By: Slawson H.B. No. 18
A BILL TO BE ENTITLED
AN ACT
relating to the protection of minors from harmful, deceptive, or
unfair trade practices in connection with the use of certain
digital services.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subtitle A, Title 11, Business & Commerce Code,
is amended by adding Chapter 509 to read as follows:
CHAPTER 509. COLLECTION OR USE OF MINORS' PERSONAL IDENTIFYING
INFORMATION BY DIGITAL SERVICE PROVIDERS
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 509.001. DEFINITIONS. In this chapter:
(1) "Digital service" means a website, an application,
a program, or software that performs collection or processing
functions with Internet connectivity.
(2) "Digital service provider" means a person who owns
or operates a digital service.
(3) "Minor" means a child who is at least 13 years of
age but younger than 18 years of age.
(4) "Personal identifying information" means any
information linked or reasonably linked to a specific minor,
including:
(A) a name, account name, alias, or online
identifier;
(B) a home or other physical address;
(C) an Internet Protocol (IP) address or e-mail
address;
(D) a social security number;
(E) a telephone number;
(F) a driver's license number or state
identification card number;
(G) a passport number;
(H) physical characteristics or description;
(I) race, ethnicity, or national origin;
(J) religion or faith;
(K) sex, gender, or sexual orientation;
(L) family status;
(M) disability status;
(N) political affiliation;
(O) commercial information, including:
(i) records relating to personal property;
(ii) products or services the minor
purchased, obtained, or considered; or
(iii) other histories, interests, or
tendencies in consumption;
(P) biometric information;
(Q) device identifiers, online identifiers,
persistent identifiers, or digital fingerprinting information;
(R) Internet, browsing, or search history,
including any information relating to a minor's use of an Internet
website;
(S) geolocation information;
(T) audio, electronic, visual, thermal,
olfactory, or similar information, including facial recognition;
(U) educational information;
(V) health information;
(W) the contents of, attachments to, and parties
to text messages, e-mails, voicemails, audio conversations, and
video conversations;
(X) financial information, including:
(i) bank account numbers;
(ii) credit card numbers;
(iii) debit card numbers;
(iv) insurance policy numbers; or
(v) information related to the balance of
any financial accounts; or
(Y) any inferences drawn from personal
identifying information that might identify a minor's traits,
characteristics, or trends.
Sec. 509.002. APPLICABILITY. (a) This chapter applies to a
digital service provider that:
(1) collects or processes the personal identifying
information of minors; and
(2) either:
(A) targets minors; or
(B) knows or should know that the digital service
appeals to minors.
(b) For purposes of Subsection (a):
(1) a digital service targets or appeals to minors if:
(A) the digital service contains subject matter
that is tailored toward minors, including:
(i) animated characters;
(ii) instruction or activities intended for
minors;
(iii) music or audio popular among minors;
(iv) images containing:
(a) models who are minors; or
(b) celebrities who are minors or who
are popular among minors;
(v) colloquial use of language that is
common among minors; or
(vi) advertisements intended for minors; or
(B) empirical evidence obtained by the digital
service provider, an advertiser, the press, third-party
complaints, or another entity that conducts privacy and security
impact assessments demonstrates that:
(i) many users of the digital service are
minors; or
(ii) the intended audience for the digital
service is minors; and
(2) a digital service does not target or appeal to
minors by referring or linking to a digital service that targets or
appeals to minors.
SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS
Sec. 509.051. DIGITAL SERVICE PROVIDER DUTY TO PREVENT
HARM. (a) A digital service provider shall prevent physical,
emotional, and developmental harm to a minor using a digital
service, including:
(1) self harm, suicide, eating disorders, and other
similar behaviors;
(2) substance abuse and patterns of use that indicate
addiction;
(3) bullying and harassment;
(4) sexual exploitation, including enticement,
grooming, trafficking, abuse, and child pornography;
(5) advertisements for products or services that are
unlawful for a minor, including illegal drugs, tobacco, gambling,
pornography, and alcohol; and
(6) predatory, unfair, or deceptive marketing
practices.
(b) A digital service provider shall ensure that a minor is
not exposed to a type of harm described by Subsection (a).
Sec. 509.052. PROHIBITION ON COLLECTION OF PERSONAL
IDENTIFYING INFORMATION; EXEMPTIONS. (a) Except as provided by this
section, a digital service provider may not collect a minor's
personal identifying information.
(b) A digital service provider may collect a minor's
personal identifying information for employment purposes.
(c) A digital service provider may collect a minor's
personal identifying information if the minor's parent or guardian
consents in a manner that:
(1) is specific, informed, and unambiguous;
(2) takes into account:
(A) the minor's age; and
(B) the minor's developmental and cognitive
needs and capabilities;
(3) is for only a single specific act of collection or
processing of personal identifying information;
(4) occurs in the absence of any financial or other
incentive;
(5) occurs before the collection or processing of the
minor's personal identifying information;
(6) occurs in a time, place, and manner that the
minor's parent or guardian would expect the consent to be sought;
and
(7) is not deceptive or coercive.
(d) A digital service provider may collect a minor's
personal identifying information without the consent of the minor's
parent or guardian if:
(1) the personal identifying information is a form of
online contact information that:
(A) is used to respond to a single specific
request made by the minor;
(B) is not used to contact the minor in any other
way; and
(C) is not retained by the digital service
provider once a response has been made;
(2) the personal identifying information is for the
purpose of receiving consent under Subsection (c) and is not
retained by the digital service provider after:
(A) the minor's parent or guardian gives consent
under Subsection (c); or
(B) eight hours after the personal identifying
information is collected; or
(3) the personal identifying information is necessary
to respond to judicial process or comply with a law enforcement
agency on a matter related to public safety.
(e) A digital service provider that collects a minor's
personal identifying information with the consent of the minor's
parent or guardian shall set the minor's digital service to the
strongest settings available to protect the minor from harm, as
described by Section 509.051(a).
Sec. 509.053. PARENTAL TOOLS. (a) A digital service
provider shall make available to each parent or guardian who gives
consent under Section 509.052 parental tools to allow the parent or
guardian to supervise the minor's use of the digital service.
(b) Parental tools under this section must allow a parent or
guardian to:
(1) control the minor's privacy and account settings,
including the settings described by Section 509.052(e);
(2) restrict the ability of a minor to make purchases
and financial transactions;
(3) monitor the amount of time the minor spends using
the digital service; and
(4) disable any default parental controls placed on
the digital service.
Sec. 509.054. ACCESS TO PERSONAL IDENTIFYING INFORMATION.
(a) A minor or minor's parent or guardian may submit a request to a
digital service provider to access the minor's personal identifying
information.
(b) A digital service provider shall establish and make
available a simple and easily accessible method by which a minor or
a minor's parent or guardian may make a request for information
under this section.
(c) The method established under Subsection (b) must allow a
minor or minor's parent or guardian to access:
(1) all of the minor's personal identifying
information in the digital service provider's possession that the
provider has collected or processed, organized by:
(A) type of personal identifying information;
and
(B) purpose for which the digital service
provider processed each type of personal identifying information;
(2) the name of each third party to which the digital
service provider disclosed the personal identifying information,
if applicable;
(3) each source other than the minor from which the
digital service provider obtained the minor's personal identifying
information;
(4) the length of time for which the digital service
provider will retain the minor's personal identifying information;
(5) any index or score assigned to the minor as a
result of the personal identifying information, including whether
the digital service provider created the index or score and, if not,
who created the index or score;
(6) the manner in which the digital service provider
uses an index or score under Subdivision (5);
(7) a method by which a minor or minor's parent or
guardian may:
(A) dispute the accuracy of any personal
identifying information collected or processed by the digital
service provider; and
(B) request that the digital service provider
correct any personal identifying information collected or
processed by the digital service provider; and
(8) a method by which a minor or minor's parent or
guardian may request that the digital service provider delete any
personal identifying information collected or processed by the
digital service provider.
(d) If a digital service provider receives a request under
Subsection (c)(7), the digital service provider shall, not later
than the 45th day after the request is made:
(1) determine whether the relevant personal
identifying information is inaccurate or incomplete; and
(2) make any corrections necessary.
(e) If a digital service provider receives a request under
Subsection (c)(8), the digital service provider shall delete the
personal identifying information specified by the request not later
than the 45th day after the request is made.
Sec. 509.055. ADVERTISING AND MARKETING DUTIES. A digital
service provider that allows advertisers to advertise to minors on
the digital service shall disclose in a clear and accessible
manner:
(1) the name of each product, service, or brand
advertising on the digital service;
(2) the subject matter of each advertisement or
marketing material on the digital service;
(3) if the digital service provider or advertiser
targets advertisements to minors on the digital service, the reason
why each advertisement has been targeted to a minor;
(4) the way in which a minor's personal identifying
information leads to each advertisement targeted to the minor; and
(5) whether certain media on the digital service are
advertisements.
Sec. 509.056. USE OF ALGORITHMS. A digital service provider
that uses algorithms to automate the suggestion, promotion, or
ranking of information to minors on the digital service shall:
(1) ensure that the algorithm does not interfere with
the digital service provider's duties under Section 509.051; and
(2) disclose in the digital service provider's terms
of service, in a clear and accessible manner:
(A) an overview of the manner in which the
digital service uses algorithms to provide information to minors;
(B) an overview of the manner in which those
algorithms use the personal identifying information of minors;
(C) options available to a minor and a minor's
parent or guardian to modify the results of information provided by
the algorithm, including the ability to opt out of or down-rank
certain information; and
(D) the ability minors have to opt out of using
the algorithm.
Sec. 509.057. PROHIBITION ON LIMITING OR DISCONTINUING
DIGITAL SERVICE. A digital service provider may not limit or
discontinue a digital service provided to a minor because the minor
or minor's parent or guardian withholds or withdraws consent to the
collection or processing of any personal identifying information
not required to provide the digital service.
SUBCHAPTER C. ENFORCEMENT
Sec. 509.101. CIVIL ACTION; LIABILITY. (a) A minor's parent
or guardian may bring an action against a digital service provider
for a violation of this chapter.
(b) Notwithstanding Sections 41.003 and 41.004, Civil
Practice and Remedies Code, a parent or guardian who prevails in an
action under this section is entitled to receive:
(1) injunctive relief;
(2) actual damages;
(3) punitive damages;
(4) reasonable attorney's fees;
(5) court costs; and
(6) any other relief the court deems appropriate.
(c) A violation of this chapter constitutes an injury in
fact to the minor.
Sec. 509.102. DECEPTIVE TRADE PRACTICE. A violation of this
chapter is a false, misleading, or deceptive act or practice as
defined by Section 17.46(b). In addition to any remedy under this
chapter, a remedy under Subchapter E, Chapter 17, is also available
for a violation of this chapter.
SECTION 2. This Act takes effect September 1, 2024.