Bill Text: TX HB4948 | 2023-2024 | 88th Legislature | Introduced
Bill Title: Relating to the regulation of Internet products, services, and features accessed by children; providing a civil penalty.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2023-03-23 - Referred to Youth Health & Safety, Select [HB4948 Detail]
Download: Texas-2023-HB4948-Introduced.html
| 88R7481 MLH-D | ||
| By: Martinez Fischer | H.B. No. 4948 | |
|
|
||
|
|
||
| relating to the regulation of Internet products, services, and | ||
| features accessed by children; providing a civil penalty. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Subtitle C, Title 5, Business & Commerce Code, is | ||
| amended by adding Chapter 121 to read as follows: | ||
| CHAPTER 121. INTERNET PRODUCTS, SERVICES, AND FEATURES ACCESSED | ||
| BY CHILDREN | ||
| SUBCHAPTER A. GENERAL PROVISIONS | ||
| Sec. 121.001. DEFINITIONS. In this chapter: | ||
| (1) "Child" means an individual younger than 18 years | ||
| of age. | ||
| (2) "Consumer" has the meaning assigned by Section | ||
| 20.01. | ||
| (3) "Personal identifying information" has the | ||
| meaning assigned by Section 521.002. | ||
| SUBCHAPTER B. DUTIES AND PROHIBITIONS | ||
| Sec. 121.051. DATA PROTECTION IMPACT ASSESSMENT REQUIRED. | ||
| (a) Except as provided by Subsection (d), a person shall conduct a | ||
| data protection impact assessment to assess and mitigate risks | ||
| posed to a child who accesses a product, service, or feature | ||
| provided by the person if the person: | ||
| (1) provides a product, service, or feature to a | ||
| consumer in this state through an Internet website that is likely to | ||
| be accessed by a child; | ||
| (2) collects a consumer's personal identifying | ||
| information; and | ||
| (3) in the preceding year: | ||
| (A) generated more than $25 million in annual | ||
| gross revenue; | ||
| (B) collected or used the personal identifying | ||
| information of more than 50,000 consumers; or | ||
| (C) generated more than half of the person's | ||
| annual gross revenue from the collection and sale of a consumer's | ||
| personal identifying information. | ||
| (b) An assessment under this section must: | ||
| (1) identify: | ||
| (A) the purpose of the product, service, or | ||
| feature; | ||
| (B) the manner in which the product, service, or | ||
| feature uses personal identifying information; and | ||
| (C) any risks to children posed by the manner in | ||
| which the product, service, or feature uses personal identifying | ||
| information; and | ||
| (2) assess: | ||
| (A) whether the product, service, or feature | ||
| poses a risk of exposing a child to harmful content; | ||
| (B) whether the algorithms or advertising | ||
| systems used by the product, service, or feature pose a risk of | ||
| exposing a child to harmful content; and | ||
| (C) the manner in which the product, service, or | ||
| feature: | ||
| (i) uses design features to increase or | ||
| extend use of the product by a child; and | ||
| (ii) collects and processes the child's | ||
| personal identifying information. | ||
| (c) For the purposes of this section: | ||
| (1) a product, service, or feature is considered | ||
| likely to be accessed by a child if the product, service, or | ||
| feature: | ||
| (A) is intended, wholly or partly, to be used by a | ||
| child; | ||
| (B) is routinely accessed by children; | ||
| (C) is substantially similar to another product, | ||
| service, or feature that is routinely accessed by children; | ||
| (D) is marketed to children; or | ||
| (E) has design elements that are known to | ||
| interest children, including games, cartoons, music, and content | ||
| pertaining to celebrities of interest to children; and | ||
| (2) content is considered harmful if the content is | ||
| reasonably likely to have a detrimental impact on a child's | ||
| physical, mental, or emotional health. | ||
| (d) This section does not apply to a person who: | ||
| (1) is required to maintain and disseminate a privacy | ||
| policy under the Health Insurance Portability and Accountability | ||
| Act of 1996 (42 U.S.C. Section 1320d et seq.); or | ||
| (2) provides a product, service, or feature to a | ||
| consumer through an Internet website if the product, service, or | ||
| feature is: | ||
| (A) a broadband service; | ||
| (B) a telecommunications service; or | ||
| (C) a service that involves the delivery or use | ||
| of a physical product. | ||
| Sec. 121.052. IMPACT MANAGEMENT PLAN REQUIRED. A person | ||
| required to conduct a data protection impact assessment under | ||
| Section 121.051 shall develop an impact management plan to mitigate | ||
| or eliminate any risks identified in the assessment. The plan must | ||
| include defined goals and a timeline to achieve those goals. | ||
| Sec. 121.053. PROVISION OF ASSESSMENT TO ATTORNEY GENERAL. | ||
| (a) On the request of the attorney general, a person required to | ||
| conduct a data protection impact assessment under Section 121.051 | ||
| shall, not later than the third business day after the person | ||
| receives the request, provide a list of data protection impact | ||
| assessments conducted by the person under Section 121.051. The | ||
| list must include the product, service, or feature assessed and the | ||
| date of the assessment. | ||
| (b) On the request of the attorney general, a person | ||
| required to conduct a data protection impact assessment under | ||
| Section 121.051 shall, not later than the fifth business day after | ||
| the person receives the request, provide a copy of a data protection | ||
| impact assessment conducted by the person. | ||
| (c) Production of a data protection impact assessment under | ||
| this section does not constitute a waiver of attorney-client | ||
| privilege or attorney work product protection. | ||
| Sec. 121.054. PROTECTION OF PERSONAL IDENTIFYING | ||
| INFORMATION. (a) A person required to conduct a data protection | ||
| impact assessment under Section 121.051 shall: | ||
| (1) estimate the age of an individual using a product, | ||
| service, or feature, and, in the case of a child: | ||
| (A) configure default settings of a product, | ||
| service, or feature to a high level of privacy, unless the person | ||
| can demonstrate a compelling reason that alternate settings are in | ||
| the best interest of a child; and | ||
| (B) provide privacy information, terms of | ||
| service, policies, and community standards for a product, service, | ||
| or feature in a clear and concise manner able to be understood by a | ||
| child; or | ||
| (2) apply the requirements of Subdivisions (1)(A) and | ||
| (B) to all users of the product, service, or feature. | ||
| (b) If a product, service, or feature allows for another | ||
| person to monitor or track a child, a person required to conduct a | ||
| data protection impact assessment under Section 121.051 shall | ||
| ensure the product, service, or feature provides an obvious signal | ||
| to a child when the product, service, or feature is monitoring or | ||
| tracking the child. | ||
| (c) A person required to conduct a data protection impact | ||
| assessment under Section 121.051 shall enforce any terms, policies, | ||
| and community standards established by the person, including any | ||
| policies concerning use of a product by a child. | ||
| (d) A person required to conduct a data protection impact | ||
| assessment under Section 121.051 shall provide tools to help a | ||
| child or the child's parent or guardian exercise privacy rights and | ||
| report concerns relating to privacy. A tool under this subsection | ||
| must be prominently displayed, easily accessible, and responsive to | ||
| requests by a child or the child's parent or guardian. | ||
| Sec. 121.055. IMPROPER USE OF PERSONAL IDENTIFYING | ||
| INFORMATION. (a) A person required to conduct a data protection | ||
| impact assessment under Section 121.051 may not use a child's | ||
| personal identifying information for any purpose that is not: | ||
| (1) necessary to provide a product, service, or | ||
| feature; or | ||
| (2) the reason for which the person collected the | ||
| personal identifying information. | ||
| (b) A person required to conduct a data protection impact | ||
| assessment under Section 121.051 may not use a child's personal | ||
| identifying information in a manner that could: | ||
| (1) expose the child to harmful content, as described | ||
| by Section 121.051(c); or | ||
| (2) be detrimental to the physical or mental health | ||
| and well-being of the child. | ||
| (c) This section does not affect the ability of a person to | ||
| which this chapter applies to disclose personal identifying | ||
| information in a manner necessary to comply with a request by a | ||
| governmental entity or law enforcement. | ||
| Sec. 121.056. IMPROPER PROFILING OF CHILD. (a) In this | ||
| section, "profile" means the automated process of using personal | ||
| identifying information to analyze specific aspects of an | ||
| individual's demographic characteristics. | ||
| (b) A person required to conduct a data protection impact | ||
| assessment under Section 121.051 may not profile a child unless: | ||
| (1) the profiling is either: | ||
| (A) necessary to provide a product, service, or | ||
| feature; or | ||
| (B) in the best interests of the child; and | ||
| (2) the person has implemented safeguards to prevent | ||
| the child from accessing harmful content, as described by Section | ||
| 121.051(c). | ||
| Sec. 121.057. IMPROPER USE OF GEOLOCATION DATA. (a) A | ||
| person required to conduct a data protection impact assessment | ||
| under Section 121.051 may not collect the precise geolocation data | ||
| of a child unless the business's product, service, or feature | ||
| provides an obvious sign to the child for the duration of the | ||
| collection process that the child's precise geolocation data is | ||
| being collected. | ||
| (b) A person required to conduct a data protection impact | ||
| assessment under Section 121.051 may not collect, use, or sell the | ||
| precise geolocation data of a child unless the collection, use, or | ||
| sale is necessary for the person to provide a product, service, or | ||
| feature to the child. | ||
| Sec. 121.058. USE OF DECEPTIVE DESIGN ELEMENTS PROHIBITED. | ||
| A person required to conduct a data protection impact assessment | ||
| under Section 121.051 may not use deceptive design elements | ||
| intended to induce a child to provide more personal identifying | ||
| information than is necessary under this chapter. | ||
| SUBCHAPTER C. DATA PROTECTION WORK GROUP | ||
| Sec. 121.101. DATA PROTECTION WORK GROUP. (a) In this | ||
| section, "work group" means the work group established under this | ||
| section. | ||
| (b) The consumer protection division of the attorney | ||
| general's office shall establish a work group to promote business | ||
| practices that protect the personal identifying information of | ||
| consumers. The work group consists of: | ||
| (1) two members appointed by the governor; | ||
| (2) two members appointed by the lieutenant governor; | ||
| (3) two members appointed by the speaker of the house | ||
| of representatives; and | ||
| (4) two members appointed by the attorney general. | ||
| (c) To be eligible to serve as a member of the work group, a | ||
| person must have expertise in two or more of the following areas: | ||
| (1) children's data privacy; | ||
| (2) physical health; | ||
| (3) mental health and well-being; | ||
| (4) computer science; or | ||
| (5) children's rights. | ||
| (d) A member of the work group receives no compensation for | ||
| serving on the work group but may be reimbursed for travel or other | ||
| expenses incurred while conducting the business of the work group. | ||
| (e) The work group shall solicit input from stakeholders and | ||
| prepare recommendations for the legislature on ways to protect the | ||
| personal identifying information of children in this state. | ||
| (f) Not later than January 1 of each odd-numbered year, the | ||
| work group shall submit to the legislature a report of the work | ||
| group's findings and recommendations. The report must: | ||
| (1) identify products likely to be used by children; | ||
| (2) evaluate and prioritize the best interests of | ||
| children; | ||
| (3) evaluate the manner in which the best interests of | ||
| children may be furthered by the products in Subdivision (1); | ||
| (4) evaluate whether the risks posed by the products | ||
| in Subdivision (1) are proportional to the safeguards put in place | ||
| by businesses; | ||
| (5) suggest ways to assess and mitigate risks to | ||
| children that arise from the products identified under Subdivision | ||
| (1); and | ||
| (6) identify best methods of publishing privacy | ||
| information, terms of service, policies, and community standards | ||
| for a product in a clear and concise manner able to be understood by | ||
| a child. | ||
| (g) This section expires on January 1, 2033. | ||
| SUBCHAPTER D. ENFORCEMENT | ||
| Sec. 121.151. CIVIL PENALTY. (a) A person who violates | ||
| this chapter is liable to the state for a civil penalty in an amount | ||
| not to exceed: | ||
| (1) $2,500 for each child exposed to harmful content | ||
| as described by Section 121.051(c) as a result of a negligent | ||
| violation; and | ||
| (2) $7,500 for each child exposed to harmful content | ||
| as described by Section 121.051(c) as a result of an intentional | ||
| violation. | ||
| (b) The attorney general may bring suit to recover a civil | ||
| penalty imposed under this section. The attorney general may | ||
| recover attorney's fees and costs incurred in bringing an action | ||
| under this section. | ||
| (c) The action may be brought in a district court in: | ||
| (1) Travis County; or | ||
| (2) a county in which any part of the violation or | ||
| threatened violation occurs. | ||
| (d) The attorney general shall deposit a civil penalty | ||
| collected under this section in the state treasury to the credit of | ||
| the general revenue fund. | ||
| Sec. 121.152. REQUIRED NOTICE. (a) If a person who | ||
| violates this chapter is in substantial compliance with the | ||
| requirements under Sections 121.051, 121.052, and 121.053, the | ||
| attorney general shall, before bringing suit under Section 121.151, | ||
| issue a notice to the person identifying the provisions of this | ||
| chapter that the attorney general alleges to have been violated by | ||
| the person. | ||
| (b) It shall be a complete defense to suit under Section | ||
| 121.151 if, not later than the 90th day after receiving a notice | ||
| under Subsection (a), a person cures any violation of this chapter | ||
| and provides notice to the attorney general of the measures taken to | ||
| cure the violation and prevent further violations. | ||
| Sec. 121.153. NO PRIVATE CAUSE OF ACTION. Nothing in this | ||
| chapter may be construed to create a private cause of action for a | ||
| violation of this chapter. | ||
| Sec. 121.154. RULES. The attorney general shall adopt | ||
| rules to implement this chapter. | ||
| SECTION 2. This Act takes effect September 1, 2023. | ||
