H.B. No. 18
AN ACT
relating to the protection of minors from harmful, deceptive, or
unfair trade practices in connection with the use of certain
digital services and electronic devices, including the use and
transfer of electronic devices to students by a public school.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
ARTICLE 1. SHORT TITLE
SECTION 1.01. This Act may be cited as the Securing Children
Online through Parental Empowerment (SCOPE) Act.
ARTICLE 2. USE OF DIGITAL SERVICES BY MINORS
SECTION 2.01. Subtitle A, Title 11, Business & Commerce
Code, is amended by adding Chapter 509 to read as follows:
CHAPTER 509. USE OF DIGITAL SERVICES BY MINORS
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 509.001. DEFINITIONS. In this chapter:
(1) "Digital service" means a website, an application,
a program, or software that collects or processes personal
identifying information with Internet connectivity.
(2) "Digital service provider" means a person who:
(A) owns or operates a digital service;
(B) determines the purpose of collecting and
processing the personal identifying information of users of the
digital service; and
(C) determines the means used to collect and
process the personal identifying information of users of the
digital service.
(3) "Harmful material" has the meaning assigned by
Section 43.24, Penal Code.
(4) "Known minor" means a person that a digital
service provider knows to be a minor.
(5) "Minor" means a child who is younger than 18 years
of age who has not had the disabilities of minority removed for
general purposes.
(6) "Personal identifying information" means any
information, including sensitive information, that is linked or
reasonably linkable to an identified or identifiable individual.
The term includes pseudonymous information when the information is
used by a controller or processor in conjunction with additional
information that reasonably links the information to an identified
or identifiable individual. The term does not include deidentified
information or publicly available information.
(7) "Verified parent" means the parent or guardian of
a known minor whose identity and relationship to the minor have been
verified by a digital service provider under Section 509.101.
Sec. 509.002. APPLICABILITY. (a) Except to the extent that
Section 509.057 applies to any digital service provider, this
chapter applies only to a digital service provider who provides a
digital service that:
(1) connects users in a manner that allows users to
socially interact with other users on the digital service;
(2) allows a user to create a public or semi-public
profile for purposes of signing into and using the digital service;
and
(3) allows a user to create or post content that can be
viewed by other users of the digital service, including sharing
content on:
(A) a message board;
(B) a chat room; or
(C) a landing page, video channel, or main feed
that presents to a user content created and posted by other users.
(b) This chapter does not apply to:
(1) a state agency or a political subdivision of this
state;
(2) a financial institution or data subject to Title
V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
(3) a covered entity or business associate governed by
the privacy, security, and breach notification rules issued by the
United States Department of Health and Human Services, 45 C.F.R.
Parts 160 and 164, established under the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d
et seq.), and the Health Information Technology for Economic and
Clinical Health Act (Division A, Title XIII, and Division B, Title
IV, Pub. L. No. 111-5);
(4) a small business as defined by the United States
Small Business Administration on September 1, 2024;
(5) an institution of higher education;
(6) a digital service provider who processes or
maintains user data in connection with the employment, promotion,
reassignment, or retention of the user as an employee or
independent contractor, to the extent that the user's data is
processed or maintained for that purpose;
(7) an operator or provider regulated by Subchapter D,
Chapter 32, Education Code, that primarily provides education
services to students or educational institutions;
(8) a person subject to the Family Educational Rights
and Privacy Act of 1974 (20 U.S.C. Section 1232g) that:
(A) operates a digital service; and
(B) primarily provides education services to
students or educational institutions;
(9) a digital service provider's provision of a
digital service that facilitates e-mail or direct messaging
services, if the digital service facilitates only those services;
or
(10) a digital service provider's provision of a
digital service that:
(A) primarily functions to provide a user with
access to news, sports, commerce, or content primarily generated or
selected by the digital service provider; and
(B) allows chat, comment, or other interactive
functionality that is incidental to the digital service.
(c) Unless an Internet service provider, Internet service
provider's affiliate or subsidiary, search engine, or cloud service
provider is responsible for the creation of harmful material or
other content described by Section 509.053(a), the Internet service
provider, Internet service provider's affiliate or subsidiary,
search engine, or cloud service provider is not considered to be a
digital service provider or to offer a digital service if the
Internet service provider or provider's affiliate or subsidiary,
search engine, or cloud service provider solely provides access or
connection, including through transmission, download, intermediate
storage, access software, or other service, to an Internet website
or to other information or content:
(1) on the Internet; or
(2) on a facility, system, or network not under the
control of the Internet service provider, provider's affiliate or
subsidiary, search engine, or cloud service provider.
SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS
Sec. 509.051. DIGITAL SERVICE PROVIDER DUTY TO REGISTER AGE
OF USER. (a) A digital service provider may not enter into an
agreement with a person to create an account with a digital service
unless the person has registered the person's age with the digital
service provider.
(b) A person who registers the person's age as younger than
18 years of age is considered to be a known minor to the digital
service provider until after the person's 18th birthday.
(c) A digital service provider may not allow a person who
registers the person's age to alter the person's registered age,
unless the alteration process involves a commercially reasonable
review process.
(d) A minor is considered to be a known minor to a digital
service provider if:
(1) the minor registers the minor's age under Section
509.051 as younger than 18 years of age; or
(2) the minor's parent or guardian, including a
verified parent:
(A) notifies a digital service provider that the
minor is younger than 18 years of age;
(B) successfully disputes the registered age of
the minor; or
(C) performs another function of a parent or
guardian under this chapter.
(e) If a minor is a known minor, or if the minor's parent or
guardian, including a verified parent, takes an action under
Subsection (a), a digital service provider:
(1) is considered to have actual knowledge that the
minor is younger than 18 years of age; and
(2) shall treat the minor as a known minor under this
chapter.
Sec. 509.052. DIGITAL SERVICE PROVIDER DUTIES RELATING TO
AGREEMENT WITH MINOR. Unless a verified parent provides otherwise
under Section 509.102, a digital service provider that enters into
an agreement with a known minor for access to a digital service:
(1) shall:
(A) limit collection of the known minor's
personal identifying information to information reasonably
necessary to provide the digital service; and
(B) limit use of the known minor's personal
identifying information to the purpose for which the information
was collected; and
(2) may not:
(A) allow the known minor to make purchases or
engage in other financial transactions through the digital service;
(B) share, disclose, or sell the known minor's
personal identifying information;
(C) use the digital service to collect the known
minor's precise geolocation data; or
(D) use the digital service to display targeted
advertising to the known minor.
Sec. 509.053. DIGITAL SERVICE PROVIDER DUTY TO PREVENT HARM
TO KNOWN MINORS. (a) In relation to a known minor's use of a digital
service, a digital service provider shall develop and implement a
strategy to prevent the known minor's exposure to harmful material
and other content that promotes, glorifies, or facilitates:
(1) suicide, self-harm, or eating disorders;
(2) substance abuse;
(3) stalking, bullying, or harassment; or
(4) grooming, trafficking, child pornography, or
other sexual exploitation or abuse.
(b) A strategy developed under Subsection (a):
(1) must include:
(A) creating and maintaining a comprehensive
list of harmful material or other content described by Subsection
(a) to block from display to a known minor;
(B) using filtering technology and other
protocols to enforce the blocking of material or content on the list
under Paragraph (A);
(C) using hash-sharing technology and other
protocols to identify recurring harmful material or other content
described by Subsection (a);
(D) creating and maintaining a database of
keywords used for filter evasion, such as identifiable
misspellings, hash-tags, or identifiable homoglyphs;
(E) performing standard human-performed
monitoring reviews to ensure efficacy of filtering technology;
(F) making available to users a comprehensive
description of the categories of harmful material or other content
described by Subsection (a) that will be filtered; and
(G) except as provided by Section 509.058, making
available the digital service provider's algorithm code to
independent security researchers; and
(2) may include:
(A) engaging a third party to rigorously review
the digital service provider's content filtering technology;
(B) participating in industry-specific
partnerships to share best practices in preventing access to
harmful material or other content described by Subsection (a); or
(C) conducting periodic independent audits to
ensure:
(i) continued compliance with the digital
service provider's strategy; and
(ii) efficacy of filtering technology and
protocols used by the digital service provider.
Sec. 509.054. DIGITAL SERVICE PROVIDER DUTY TO CREATE
PARENTAL TOOLS. (a) A digital service provider shall create and
provide to a verified parent parental tools to allow the verified
parent to supervise the verified parent's known minor's use of a
digital service.
(b) Parental tools under this section must allow a verified
parent to:
(1) control the known minor's privacy and account
settings;
(2) alter the duties of a digital service provider
under Section 509.052 with regard to the verified parent's known
minor;
(3) if the verified parent alters the duty of a digital
service provider under Section 509.052(2)(A), restrict the ability
of the verified parent's known minor to make purchases or engage in
financial transactions; and
(4) monitor and limit the amount of time the verified
parent's known minor spends using the digital service.
Sec. 509.055. DIGITAL SERVICE PROVIDER DUTIES REGARDING
ADVERTISING AND MARKETING. A digital service provider shall make a
commercially reasonable effort to prevent advertisers on the
digital service provider's digital service from targeting a known
minor with advertisements that facilitate, promote, or offer a
product, service, or activity that is unlawful for a minor in this
state to use or engage in.
Sec. 509.056. USE OF ALGORITHMS. A digital service
provider that uses algorithms to automate the suggestion,
promotion, or ranking of information to known minors on the digital
service shall:
(1) make a commercially reasonable effort to ensure
that the algorithm does not interfere with the digital service
provider's duties under Section 509.053; and
(2) disclose in the digital service provider's terms
of service, privacy policy, or similar document, in a clear and
accessible manner, an overview of:
(A) the manner in which the digital service uses
algorithms to provide information or content;
(B) the manner in which algorithms promote, rank,
or filter information or content; and
(C) the personal identifying information used as
inputs to provide information or content.
Sec. 509.057. DIGITAL SERVICE PROVIDER DUTY AS TO HARMFUL
MATERIAL. (a) A digital service provider as defined by Section
509.001 that knowingly publishes or distributes material, more than
one-third of which is harmful material or obscene as defined by
Section 43.21, Penal Code, must use a commercially reasonable age
verification method to verify that any person seeking to access
content on or through the provider's digital service is 18 years of
age or older.
(b) If a person seeking to access content on or through the
digital service of a provider for which age verification is
required under this section is not 18 years of age or older, the
digital service provider may not enter into an agreement with the
person for access to the digital service.
Sec. 509.058. PROTECTION OF TRADE SECRETS. Nothing in this
subchapter may be construed to require a digital service provider
to disclose a trade secret.
Sec. 509.059. USE OF KNOWN MINOR'S PERSONAL IDENTIFYING
INFORMATION FOR CERTAIN PURPOSES. Nothing in this subchapter may be
construed to prevent a digital service provider from collecting,
processing, or sharing a known minor's personal identifying
information in a manner necessary to:
(1) comply with a civil, criminal, or regulatory
inquiry, investigation, subpoena, or summons by a governmental
entity;
(2) comply with a law enforcement investigation;
(3) detect, block, or prevent the distribution of
unlawful, obscene, or other harmful material to a known minor;
(4) block or filter spam;
(5) prevent criminal activity; or
(6) protect the security of a digital service.
SUBCHAPTER C. VERIFIED PARENTS
Sec. 509.101. VERIFICATION OF PARENT OR GUARDIAN. (a) A
digital service provider shall verify, using a commercially
reasonable method and for each person seeking to perform an action
on a digital service as a minor's parent or guardian:
(1) the person's identity; and
(2) the relationship of the person to the known minor.
(b) A digital service provider shall provide a process by
which a person who has been verified under Subsection (a) as the
parent or guardian of a known minor may participate in the digital
service as the known minor's verified parent as provided by this
chapter.
Sec. 509.102. POWERS OF VERIFIED PARENT. (a) A verified
parent is entitled to alter the duties of a digital service provider
under Section 509.052 with regard to the verified parent's known
minor.
(b) A verified parent is entitled to supervise the verified
parent's known minor's use of a digital service using tools provided
by a digital service provider under Section 509.054.
Sec. 509.103. ACCESS TO KNOWN MINOR'S PERSONAL IDENTIFYING
INFORMATION. (a) A known minor's verified parent may submit a
request to a digital service provider to:
(1) review and download any personal identifying
information associated with the minor in the possession of the
digital service provider; and
(2) delete any personal identifying information
associated with the minor collected or processed by the digital
service provider.
(b) A digital service provider shall establish and make
available on the digital service provider's digital service a
method by which a known minor's parent or guardian may make a
request for access under this section.
Sec. 509.104. MINOR IN CONSERVATORSHIP OF DEPARTMENT OF
FAMILY AND PROTECTIVE SERVICES. If a minor is in the
conservatorship of the Department of Family and Protective
Services, the department may designate the minor's caregiver or a
member of the department's staff to perform the functions of the
minor's parent or guardian under this chapter.
SUBCHAPTER D. ENFORCEMENT
Sec. 509.151. DECEPTIVE TRADE PRACTICE; ENFORCEMENT BY
ATTORNEY GENERAL. A violation of this chapter is a deceptive act or
practice actionable under Subchapter E, Chapter 17, solely as an
enforcement action by the consumer protection division of the
attorney general's office.
Sec. 509.152. PRIVATE CAUSE OF ACTION. (a) Except as
provided by Subsection (b), this chapter may not be construed as
providing a basis for, or being subject to, a private right of
action for a violation of this chapter.
(b) If a digital service provider violates this chapter, the
parent or guardian of a known minor affected by that violation may
bring a cause of action seeking:
(1) a declaratory judgment under Chapter 37, Civil
Practice and Remedies Code; or
(2) an injunction against the digital service
provider.
(c) A court may not certify an action brought under this
section as a class action.
ARTICLE 3. USE AND TRANSFER OF ELECTRONIC DEVICES BY STUDENTS
SECTION 3.01. The heading to Subchapter C, Chapter 32,
Education Code, is amended to read as follows:
SUBCHAPTER C. TRANSFER OF DATA PROCESSING EQUIPMENT AND ELECTRONIC
DEVICES TO STUDENTS
SECTION 3.02. Section 32.101, Education Code, is amended to
read as follows:
Sec. 32.101. DEFINITIONS [DEFINITION]. In this subchapter:
(1) "Data [, "data] processing" has the meaning
assigned by Section 2054.003, Government Code.
(2) "Electronic device" means a device that is capable
of connecting to a cellular network or the Internet, including:
(A) a computer;
(B) a smartphone; or
(C) a tablet.
(3) "Internet filter" means a software application
that is capable of preventing an electronic device from accessing
certain websites or displaying certain online material.
SECTION 3.03. Subchapter C, Chapter 32, Education Code, is
amended by adding Section 32.1021 to read as follows:
Sec. 32.1021. STANDARDS. The agency shall adopt standards
for permissible electronic devices and software applications used
by a school district or open-enrollment charter school. In adopting
the standards, the agency must:
(1) minimize data collection conducted on students
through electronic devices and software applications;
(2) ensure direct and informed parental consent is
required for a student's use of a software application, other than a
software application necessary for the administration of:
(A) an assessment instrument under Subchapter B,
Chapter 39; or
(B) an assessment relating to college, career, or
military readiness for which student performance is considered in
evaluating a school district's performance under Section 39.054;
(3) ensure software applications do not conduct mental
health assessments or other assessments unrelated to educational
curricula that are intended to collect information about students
without direct and informed parental consent;
(4) ensure that parents are provided the resources
necessary to understand cybersecurity risks and online safety
regarding their child's use of electronic devices before the child
uses an electronic device at the child's school;
(5) specify periods of time during which an electronic
device transferred to a student must be deactivated in the interest
of student safety;
(6) consider necessary adjustments by age level to the
use of electronic devices in the classroom to foster development of
students' abilities regarding spending school time and completing
assignments without the use of an electronic device;
(7) consider appropriate restrictions on student
access to social media websites or applications with an electronic
device transferred to a student by a district or school;
(8) require a district or school, before using a
social media application for an educational purpose, to determine
that an alternative application that is more secure and provides
the same educational functionality as the social media application
is unavailable for that educational purpose;
(9) consider the required use of an Internet filter
capable of notifying appropriate school administrators, who are
then required to notify the student's parent, if a student accesses
inappropriate or concerning content or words, including content
related to:
(A) self-harm;
(B) suicide;
(C) violence to others; or
(D) illicit drugs;
(10) assign to the appropriate officer of a district
or school the duty to receive complaints or concerns regarding
student use of electronic devices, including cybersecurity and
online safety concerns, from district or school staff, other
students, or parents; and
(11) provide methods by which a district or school may
ensure an operator, as that term is defined by Section 32.151, that
contracts with the district or school to provide software
applications complies with Subchapter D.
SECTION 3.04. Section 32.104, Education Code, is amended to
read as follows:
Sec. 32.104. REQUIREMENTS FOR TRANSFER. Before
transferring data processing equipment or an electronic device to a
student, a school district or open-enrollment charter school must:
(1) adopt rules governing transfers under this
subchapter, including provisions for technical assistance to the
student by the district or school;
(2) determine that the transfer serves a public
purpose and benefits the district or school; [and]
(3) remove from the equipment any offensive,
confidential, or proprietary information, as determined by the
district or school;
(4) adopt rules establishing programs promoting
parents as partners in cybersecurity and online safety that involve
parents in students' use of transferred equipment or electronic
devices; and
(5) for the transfer of an electronic device to be used
for an educational purpose, install an Internet filter that blocks
and prohibits pornographic or obscene materials or applications,
including from unsolicited pop-ups, installations, and downloads.
ARTICLE 4. STUDY OF EFFECTS OF MEDIA ON MINORS
SECTION 4.01. (a) A joint committee of the legislature
shall conduct a study on the effects of media on minors.
(b) The joint committee shall consist of:
(1) members of the house of representatives appointed
by the speaker of the house of representatives; and
(2) members of the senate appointed by the lieutenant
governor.
(c) In conducting the study, members of the joint committee
shall confer with experts on the subject.
(d) The members of the joint committee shall examine:
(1) the health and developmental effects of media on
minors; and
(2) the effects of exposure by a minor to various forms
of media, including:
(A) social media platforms;
(B) software applications;
(C) Internet websites;
(D) television programming;
(E) motion pictures and film;
(F) artificial intelligence;
(G) mobile devices;
(H) computers;
(I) video games;
(J) virtual and augmented reality; and
(K) other media formats the joint committee
considers necessary.
ARTICLE 5. TRANSITION AND EFFECTIVE DATE
SECTION 5.01. If any provision of this Act or its
application to any person or circumstance is held invalid, the
invalidity does not affect other provisions or applications of this
Act that can be given effect without the invalid provision or
application, and to this end the provisions of this Act are declared
to be severable.
SECTION 5.02. Article 3 of this Act applies beginning with
the 2023-2024 school year.
SECTION 5.03. (a) Except as provided by Subsection (b) of
this section, this Act takes effect September 1, 2024.
(b) Article 3 of this Act takes effect immediately if it
receives a vote of two-thirds of all the members elected to each
house, as provided by Section 39, Article III, Texas Constitution.
If this Act does not receive the vote necessary for immediate
effect, Article 3 of this Act takes effect September 1, 2023.
______________________________ ______________________________
President of the Senate Speaker of the House
I certify that H.B. No. 18 was passed by the House on April
26, 2023, by the following vote: Yeas 125, Nays 20, 1 present, not
voting; and that the House concurred in Senate amendments to H.B.
No. 18 on May 28, 2023, by the following vote: Yeas 120, Nays 21, 2
present, not voting.
______________________________
Chief Clerk of the House
I certify that H.B. No. 18 was passed by the Senate, with
amendments, on May 23, 2023, by the following vote: Yeas 31, Nays
0.
______________________________
Secretary of the Senate
APPROVED: __________________
Date
__________________
Governor