Bill Text: TX HB4948 | 2023-2024 | 88th Legislature | Introduced


Bill Title: Relating to the regulation of Internet products, services, and features accessed by children; providing a civil penalty.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2023-03-23 - Referred to Youth Health & Safety, Select [HB4948 Detail]

Download: Texas-2023-HB4948-Introduced.html
  88R7481 MLH-D
 
  By: Martinez Fischer H.B. No. 4948
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the regulation of Internet products, services, and
  features accessed by children; providing a civil penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subtitle C, Title 5, Business & Commerce Code, is
  amended by adding Chapter 121 to read as follows:
  CHAPTER 121.  INTERNET PRODUCTS, SERVICES, AND FEATURES ACCESSED
  BY CHILDREN
  SUBCHAPTER A.  GENERAL PROVISIONS
         Sec. 121.001.  DEFINITIONS. In this chapter:
               (1)  "Child" means an individual younger than 18 years
  of age.
               (2)  "Consumer" has the meaning assigned by Section
  20.01.
               (3)  "Personal identifying information" has the
  meaning assigned by Section 521.002.
  SUBCHAPTER B. DUTIES AND PROHIBITIONS
         Sec. 121.051.  DATA PROTECTION IMPACT ASSESSMENT REQUIRED.
  (a)  Except as provided by Subsection (d), a person shall conduct a
  data protection impact assessment to assess and mitigate risks
  posed to a child who accesses a product, service, or feature
  provided by the person if the person:
               (1)  provides a product, service, or feature to a
  consumer in this state through an Internet website that is likely to
  be accessed by a child;
               (2)  collects a consumer's personal identifying
  information; and
               (3)  in the preceding year:
                     (A)  generated more than $25 million in annual
  gross revenue;
                     (B)  collected or used the personal identifying
  information of more than 50,000 consumers; or
                     (C)  generated more than half of the person's
  annual gross revenue from the collection and sale of a consumer's
  personal identifying information.
         (b)  An assessment under this section must:
               (1)  identify:
                     (A)  the purpose of the product, service, or
  feature;
                     (B)  the manner in which the product, service, or
  feature uses personal identifying information; and
                     (C)  any risks to children posed by the manner in
  which the product, service, or feature uses personal identifying
  information; and
               (2)  assess:
                     (A)  whether the product, service, or feature
  poses a risk of exposing a child to harmful content;
                     (B)  whether the algorithms or advertising
  systems used by the product, service, or feature pose a risk of
  exposing a child to harmful content; and
                     (C)  the manner in which the product, service, or
  feature:
                           (i)  uses design features to increase or
  extend use of the product by a child; and
                           (ii)  collects and processes the child's
  personal identifying information.
         (c)  For the purposes of this section:
               (1)  a product, service, or feature is considered
  likely to be accessed by a child if the product, service, or
  feature:
                     (A)  is intended, wholly or partly, to be used by a
  child;
                     (B)  is routinely accessed by children;
                     (C)  is substantially similar to another product,
  service, or feature that is routinely accessed by children;
                     (D)  is marketed to children; or
                     (E)  has design elements that are known to
  interest children, including games, cartoons, music, and content
  pertaining to celebrities of interest to children; and
               (2)  content is considered harmful if the content is
  reasonably likely to have a detrimental impact on a child's
  physical, mental, or emotional health.
         (d)  This section does not apply to a person who:
               (1)  is required to maintain and disseminate a privacy
  policy under the Health Insurance Portability and Accountability
  Act of 1996 (42 U.S.C. Section 1320d et seq.); or
               (2)  provides a product, service, or feature to a
  consumer through an Internet website if the product, service, or
  feature is:
                     (A)  a broadband service;
                     (B)  a telecommunications service; or
                     (C)  a service that involves the delivery or use
  of a physical product.
         Sec. 121.052.  IMPACT MANAGEMENT PLAN REQUIRED. A person
  required to conduct a data protection impact assessment under
  Section 121.051 shall develop an impact management plan to mitigate
  or eliminate any risks identified in the assessment.  The plan must
  include defined goals and a timeline to achieve those goals.
         Sec. 121.053.  PROVISION OF ASSESSMENT TO ATTORNEY GENERAL.
  (a)  On the request of the attorney general, a person required to
  conduct a data protection impact assessment under Section 121.051
  shall, not later than the third business day after the person
  receives the request, provide a list of data protection impact
  assessments conducted by the person under Section 121.051.  The
  list must include the product, service, or feature assessed and the
  date of the assessment.
         (b)  On the request of the attorney general, a person
  required to conduct a data protection impact assessment under
  Section 121.051 shall, not later than the fifth business day after
  the person receives the request, provide a copy of a data protection
  impact assessment conducted by the person.
         (c)  Production of a data protection impact assessment under
  this section does not constitute a waiver of attorney-client
  privilege or attorney work product protection.
         Sec. 121.054.  PROTECTION OF PERSONAL IDENTIFYING
  INFORMATION. (a)  A person required to conduct a data protection
  impact assessment under Section 121.051 shall:
               (1)  estimate the age of an individual using a product,
  service, or feature, and, in the case of a child:
                     (A)  configure default settings of a product,
  service, or feature to a high level of privacy, unless the person
  can demonstrate a compelling reason that alternate settings are in
  the best interest of a child; and
                     (B)  provide privacy information, terms of
  service, policies, and community standards for a product, service,
  or feature in a clear and concise manner able to be understood by a
  child; or
               (2)  apply the requirements of Subdivisions (1)(A) and
  (B) to all users of the product, service, or feature.
         (b)  If a product, service, or feature allows for another
  person to monitor or track a child, a person required to conduct a
  data protection impact assessment under Section 121.051 shall
  ensure the product, service, or feature provides an obvious signal
  to a child when the product, service, or feature is monitoring or
  tracking the child.
         (c)  A person required to conduct a data protection impact
  assessment under Section 121.051 shall enforce any terms, policies,
  and community standards established by the person, including any
  policies concerning use of a product by a child.
         (d)  A person required to conduct a data protection impact
  assessment under Section 121.051 shall provide tools to help a
  child or the child's parent or guardian exercise privacy rights and
  report concerns relating to privacy.  A tool under this subsection
  must be prominently displayed, easily accessible, and responsive to
  requests by a child or the child's parent or guardian.
         Sec. 121.055.  IMPROPER USE OF PERSONAL IDENTIFYING
  INFORMATION. (a)  A person required to conduct a data protection
  impact assessment under Section 121.051 may not use a child's
  personal identifying information for any purpose that is not:
               (1)  necessary to provide a product, service, or
  feature; or
               (2)  the reason for which the person collected the
  personal identifying information.
         (b)  A person required to conduct a data protection impact
  assessment under Section 121.051 may not use a child's personal
  identifying information in a manner that could:
               (1)  expose the child to harmful content, as described
  by Section 121.051(c); or
               (2)  be detrimental to the physical or mental health
  and well-being of the child.
         (c)  This section does not affect the ability of a person to
  which this chapter applies to disclose personal identifying
  information in a manner necessary to comply with a request by a
  governmental entity or law enforcement.
         Sec. 121.056.  IMPROPER PROFILING OF CHILD. (a)  In this
  section, "profile" means the automated process of using personal
  identifying information to analyze specific aspects of an
  individual's demographic characteristics.
         (b)  A person required to conduct a data protection impact
  assessment under Section 121.051 may not profile a child unless:
               (1)  the profiling is either:
                     (A)  necessary to provide a product, service, or
  feature; or
                     (B)  in the best interests of the child; and
               (2)  the person has implemented safeguards to prevent
  the child from accessing harmful content, as described by Section
  121.051(c).
         Sec. 121.057.  IMPROPER USE OF GEOLOCATION DATA. (a)  A
  person required to conduct a data protection impact assessment
  under Section 121.051 may not collect the precise geolocation data
  of a child unless the business's product, service, or feature
  provides an obvious sign to the child for the duration of the
  collection process that the child's precise geolocation data is
  being collected.
         (b)  A person required to conduct a data protection impact
  assessment under Section 121.051 may not collect, use, or sell the
  precise geolocation data of a child unless the collection, use, or
  sale is necessary for the person to provide a product, service, or
  feature to the child.
         Sec. 121.058.  USE OF DECEPTIVE DESIGN ELEMENTS PROHIBITED.
  A person required to conduct a data protection impact assessment
  under Section 121.051 may not use deceptive design elements
  intended to induce a child to provide more personal identifying
  information than is necessary under this chapter.
  SUBCHAPTER C. DATA PROTECTION WORK GROUP
         Sec. 121.101.  DATA PROTECTION WORK GROUP. (a)  In this
  section, "work group" means the work group established under this
  section.
         (b)  The consumer protection division of the attorney
  general's office shall establish a work group to promote business
  practices that protect the personal identifying information of
  consumers. The work group consists of:
               (1)  two members appointed by the governor;
               (2)  two members appointed by the lieutenant governor;
               (3)  two members appointed by the speaker of the house
  of representatives; and
               (4)  two members appointed by the attorney general.
         (c)  To be eligible to serve as a member of the work group, a
  person must have expertise in two or more of the following areas:
               (1)  children's data privacy;
               (2)  physical health;
               (3)  mental health and well-being;
               (4)  computer science; or
               (5)  children's rights.
         (d)  A member of the work group receives no compensation for
  serving on the work group but may be reimbursed for travel or other
  expenses incurred while conducting the business of the work group.
         (e)  The work group shall solicit input from stakeholders and
  prepare recommendations for the legislature on ways to protect the
  personal identifying information of children in this state.
         (f)  Not later than January 1 of each odd-numbered year, the
  work group shall submit to the legislature a report of the work
  group's findings and recommendations.  The report must:
               (1)  identify products likely to be used by children;
               (2)  evaluate and prioritize the best interests of
  children;
               (3)  evaluate the manner in which the best interests of
  children may be furthered by the products in Subdivision (1);
               (4)  evaluate whether the risks posed by the products
  in Subdivision (1) are proportional to the safeguards put in place
  by businesses;
               (5)  suggest ways to assess and mitigate risks to
  children that arise from the products identified under Subdivision
  (1); and
               (6)  identify best methods of publishing privacy
  information, terms of service, policies, and community standards
  for a product in a clear and concise manner able to be understood by
  a child.
         (g)  This section expires on January 1, 2033.
  SUBCHAPTER D. ENFORCEMENT
         Sec. 121.151.  CIVIL PENALTY. (a)  A person who violates
  this chapter is liable to the state for a civil penalty in an amount
  not to exceed:
               (1)  $2,500 for each child exposed to harmful content
  as described by Section 121.051(c) as a result of a negligent
  violation; and
               (2)  $7,500 for each child exposed to harmful content
  as described by Section 121.051(c) as a result of an intentional
  violation.
         (b)  The attorney general may bring suit to recover a civil
  penalty imposed under this section.  The attorney general may
  recover attorney's fees and costs incurred in bringing an action
  under this section.
         (c)  The action may be brought in a district court in:
               (1)  Travis County; or
               (2)  a county in which any part of the violation or
  threatened violation occurs.
         (d)  The attorney general shall deposit a civil penalty
  collected under this section in the state treasury to the credit of
  the general revenue fund.
         Sec. 121.152.  REQUIRED NOTICE. (a)  If a person who
  violates this chapter is in substantial compliance with the
  requirements under Sections 121.051, 121.052, and 121.053, the
  attorney general shall, before bringing suit under Section 121.151,
  issue a notice to the person identifying the provisions of this
  chapter that the attorney general alleges to have been violated by
  the person.
         (b)  It shall be a complete defense to suit under Section
  121.151 if, not later than the 90th day after receiving a notice
  under Subsection (a), a person cures any violation of this chapter
  and provides notice to the attorney general of the measures taken to
  cure the violation and prevent further violations.
         Sec. 121.153.  NO PRIVATE CAUSE OF ACTION. Nothing in this
  chapter may be construed to create a private cause of action for a
  violation of this chapter.
         Sec. 121.154.  RULES. The attorney general shall adopt
  rules to implement this chapter.
         SECTION 2.  This Act takes effect September 1, 2023.
feedback