(1)(B)).''.
    (b) Conforming Amendments.--Section 1305 of the Children's Online 
Privacy Protection Act of 1998 (15 U.S.C. 6504) is amended--
            (1) in subsection (a)(1)--
                    (A) by striking ``any regulation of the Commission 
                prescribed under section 1303(b)'' and inserting 
                ``section 1303 or a regulation promulgated under such 
                section''; and
                    (B) in subparagraph (B), by striking ``the 
                regulation'' and inserting ``such section or such 
                regulation''; and
            (2) in subsection (d)--
                    (A) by striking ``any regulation prescribed under 
                section 1303'' and inserting ``section 1303 or a 
                regulation promulgated under such section''; and
                    (B) by striking ``that regulation'' and inserting 
                ``such section or such regulation''.

SEC. 4. REPEAL OF SAFE HARBORS PROVISION.

    (a) In General.--Section 1304 of the Children's Online Privacy 
Protection Act of 1998 (15 U.S.C. 6503) is repealed.
    (b) Conforming Amendment.--Section 1305(b) of the Children's Online 
Privacy Protection Act of 1998 (15 U.S.C. 6504(b)) is amended by 
striking paragraph (3).

SEC. 5. ADMINISTRATION AND APPLICABILITY OF ACT.

    (a) Enforcement by Federal Trade Commission.--Section 1306(d) of 
the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 
6505(d)) is amended to read as follows:
    ``(d) Actions by the Commission.--
            ``(1) In general.--Except as provided in paragraphs (2) and 
        (3), the Commission shall prevent any person from violating 
        section 1303 or a regulation promulgated under such section in 
        the same manner, by the same means, and with the same 
        jurisdiction, powers, and duties as though all applicable terms 
        and provisions of the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) were incorporated into and made a part of this 
        title, and any person who violates such section or such 
        regulation shall be subject to the penalties and entitled to 
        the privileges and immunities provided in the Federal Trade 
        Commission Act in the same manner, by the same means, and with 
        the same jurisdiction, power, and duties as though all 
        applicable terms and provisions of the Federal Trade Commission 
        Act were incorporated into and made a part of this title.
            ``(2) Increased civil penalty amount.--In the case of a 
        civil penalty under subsection (l) or (m) of section 5 of the 
        Federal Trade Commission Act (15 U.S.C. 45) relating to acts or 
        practices in violation of section 1303 or a regulation 
        promulgated under such section, the maximum dollar amount per 
        violation shall be $63,795.
            ``(3) Nonprofit organizations and common carriers.--
        Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade 
        Commission Act (15 U.S.C. 44; 45(a)(2); 46) or any other 
        jurisdictional limitation of the Commission, the Commission 
        shall also enforce section 1303 or a regulation promulgated 
        under such section in the same manner as otherwise provided in 
        this title with respect to--
                    ``(A) any organization not organized to carry on 
                business for its own profit or that of its members; and
                    ``(B) any common carrier subject to the 
                Communications Act of 1934 (47 U.S.C. 151 et seq.) and 
                all Acts amendatory thereof and supplementary 
                thereto.''.
    (b) Enforcement by Certain Other Agencies.--Section 1306 of the 
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6505) is 
amended--
            (1) in subsection (b)--
                    (A) in paragraph (1), by striking ``, in the case 
                of'' and all that follows and inserting the following: 
                ``by the appropriate Federal banking agency, with 
                respect to any insured depository institution (as those 
                terms are defined in section 3 of that Act (12 U.S.C. 
                1813));'';
                    (B) in paragraph (6), by striking ``Federal land 
                bank, Federal land bank association, Federal 
                intermediate credit bank, or production credit 
                association'' and inserting ``Farm Credit Bank, 
                Agricultural Credit Bank (to the extent exercising the 
                authorities of a Farm Credit Bank), Federal Land Credit 
                Association, or agricultural credit association''; and
                    (C) by striking paragraph (2) and redesignating 
                paragraphs (3) through (6) as paragraphs (2) through 
                (5), respectively; and
            (2) in subsection (c), by striking ``subsection (a)'' each 
        place it appears and inserting ``subsection (b)''.

SEC. 6. REVIEW.

    Section 1307 of the Children's Online Privacy Protection Act of 
1998 (15 U.S.C. 6506) is amended--
            (1) in the matter preceding paragraph (1), by striking 
        ``the regulations initially issued under section 1303'' and 
        inserting ``the regulations required by subsection (d)(1) of 
        section 1303, as amended by the Protecting the Information of 
        our Vulnerable Adolescents, Children, and Youth Act''; and
            (2) by amending paragraph (1) to read as follows:
            ``(1) review the implementation of this title, including 
        the effect of the implementation of this title on practices 
        relating to the processing of covered information about 
        teenagers or children and teenager's and children's ability to 
        obtain access to information of their choice online; and''.

SEC. 7. PRIVATE RIGHT OF ACTION.

    The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 
6501 et seq.) is amended--
            (1) by redesignating sections 1307 and 1308 as sections 
        1308 and 1309, respectively; and
            (2) by inserting after section 1306 the following:

``SEC. 1307. PRIVATE RIGHT OF ACTION.

    ``(a) Right of Action.--Any parent of a teenager or parent of a 
child alleging a violation of section 1303 or a regulation promulgated 
under such section with respect to the covered information of such 
teenager or child may bring a civil action in any court of competent 
jurisdiction.
    ``(b) Injury in Fact.--A violation of section 1303 or a regulation 
promulgated under such section with respect to the covered information 
of a teenager or child constitutes an injury in fact to that teenager 
or child.
    ``(c) Relief.--In a civil action brought under subsection (a) in 
which the plaintiff prevails, the court may award--
            ``(1) injunctive relief;
            ``(2) actual damages;
            ``(3) punitive damages;
            ``(4) reasonable attorney's fees and costs; and
            ``(5) any other relief that the court determines 
        appropriate.
    ``(d) Pre-Dispute Arbitration Agreements.--
            ``(1) In general.--No pre-dispute arbitration agreement or 
        pre-dispute joint-action waiver shall be valid or enforceable 
        with respect to any claim arising under section 1303 or a 
        regulation promulgated under such section.
            ``(2) Determination.--A determination as to whether and how 
        this title or a regulation promulgated under this title applies 
        to an arbitration agreement shall be determined under Federal 
        law by the court, rather than the arbitrator, irrespective of 
        whether the party opposing arbitration challenges such 
        agreement specifically or in conjunction with any other term of 
        the contract containing such agreement.
            ``(3) Definitions.--As used in this subsection--
                    ``(A) the term `pre-dispute arbitration agreement' 
                means any agreement to arbitrate a dispute that has not 
                arisen at the time of the making of the agreement; and
                    ``(B) the term `pre-dispute joint-action waiver' 
                means an agreement, whether or not part of a pre-
                dispute arbitration agreement, that would prohibit, or 
                waive the right of, one of the parties to the agreement 
                to participate in a joint, class, or collective action 
                in a judicial, arbitral, administrative, or other 
                forum, concerning a dispute that has not yet arisen at 
                the time of the making of the agreement.
    ``(e) Non-Waiveability.--The rights and remedies provided under 
this title may not be waived or limited by contract or otherwise.''.

SEC. 8. RELATIONSHIP TO OTHER LAW.

    Section 1306 of the Children's Online Privacy Protection Act of 
1998 (15 U.S.C. 6505) is further amended by adding at the end the 
following:
    ``(f) Relationship to Other Law.--
            ``(1) Other federal privacy or security provisions.--
        Nothing in this title or a regulation promulgated under this 
        title may be construed to modify, limit, or supersede the 
        operation of any privacy or security provision in any other 
        Federal statute or regulation.
            ``(2) State law.--Nothing in this title or a regulation 
        promulgated under this title may be construed to preempt, 
        displace, or supplant any State common law or statute, except 
        to the extent that any such common law or statute specifically 
        and directly conflicts with the provisions of this title or a 
        regulation promulgated under this title, and then only to the 
        extent of the specific and direct conflict. Any such common law 
        or statute is not in specific and direct conflict if it affords 
        a greater level of protection to a child or teenager than the 
        provisions of this title or a regulation promulgated under this 
        title.
            ``(3) Section 230 of the communications act of 1934.--
        Nothing in section 230 of the Communications Act of 1934 (47 
        U.S.C. 230) may be construed to impair or limit the provisions 
        of this title or a regulation promulgated under this title.''.

SEC. 9. ADDITIONAL CONFORMING AMENDMENT.

    The heading of title XIII of division C of the Omnibus Consolidated 
and Emergency Supplemental Appropriations Act, 1999 (Public Law 105-
277; 112 Stat. 2681-728) is amended by inserting ``AND TEENAGER'S'' 
after ``CHILDREN'S''.

SEC. 10. YOUTH PRIVACY AND MARKETING DIVISION.

    (a) Establishment.--There is established within the Commission a 
division to be known as the Youth Privacy and Marketing Division.
    (b) Director.--The Youth Privacy and Marketing Division shall be 
headed by a Director, who shall be appointed by the Chairman of the 
Commission.
    (c) Duties.--The Youth Privacy and Marketing Division shall be 
responsible for assisting the Commission in addressing, as it relates 
to this Act and the amendments made by this Act--
            (1) the privacy of children and teenagers; and
            (2) marketing directed at children and teenagers.
    (d) Staff.--The Youth Privacy and Marketing Division shall be 
comprised of adequate staff to carry out the duties under subsection 
(c), including individuals who are experts in data protection, digital 
advertising, data analytics, and youth development.
    (e) Reports.--Not later than 1 year after the date of the enactment 
of this Act, and every 2 years thereafter, the Director of the Youth 
Privacy and Marketing Division shall submit to the Committee on 
Commerce, Science, and Transportation of the Senate and the Committee 
on Energy and Commerce of the House of Representatives a report that 
includes--
            (1) a description of the work of the Youth Privacy and 
        Marketing Division on emerging concerns relating to youth 
        privacy and marketing practices; and
            (2) an assessment of how effectively the Commission has, 
        during the period for which the report is submitted, addressed 
        youth privacy and marketing practices.
    (f) Definitions.--In this section, the terms ``child'' and 
``teenager'' have the meanings given such terms in section 1302 of the 
Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501), as 
amended by this Act.

SEC. 11. COMMISSION DEFINED.

    In this Act, the term ``Commission'' means the Federal Trade 
Commission.

SEC. 12. EFFECTIVE DATE.

    The amendments made by this Act, except for subsection (d)(1) of 
section 1303 of the Children's Online Privacy Protection Act of 1998 
(15 U.S.C. 6502), shall take effect on the date that is 1 year after 
the date on which the Commission promulgates the regulations required 
by such subsection (d)(1).
                                 <all>