[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5778 Introduced in House (IH)]

<DOC>






118th CONGRESS
  1st Session
                                H. R. 5778

 To require large social media platform providers to create, maintain, 
 and make available to third-party safety software providers a set of 
real-time application programming interfaces, through which a child or 
  a parent or legal guardian of a child may delegate permission to a 
third-party safety software provider to manage the online interactions, 
 content, and account settings of such child on the large social media 
   platform on the same terms as such child, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 28, 2023

Ms. Wasserman Schultz (for herself, Mr. Carter of Georgia, Ms. Schrier, 
    and Mrs. Miller-Meeks) introduced the following bill; which was 
            referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
 To require large social media platform providers to create, maintain, 
 and make available to third-party safety software providers a set of 
real-time application programming interfaces, through which a child or 
  a parent or legal guardian of a child may delegate permission to a 
third-party safety software provider to manage the online interactions, 
 content, and account settings of such child on the large social media 
   platform on the same terms as such child, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Sammy's Law of 2023''.

SEC. 2. SENSE OF CONGRESS.

    It is the sense of Congress that--
            (1) parents and legal guardians should be empowered to use 
        the services of third-party safety software providers to 
        protect the children of such parents and legal guardians from 
        certain harms on large social media platforms; and
            (2) dangers like cyberbullying, human trafficking, illegal 
        drug distribution, sexual harassment, and violence perpetrated, 
        facilitated, or exacerbated through the use of certain large 
        social media platforms have harmed children on such platforms.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Child.--The term ``child'' means any individual under 
        the age of 17 years who has registered an account with a large 
        social media platform.
            (2) Commerce.--The term ``commerce'' has the meaning given 
        such term in section 4 of the Federal Trade Commission Act (15 
        U.S.C. 44).
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Large social media platform.--The term ``large social 
        media platform''--
                    (A) means a service--
                            (i) provided through an internet website or 
                        a mobile application (or both);
                            (ii) the terms of service of which do not 
                        prohibit the use of the service by a child;
                            (iii) with any feature or features that 
                        enable a child to share images, text, or video 
                        through the internet with other users of the 
                        service whom such child has met, identified, or 
                        become aware of solely through the use of the 
                        service; and
                            (iv) that has more than 100,000,000 monthly 
                        global active users or generates more than 
                        $1,000,000,000 in gross revenue per year, 
                        adjusted yearly for inflation; and
                    (B) does not include--
                            (i) a service that primarily serves--
                                    (I) to facilitate--
                                            (aa) the sale or provision 
                                        of professional services; or
                                            (bb) the sale of commercial 
                                        products; or
                                    (II) to provide news or 
                                information, where the service does not 
                                offer the ability for content to be 
                                sent by a user directly to a child; or
                            (ii) a service that--
                                    (I) has a feature that enables a 
                                user who communicates directly with a 
                                child through a message (including a 
                                text, audio, or video message) not 
                                otherwise available to other users of 
                                the service to add other users to that 
                                message that such child may not have 
                                otherwise met, identified, or become 
                                aware of solely through the use of the 
                                service; and
                                    (II) does not have any feature or 
                                features described in subparagraph 
                                (A)(iii).
            (5) Large social media platform provider.--The term ``large 
        social media platform provider'' means any person who, for 
        commercial purposes in or affecting commerce, provides, 
        manages, operates, or controls a large social media platform.
            (6) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (7) Third-party safety software provider.--The term 
        ``third-party safety software provider'' means any person who, 
        for commercial purposes in or affecting commerce, is authorized 
        by a child (if the child is 13 years of age or older) or a 
        parent or legal guardian of a child to interact with a large 
        social media platform to manage the online interactions, 
        content, or account settings of such child for the sole purpose 
        of protecting such child from harm, including physical or 
        emotional harm.
            (8) User data.--The term ``user data'' means any 
        information needed to have a profile on a large social media 
        platform or content on a large social media platform, including 
        images, video, audio, or text, that is created by or sent to a 
        child on or through the account of such child with such 
        platform, but only--
                    (A) if the information or content is created by or 
                sent to such child while a delegation under section 
                4(a) is in effect with respect to the account; and
                    (B) during a 30-day period beginning on the date on 
                which the information or content is created by or sent 
                to such child.

SEC. 4. PROVIDING ACCESS TO THIRD-PARTY SAFETY SOFTWARE.

    (a) Duty of Large Social Media Platform Providers.--
            (1) In general.--Not later than 30 days after the effective 
        date of this Act (in the case of a service that is a large 
        social media platform on such effective date) or not later than 
        30 days after a service becomes a large social media platform 
        (in the case of a service that becomes a large social media 
        platform after such effective date), the large social media 
        platform provider shall create, maintain, and make available to 
        any third-party safety software provider registered with the 
        Commission under subsection (b)(1) a set of third-party-
        accessible real-time application programming interfaces, 
        including any information necessary to use such interfaces, by 
        which a child (if the child is 13 years of age or older) or a 
        parent or legal guardian of a child may delegate permission to 
        the third-party safety software provider to--
                    (A) manage the online interactions, content, and 
                account settings of such child on the large social 
                media platform on the same terms as such child; and
                    (B) initiate secure transfers of user data from the 
                large social media platform in a commonly-used and 
                machine-readable format to the third-party safety 
                software provider, where the frequency of such 
                transfers may not be limited by the large social media 
                platform provider to less than once per hour.
            (2) Revocation.--Once a child or a parent or legal guardian 
        of a child makes a delegation under paragraph (1), the large 
        social media platform provider shall make the application 
        programming interfaces and information described in such 
        paragraph available to the third-party safety software provider 
        on an ongoing basis until--
                    (A) the child (if the child made the delegation) or 
                the parent or legal guardian of such child revokes the 
                delegation;
                    (B) the child or a parent or legal guardian of such 
                child revokes or disables the registration of the 
                account of such child with the large social media 
                platform;
                    (C) the third-party safety software provider 
                rejects the delegation; or
                    (D) one or more of the affirmations made by the 
                third-party safety software provider under subsection 
                (b)(1)(A) is no longer true.
            (3) Secure transfer of user data.--A large social media 
        platform provider shall establish and implement reasonable 
        policies, practices, and procedures regarding the secure 
        transfer of user data pursuant to a delegation under paragraph 
        (1) from the large social media platform to a third-party 
        safety software provider in order to mitigate any risks related 
        to user data.
            (4) Disclosure.--In the case of a delegation made by a 
        child or a parent or legal guardian of a child under paragraph 
        (1) with respect to the account of such child with a large 
        social media platform, the large social media platform provider 
        shall--
                    (A) disclose to such child and (if the parent or 
                legal guardian made the delegation) the parent or legal 
                guardian the fact that the delegation has been made;
                    (B) provide to such child and (if such parent or 
                legal guardian made the delegation) such parent or 
                legal guardian a summary of the user data that is 
                transferred to the third-party safety software 
                provider; and
                    (C) update the summary provided under subparagraph 
                (B) as necessary to reflect any change to the user data 
                that is transferred to the third-party safety software 
                provider.
    (b) Registration With Commission.--
            (1) Third-party safety software providers.--
                    (A) Registration.--A third-party safety software 
                provider shall register with the Commission as a 
                condition of accessing an application programming 
                interface and any information under subsection (a). 
                Such registration shall require the third-party safety 
                software provider to affirm that the third-party safety 
                software provider--
                            (i) is a company based in the United 
                        States;
                            (ii) is solely engaged in the business of 
                        internet safety;
                            (iii) will use any user data obtained under 
                        subsection (a) solely for the purpose of 
                        protecting a child from harm;
                            (iv) will only disclose user data obtained 
                        under subsection (a) as permitted by subsection 
                        (f); and
                            (v) will disclose, in an easy-to-
                        understand, human-readable format, to each 
                        child with respect to whose account with a 
                        large social media platform the service of the 
                        third-party safety software provider is 
                        operating and (if a parent or legal guardian of 
                        the child made the delegation under subsection 
                        (a) with respect to the account) to the parent 
                        or legal guardian, sufficient information 
                        detailing the operation of the service and what 
                        information the third-party safety software 
                        provider is collecting to enable such child and 
                        (if applicable) such parent or legal guardian 
                        to make informed decisions regarding the use of 
                        the service.
                    (B) Notification of changes.--Not later than 30 
                days after the date on which there is a change to an 
                affirmation made under subparagraph (A) by a third-
                party safety software provider that is registered under 
                such subparagraph, the provider shall notify the 
                following about such change:
                            (i) The Commission.
                            (ii) Each child with respect to whose 
                        account with a large social media platform the 
                        service of the third-party safety software 
                        provider is operating and (if a parent or legal 
                        guardian of the child made the delegation under 
                        subsection (a) with respect to the account) the 
                        parent or legal guardian.
                    (C) Deregistration by commission.--The Commission 
                shall establish a process to deregister a third-party 
                safety software provider that the Commission 
                determines--
                            (i) has violated or misrepresented the 
                        affirmations made under subparagraph (A); or
                            (ii) has not notified the Commission, a 
                        child, or a parent or legal guardian of a child 
                        of a change to such an affirmation as required 
                        by subparagraph (B).
                    (D) Notification of deregistration.--
                            (i) Notification of large social media 
                        platform providers by commission.--If the 
                        Commission deregisters a third-party safety 
                        software provider under subparagraph (C), the 
                        Commission shall notify each large social media 
                        platform provider of--
                                    (I) the deregistration of the 
                                third-party safety software provider; 
                                and
                                    (II) the specific reason for the 
                                deregistration.
                            (ii) Notification of children and parents 
                        or legal guardians by large social media 
                        platform providers.--A large social media 
                        platform provider that receives a notification 
                        from the Commission under clause (i) that a 
                        third-party safety software provider has been 
                        deregistered by the Commission under 
                        subparagraph (C) shall notify each child with 
                        respect to whose account with the large social 
                        media platform the service of the third-party 
                        safety software provider was operating and (if 
                        a parent or legal guardian of the child made 
                        the delegation under subsection (a) with 
                        respect to the account) the parent or legal 
                        guardian of--
                                    (I) the deregistration of such 
                                third-party safety software provider; 
                                and
                                    (II) the specific reason for such 
                                deregistration provided by the 
                                Commission under clause (i)(II).
            (2) Large social media platforms.--
                    (A) Registration.--Not later than 30 days after the 
                effective date of this Act (in the case of a service 
                that is a large social media platform on such effective 
                date) or not later than 30 days after a service becomes 
                a large social media platform (in the case of a service 
                that becomes a large social media platform after such 
                effective date), the large social media platform 
                provider of the platform shall register the platform 
                with the Commission by submitting to the Commission a 
                statement indicating that the platform is a large 
                social media platform.
                    (B) Deregistration by commission.--The Commission 
                shall establish a process to deregister a service 
                registered under subparagraph (A) if the service is no 
                longer a large social media platform. The Commission 
                shall permit the person who provides, manages, 
                operates, or controls a service registered under 
                subparagraph (A) to submit to the Commission 
                information indicating that the service is no longer a 
                large social media platform.
            (3) Public availability of registration lists.--The 
        Commission shall make publicly available on the internet 
        website of the Commission a list of the third-party safety 
        software providers registered under paragraph (1), a list of 
        the large social media platforms registered under paragraph 
        (2), and a list of the third-party safety software providers 
        deregistered by the Commission under paragraph (1)(C).
    (c) Authentication.--Not later than 180 days after the date of the 
enactment of this Act, the Commission shall issue guidance to 
facilitate the ability of a third-party safety software provider to 
obtain user data or access under subsection (a) in a manner that 
ensures that a request for user data or access on behalf of a child is 
a verifiable request.
    (d) Guidance and Consumer Education.--The Commission shall--
            (1) not later than 180 days after the date of the enactment 
        of this Act, issue guidance for large social media platform 
        providers and third-party safety software providers regarding 
        the maintenance of reasonable safety standards to protect user 
        data; and
            (2) educate consumers regarding the rights of consumers 
        under this Act.
    (e) Indemnification.--In any civil action in Federal or State court 
(other than an action brought by the Commission), a large social media 
platform provider may not be held liable for damages arising out of the 
transfer of user data to a third-party safety software provider under 
subsection (a), if the large social media platform provider has in good 
faith complied with the requirements of this Act and the guidance 
issued by the Commission under this Act.
    (f) User Data Disclosure.--
            (1) Permitted disclosures.--A third-party safety software 
        provider may not disclose any user data obtained under 
        subsection (a) to any other person except--
                    (A) pursuant to a lawful request from a government 
                body, including for law enforcement purposes or for 
                judicial or administrative proceedings by means of a 
                court order or a court-ordered warrant, a subpoena or 
                summons issued by a judicial officer, or a grand jury 
                subpoena;
                    (B) to the extent that such disclosure is required 
                by law and such disclosure complies with and is limited 
                to the relevant requirements of such law;
                    (C) to the child or a parent or legal guardian of 
                the child who made a delegation under such subsection 
                and whose data is at issue, with such third-party 
                safety software provider making a good faith effort to 
                ensure that such disclosure includes only the user data 
                necessary for a reasonable parent or caregiver to 
                understand that such child is experiencing (or is at 
                foreseeable risk to experience) the following harms--
                            (i) suicide;
                            (ii) anxiety;
                            (iii) depression;
                            (iv) eating disorders;
                            (v) violence, including being the victim of 
                        or planning to commit or facilitate assault;
                            (vi) substance abuse;
                            (vii) fraud;
                            (viii) severe forms of trafficking in 
                        persons (as defined in section 103 of the 
                        Trafficking Victims Protection Act of 2000 (22 
                        U.S.C. 7102));
                            (ix) sexual abuse;
                            (x) physical injury;
                            (xi) harassment;
                            (xii) sexually explicit conduct or child 
                        pornography (as defined in section 2256 of 
                        title 18, United States Code);
                            (xiii) terrorism (as defined in section 
                        140(d) of the Foreign Relations Authorization 
                        Act, Fiscal Years 1988 and 1989 (22 U.S.C. 
                        2656f(d))), including communications with or in 
                        support of a foreign terrorist organization (as 
                        designated by the Secretary of State under 
                        section 219(a) of the Immigration and 
                        Nationality Act (8 U.S.C. 1189(a)));
                            (xiv) academic dishonesty, including 
                        cheating, plagiarism, and other forms of 
                        academic dishonesty that are intended to gain 
                        an unfair academic advantage; and
                            (xv) sharing personal information, limited 
                        to--
                                    (I) home address;
                                    (II) phone number;
                                    (III) social security number; and
                                    (IV) personal banking information;
                    (D) in the case of a reasonably foreseeable serious 
                and imminent threat to the health or safety of any 
                individual, if the disclosure is made to a person or 
                persons reasonably able to prevent or lessen the 
                threat; or
                    (E) to a public health authority or other 
                appropriate government authority authorized by law to 
                receive reports of child abuse or neglect.
            (2) Disclosure reporting.--A third-party safety software 
        provider that makes a disclosure permitted by paragraph (1)(A), 
        (1)(B), (1)(D), or (1)(E) shall promptly inform the child with 
        respect to whose account with a large social media platform the 
        delegation was made under subsection (a) and (if a parent or 
        legal guardian of the child made the delegation) the parent or 
        legal guardian that such a disclosure has been or will be made, 
        except if--
                    (A) the third-party safety software provider, in 
                the exercise of professional judgment, believes 
                informing such child or parent or legal guardian would 
                place such child at risk of serious harm; or
                    (B) the third-party safety software provider is 
                prohibited by law (including a valid order by a court 
                or administrative body) from informing such child or 
                parent or legal guardian.

SEC. 5. IMPLEMENTATION AND ENFORCEMENT.

    (a) Enforcement.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act shall be treated as a violation of a rule defining an 
        unfair or deceptive act or practice prescribed under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)).
            (2) Powers of commission.--
                    (A) In general.--The Commission shall enforce this 
                Act in the same manner, by the same means, and with the 
                same jurisdiction, powers, and duties as though all 
                applicable terms and provisions of the Federal Trade 
                Commission Act (15 U.S.C. 41 et seq.) were incorporated 
                into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates this Act shall be subject to the penalties and 
                entitled to the privileges and immunities provided in 
                the Federal Trade Commission Act (15 U.S.C. 41 et 
                seq.).
            (3) Preservation of authority.--Nothing in this Act may be 
        construed to limit the authority of the Commission under any 
        other provision of law.
    (b) FTC Guidance.--Not later than 180 days after the date of the 
enactment of this Act, the Commission shall issue guidance to assist 
large social media platform providers and third-party safety software 
providers in complying with this Act.
    (c) Compliance Assessment.--The Commission, on a biannual basis, 
shall assess compliance by large social media platform providers and 
third-party safety software providers with the provisions of this Act.
    (d) Complaints.--The Commission shall establish procedures under 
which a child, or the parent or legal guardian of such child, a large 
social media platform provider, or a third-party safety software 
provider may file a complaint alleging that a large social media 
platform provider or a third-party safety software provider has 
violated this Act.

SEC. 6. ONE NATIONAL STANDARD.

    (a) In General.--No State or political subdivision of a State may 
maintain, enforce, prescribe, or continue in effect any law, rule, 
regulation, requirement, standard, or other provision having the force 
and effect of law of the State, or political subdivision of a State, 
related to requiring large social media platform providers to create, 
maintain, and make available to third-party safety software providers a 
set of real-time application programming interfaces, through which a 
child or a parent or legal guardian of a child may delegate permission 
to a third-party safety software provider to manage the online 
interactions, content, and account settings of such child on a large 
social media platform on the same terms as such child.
    (b) Rule of Construction.--This section may not be construed to--
            (1) limit the enforcement of any consumer protection law of 
        a State or political subdivision of a State;
            (2) preempt the applicability of State trespass, contract, 
        or tort law; or
            (3) preempt the applicability of any State law to the 
        extent that the law relates to acts of fraud, unauthorized 
        access to personal information, or notification of unauthorized 
        access to personal information.

SEC. 7. EFFECTIVE DATE.

    This Act shall take effect on the date on which the Commission 
issues guidance under section 5(b).
                                 <all>