88R7481 MLH-D
By: Martinez Fischer H.B. No. 4948
A BILL TO BE ENTITLED
AN ACT
relating to the regulation of Internet products, services, and
features accessed by children; providing a civil penalty.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subtitle C, Title 5, Business & Commerce Code, is
amended by adding Chapter 121 to read as follows:
CHAPTER 121. INTERNET PRODUCTS, SERVICES, AND FEATURES ACCESSED
BY CHILDREN
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 121.001. DEFINITIONS. In this chapter:
(1) "Child" means an individual younger than 18 years
of age.
(2) "Consumer" has the meaning assigned by Section
20.01.
(3) "Personal identifying information" has the
meaning assigned by Section 521.002.
SUBCHAPTER B. DUTIES AND PROHIBITIONS
Sec. 121.051. DATA PROTECTION IMPACT ASSESSMENT REQUIRED.
(a) Except as provided by Subsection (d), a person shall conduct a
data protection impact assessment to assess and mitigate risks
posed to a child who accesses a product, service, or feature
provided by the person if the person:
(1) provides a product, service, or feature to a
consumer in this state through an Internet website that is likely to
be accessed by a child;
(2) collects a consumer's personal identifying
information; and
(3) in the preceding year:
(A) generated more than $25 million in annual
gross revenue;
(B) collected or used the personal identifying
information of more than 50,000 consumers; or
(C) generated more than half of the person's
annual gross revenue from the collection and sale of a consumer's
personal identifying information.
(b) An assessment under this section must:
(1) identify:
(A) the purpose of the product, service, or
feature;
(B) the manner in which the product, service, or
feature uses personal identifying information; and
(C) any risks to children posed by the manner in
which the product, service, or feature uses personal identifying
information; and
(2) assess:
(A) whether the product, service, or feature
poses a risk of exposing a child to harmful content;
(B) whether the algorithms or advertising
systems used by the product, service, or feature pose a risk of
exposing a child to harmful content; and
(C) the manner in which the product, service, or
feature:
(i) uses design features to increase or
extend use of the product by a child; and
(ii) collects and processes the child's
personal identifying information.
(c) For the purposes of this section:
(1) a product, service, or feature is considered
likely to be accessed by a child if the product, service, or
feature:
(A) is intended, wholly or partly, to be used by a
child;
(B) is routinely accessed by children;
(C) is substantially similar to another product,
service, or feature that is routinely accessed by children;
(D) is marketed to children; or
(E) has design elements that are known to
interest children, including games, cartoons, music, and content
pertaining to celebrities of interest to children; and
(2) content is considered harmful if the content is
reasonably likely to have a detrimental impact on a child's
physical, mental, or emotional health.
(d) This section does not apply to a person who:
(1) is required to maintain and disseminate a privacy
policy under the Health Insurance Portability and Accountability
Act of 1996 (42 U.S.C. Section 1320d et seq.); or
(2) provides a product, service, or feature to a
consumer through an Internet website if the product, service, or
feature is:
(A) a broadband service;
(B) a telecommunications service; or
(C) a service that involves the delivery or use
of a physical product.
Sec. 121.052. IMPACT MANAGEMENT PLAN REQUIRED. A person
required to conduct a data protection impact assessment under
Section 121.051 shall develop an impact management plan to mitigate
or eliminate any risks identified in the assessment. The plan must
include defined goals and a timeline to achieve those goals.
Sec. 121.053. PROVISION OF ASSESSMENT TO ATTORNEY GENERAL.
(a) On the request of the attorney general, a person required to
conduct a data protection impact assessment under Section 121.051
shall, not later than the third business day after the person
receives the request, provide a list of data protection impact
assessments conducted by the person under Section 121.051. The
list must include the product, service, or feature assessed and the
date of the assessment.
(b) On the request of the attorney general, a person
required to conduct a data protection impact assessment under
Section 121.051 shall, not later than the fifth business day after
the person receives the request, provide a copy of a data protection
impact assessment conducted by the person.
(c) Production of a data protection impact assessment under
this section does not constitute a waiver of attorney-client
privilege or attorney work product protection.
Sec. 121.054. PROTECTION OF PERSONAL IDENTIFYING
INFORMATION. (a) A person required to conduct a data protection
impact assessment under Section 121.051 shall:
(1) estimate the age of an individual using a product,
service, or feature, and, in the case of a child:
(A) configure default settings of a product,
service, or feature to a high level of privacy, unless the person
can demonstrate a compelling reason that alternate settings are in
the best interest of a child; and
(B) provide privacy information, terms of
service, policies, and community standards for a product, service,
or feature in a clear and concise manner able to be understood by a
child; or
(2) apply the requirements of Subdivisions (1)(A) and
(B) to all users of the product, service, or feature.
(b) If a product, service, or feature allows for another
person to monitor or track a child, a person required to conduct a
data protection impact assessment under Section 121.051 shall
ensure the product, service, or feature provides an obvious signal
to a child when the product, service, or feature is monitoring or
tracking the child.
(c) A person required to conduct a data protection impact
assessment under Section 121.051 shall enforce any terms, policies,
and community standards established by the person, including any
policies concerning use of a product by a child.
(d) A person required to conduct a data protection impact
assessment under Section 121.051 shall provide tools to help a
child or the child's parent or guardian exercise privacy rights and
report concerns relating to privacy. A tool under this subsection
must be prominently displayed, easily accessible, and responsive to
requests by a child or the child's parent or guardian.
Sec. 121.055. IMPROPER USE OF PERSONAL IDENTIFYING
INFORMATION. (a) A person required to conduct a data protection
impact assessment under Section 121.051 may not use a child's
personal identifying information for any purpose that is not:
(1) necessary to provide a product, service, or
feature; or
(2) the reason for which the person collected the
personal identifying information.
(b) A person required to conduct a data protection impact
assessment under Section 121.051 may not use a child's personal
identifying information in a manner that could:
(1) expose the child to harmful content, as described
by Section 121.051(c); or
(2) be detrimental to the physical or mental health
and well-being of the child.
(c) This section does not affect the ability of a person to
which this chapter applies to disclose personal identifying
information in a manner necessary to comply with a request by a
governmental entity or law enforcement.
Sec. 121.056. IMPROPER PROFILING OF CHILD. (a) In this
section, "profile" means the automated process of using personal
identifying information to analyze specific aspects of an
individual's demographic characteristics.
(b) A person required to conduct a data protection impact
assessment under Section 121.051 may not profile a child unless:
(1) the profiling is either:
(A) necessary to provide a product, service, or
feature; or
(B) in the best interests of the child; and
(2) the person has implemented safeguards to prevent
the child from accessing harmful content, as described by Section
121.051(c).
Sec. 121.057. IMPROPER USE OF GEOLOCATION DATA. (a) A
person required to conduct a data protection impact assessment
under Section 121.051 may not collect the precise geolocation data
of a child unless the business's product, service, or feature
provides an obvious sign to the child for the duration of the
collection process that the child's precise geolocation data is
being collected.
(b) A person required to conduct a data protection impact
assessment under Section 121.051 may not collect, use, or sell the
precise geolocation data of a child unless the collection, use, or
sale is necessary for the person to provide a product, service, or
feature to the child.
Sec. 121.058. USE OF DECEPTIVE DESIGN ELEMENTS PROHIBITED.
A person required to conduct a data protection impact assessment
under Section 121.051 may not use deceptive design elements
intended to induce a child to provide more personal identifying
information than is necessary under this chapter.
SUBCHAPTER C. DATA PROTECTION WORK GROUP
Sec. 121.101. DATA PROTECTION WORK GROUP. (a) In this
section, "work group" means the work group established under this
section.
(b) The consumer protection division of the attorney
general's office shall establish a work group to promote business
practices that protect the personal identifying information of
consumers. The work group consists of:
(1) two members appointed by the governor;
(2) two members appointed by the lieutenant governor;
(3) two members appointed by the speaker of the house
of representatives; and
(4) two members appointed by the attorney general.
(c) To be eligible to serve as a member of the work group, a
person must have expertise in two or more of the following areas:
(1) children's data privacy;
(2) physical health;
(3) mental health and well-being;
(4) computer science; or
(5) children's rights.
(d) A member of the work group receives no compensation for
serving on the work group but may be reimbursed for travel or other
expenses incurred while conducting the business of the work group.
(e) The work group shall solicit input from stakeholders and
prepare recommendations for the legislature on ways to protect the
personal identifying information of children in this state.
(f) Not later than January 1 of each odd-numbered year, the
work group shall submit to the legislature a report of the work
group's findings and recommendations. The report must:
(1) identify products likely to be used by children;
(2) evaluate and prioritize the best interests of
children;
(3) evaluate the manner in which the best interests of
children may be furthered by the products in Subdivision (1);
(4) evaluate whether the risks posed by the products
in Subdivision (1) are proportional to the safeguards put in place
by businesses;
(5) suggest ways to assess and mitigate risks to
children that arise from the products identified under Subdivision
(1); and
(6) identify best methods of publishing privacy
information, terms of service, policies, and community standards
for a product in a clear and concise manner able to be understood by
a child.
(g) This section expires on January 1, 2033.
SUBCHAPTER D. ENFORCEMENT
Sec. 121.151. CIVIL PENALTY. (a) A person who violates
this chapter is liable to the state for a civil penalty in an amount
not to exceed:
(1) $2,500 for each child exposed to harmful content
as described by Section 121.051(c) as a result of a negligent
violation; and
(2) $7,500 for each child exposed to harmful content
as described by Section 121.051(c) as a result of an intentional
violation.
(b) The attorney general may bring suit to recover a civil
penalty imposed under this section. The attorney general may
recover attorney's fees and costs incurred in bringing an action
under this section.
(c) The action may be brought in a district court in:
(1) Travis County; or
(2) a county in which any part of the violation or
threatened violation occurs.
(d) The attorney general shall deposit a civil penalty
collected under this section in the state treasury to the credit of
the general revenue fund.
Sec. 121.152. REQUIRED NOTICE. (a) If a person who
violates this chapter is in substantial compliance with the
requirements under Sections 121.051, 121.052, and 121.053, the
attorney general shall, before bringing suit under Section 121.151,
issue a notice to the person identifying the provisions of this
chapter that the attorney general alleges to have been violated by
the person.
(b) It shall be a complete defense to suit under Section
121.151 if, not later than the 90th day after receiving a notice
under Subsection (a), a person cures any violation of this chapter
and provides notice to the attorney general of the measures taken to
cure the violation and prevent further violations.
Sec. 121.153. NO PRIVATE CAUSE OF ACTION. Nothing in this
chapter may be construed to create a private cause of action for a
violation of this chapter.
Sec. 121.154. RULES. The attorney general shall adopt
rules to implement this chapter.
SECTION 2. This Act takes effect September 1, 2023.