TX
Texas House Bill HB4948

Texas 2023 - 88th Regular

Texas House Bill HB4948 Compare Versions

OldNewDifferences
11 88R7481 MLH-D
22 By: Martinez Fischer H.B. No. 4948
33
44
55 A BILL TO BE ENTITLED
66 AN ACT
77 relating to the regulation of Internet products, services, and
88 features accessed by children; providing a civil penalty.
99 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1010 SECTION 1. Subtitle C, Title 5, Business & Commerce Code, is
1111 amended by adding Chapter 121 to read as follows:
1212 CHAPTER 121. INTERNET PRODUCTS, SERVICES, AND FEATURES ACCESSED
1313 BY CHILDREN
1414 SUBCHAPTER A. GENERAL PROVISIONS
1515 Sec. 121.001. DEFINITIONS. In this chapter:
1616 (1) "Child" means an individual younger than 18 years
1717 of age.
1818 (2) "Consumer" has the meaning assigned by Section
1919 20.01.
2020 (3) "Personal identifying information" has the
2121 meaning assigned by Section 521.002.
2222 SUBCHAPTER B. DUTIES AND PROHIBITIONS
2323 Sec. 121.051. DATA PROTECTION IMPACT ASSESSMENT REQUIRED.
2424 (a) Except as provided by Subsection (d), a person shall conduct a
2525 data protection impact assessment to assess and mitigate risks
2626 posed to a child who accesses a product, service, or feature
2727 provided by the person if the person:
2828 (1) provides a product, service, or feature to a
2929 consumer in this state through an Internet website that is likely to
3030 be accessed by a child;
3131 (2) collects a consumer's personal identifying
3232 information; and
3333 (3) in the preceding year:
3434 (A) generated more than $25 million in annual
3535 gross revenue;
3636 (B) collected or used the personal identifying
3737 information of more than 50,000 consumers; or
3838 (C) generated more than half of the person's
3939 annual gross revenue from the collection and sale of a consumer's
4040 personal identifying information.
4141 (b) An assessment under this section must:
4242 (1) identify:
4343 (A) the purpose of the product, service, or
4444 feature;
4545 (B) the manner in which the product, service, or
4646 feature uses personal identifying information; and
4747 (C) any risks to children posed by the manner in
4848 which the product, service, or feature uses personal identifying
4949 information; and
5050 (2) assess:
5151 (A) whether the product, service, or feature
5252 poses a risk of exposing a child to harmful content;
5353 (B) whether the algorithms or advertising
5454 systems used by the product, service, or feature pose a risk of
5555 exposing a child to harmful content; and
5656 (C) the manner in which the product, service, or
5757 feature:
5858 (i) uses design features to increase or
5959 extend use of the product by a child; and
6060 (ii) collects and processes the child's
6161 personal identifying information.
6262 (c) For the purposes of this section:
6363 (1) a product, service, or feature is considered
6464 likely to be accessed by a child if the product, service, or
6565 feature:
6666 (A) is intended, wholly or partly, to be used by a
6767 child;
6868 (B) is routinely accessed by children;
6969 (C) is substantially similar to another product,
7070 service, or feature that is routinely accessed by children;
7171 (D) is marketed to children; or
7272 (E) has design elements that are known to
7373 interest children, including games, cartoons, music, and content
7474 pertaining to celebrities of interest to children; and
7575 (2) content is considered harmful if the content is
7676 reasonably likely to have a detrimental impact on a child's
7777 physical, mental, or emotional health.
7878 (d) This section does not apply to a person who:
7979 (1) is required to maintain and disseminate a privacy
8080 policy under the Health Insurance Portability and Accountability
8181 Act of 1996 (42 U.S.C. Section 1320d et seq.); or
8282 (2) provides a product, service, or feature to a
8383 consumer through an Internet website if the product, service, or
8484 feature is:
8585 (A) a broadband service;
8686 (B) a telecommunications service; or
8787 (C) a service that involves the delivery or use
8888 of a physical product.
8989 Sec. 121.052. IMPACT MANAGEMENT PLAN REQUIRED. A person
9090 required to conduct a data protection impact assessment under
9191 Section 121.051 shall develop an impact management plan to mitigate
9292 or eliminate any risks identified in the assessment. The plan must
9393 include defined goals and a timeline to achieve those goals.
9494 Sec. 121.053. PROVISION OF ASSESSMENT TO ATTORNEY GENERAL.
9595 (a) On the request of the attorney general, a person required to
9696 conduct a data protection impact assessment under Section 121.051
9797 shall, not later than the third business day after the person
9898 receives the request, provide a list of data protection impact
9999 assessments conducted by the person under Section 121.051. The
100100 list must include the product, service, or feature assessed and the
101101 date of the assessment.
102102 (b) On the request of the attorney general, a person
103103 required to conduct a data protection impact assessment under
104104 Section 121.051 shall, not later than the fifth business day after
105105 the person receives the request, provide a copy of a data protection
106106 impact assessment conducted by the person.
107107 (c) Production of a data protection impact assessment under
108108 this section does not constitute a waiver of attorney-client
109109 privilege or attorney work product protection.
110110 Sec. 121.054. PROTECTION OF PERSONAL IDENTIFYING
111111 INFORMATION. (a) A person required to conduct a data protection
112112 impact assessment under Section 121.051 shall:
113113 (1) estimate the age of an individual using a product,
114114 service, or feature, and, in the case of a child:
115115 (A) configure default settings of a product,
116116 service, or feature to a high level of privacy, unless the person
117117 can demonstrate a compelling reason that alternate settings are in
118118 the best interest of a child; and
119119 (B) provide privacy information, terms of
120120 service, policies, and community standards for a product, service,
121121 or feature in a clear and concise manner able to be understood by a
122122 child; or
123123 (2) apply the requirements of Subdivisions (1)(A) and
124124 (B) to all users of the product, service, or feature.
125125 (b) If a product, service, or feature allows for another
126126 person to monitor or track a child, a person required to conduct a
127127 data protection impact assessment under Section 121.051 shall
128128 ensure the product, service, or feature provides an obvious signal
129129 to a child when the product, service, or feature is monitoring or
130130 tracking the child.
131131 (c) A person required to conduct a data protection impact
132132 assessment under Section 121.051 shall enforce any terms, policies,
133133 and community standards established by the person, including any
134134 policies concerning use of a product by a child.
135135 (d) A person required to conduct a data protection impact
136136 assessment under Section 121.051 shall provide tools to help a
137137 child or the child's parent or guardian exercise privacy rights and
138138 report concerns relating to privacy. A tool under this subsection
139139 must be prominently displayed, easily accessible, and responsive to
140140 requests by a child or the child's parent or guardian.
141141 Sec. 121.055. IMPROPER USE OF PERSONAL IDENTIFYING
142142 INFORMATION. (a) A person required to conduct a data protection
143143 impact assessment under Section 121.051 may not use a child's
144144 personal identifying information for any purpose that is not:
145145 (1) necessary to provide a product, service, or
146146 feature; or
147147 (2) the reason for which the person collected the
148148 personal identifying information.
149149 (b) A person required to conduct a data protection impact
150150 assessment under Section 121.051 may not use a child's personal
151151 identifying information in a manner that could:
152152 (1) expose the child to harmful content, as described
153153 by Section 121.051(c); or
154154 (2) be detrimental to the physical or mental health
155155 and well-being of the child.
156156 (c) This section does not affect the ability of a person to
157157 which this chapter applies to disclose personal identifying
158158 information in a manner necessary to comply with a request by a
159159 governmental entity or law enforcement.
160160 Sec. 121.056. IMPROPER PROFILING OF CHILD. (a) In this
161161 section, "profile" means the automated process of using personal
162162 identifying information to analyze specific aspects of an
163163 individual's demographic characteristics.
164164 (b) A person required to conduct a data protection impact
165165 assessment under Section 121.051 may not profile a child unless:
166166 (1) the profiling is either:
167167 (A) necessary to provide a product, service, or
168168 feature; or
169169 (B) in the best interests of the child; and
170170 (2) the person has implemented safeguards to prevent
171171 the child from accessing harmful content, as described by Section
172172 121.051(c).
173173 Sec. 121.057. IMPROPER USE OF GEOLOCATION DATA. (a) A
174174 person required to conduct a data protection impact assessment
175175 under Section 121.051 may not collect the precise geolocation data
176176 of a child unless the business's product, service, or feature
177177 provides an obvious sign to the child for the duration of the
178178 collection process that the child's precise geolocation data is
179179 being collected.
180180 (b) A person required to conduct a data protection impact
181181 assessment under Section 121.051 may not collect, use, or sell the
182182 precise geolocation data of a child unless the collection, use, or
183183 sale is necessary for the person to provide a product, service, or
184184 feature to the child.
185185 Sec. 121.058. USE OF DECEPTIVE DESIGN ELEMENTS PROHIBITED.
186186 A person required to conduct a data protection impact assessment
187187 under Section 121.051 may not use deceptive design elements
188188 intended to induce a child to provide more personal identifying
189189 information than is necessary under this chapter.
190190 SUBCHAPTER C. DATA PROTECTION WORK GROUP
191191 Sec. 121.101. DATA PROTECTION WORK GROUP. (a) In this
192192 section, "work group" means the work group established under this
193193 section.
194194 (b) The consumer protection division of the attorney
195195 general's office shall establish a work group to promote business
196196 practices that protect the personal identifying information of
197197 consumers. The work group consists of:
198198 (1) two members appointed by the governor;
199199 (2) two members appointed by the lieutenant governor;
200200 (3) two members appointed by the speaker of the house
201201 of representatives; and
202202 (4) two members appointed by the attorney general.
203203 (c) To be eligible to serve as a member of the work group, a
204204 person must have expertise in two or more of the following areas:
205205 (1) children's data privacy;
206206 (2) physical health;
207207 (3) mental health and well-being;
208208 (4) computer science; or
209209 (5) children's rights.
210210 (d) A member of the work group receives no compensation for
211211 serving on the work group but may be reimbursed for travel or other
212212 expenses incurred while conducting the business of the work group.
213213 (e) The work group shall solicit input from stakeholders and
214214 prepare recommendations for the legislature on ways to protect the
215215 personal identifying information of children in this state.
216216 (f) Not later than January 1 of each odd-numbered year, the
217217 work group shall submit to the legislature a report of the work
218218 group's findings and recommendations. The report must:
219219 (1) identify products likely to be used by children;
220220 (2) evaluate and prioritize the best interests of
221221 children;
222222 (3) evaluate the manner in which the best interests of
223223 children may be furthered by the products in Subdivision (1);
224224 (4) evaluate whether the risks posed by the products
225225 in Subdivision (1) are proportional to the safeguards put in place
226226 by businesses;
227227 (5) suggest ways to assess and mitigate risks to
228228 children that arise from the products identified under Subdivision
229229 (1); and
230230 (6) identify best methods of publishing privacy
231231 information, terms of service, policies, and community standards
232232 for a product in a clear and concise manner able to be understood by
233233 a child.
234234 (g) This section expires on January 1, 2033.
235235 SUBCHAPTER D. ENFORCEMENT
236236 Sec. 121.151. CIVIL PENALTY. (a) A person who violates
237237 this chapter is liable to the state for a civil penalty in an amount
238238 not to exceed:
239239 (1) $2,500 for each child exposed to harmful content
240240 as described by Section 121.051(c) as a result of a negligent
241241 violation; and
242242 (2) $7,500 for each child exposed to harmful content
243243 as described by Section 121.051(c) as a result of an intentional
244244 violation.
245245 (b) The attorney general may bring suit to recover a civil
246246 penalty imposed under this section. The attorney general may
247247 recover attorney's fees and costs incurred in bringing an action
248248 under this section.
249249 (c) The action may be brought in a district court in:
250250 (1) Travis County; or
251251 (2) a county in which any part of the violation or
252252 threatened violation occurs.
253253 (d) The attorney general shall deposit a civil penalty
254254 collected under this section in the state treasury to the credit of
255255 the general revenue fund.
256256 Sec. 121.152. REQUIRED NOTICE. (a) If a person who
257257 violates this chapter is in substantial compliance with the
258258 requirements under Sections 121.051, 121.052, and 121.053, the
259259 attorney general shall, before bringing suit under Section 121.151,
260260 issue a notice to the person identifying the provisions of this
261261 chapter that the attorney general alleges to have been violated by
262262 the person.
263263 (b) It shall be a complete defense to suit under Section
264264 121.151 if, not later than the 90th day after receiving a notice
265265 under Subsection (a), a person cures any violation of this chapter
266266 and provides notice to the attorney general of the measures taken to
267267 cure the violation and prevent further violations.
268268 Sec. 121.153. NO PRIVATE CAUSE OF ACTION. Nothing in this
269269 chapter may be construed to create a private cause of action for a
270270 violation of this chapter.
271271 Sec. 121.154. RULES. The attorney general shall adopt
272272 rules to implement this chapter.
273273 SECTION 2. This Act takes effect September 1, 2023.