Sec. 2. Definitions
2,346 words·~11 min read·
/bill/117/hr/4801/ih/section-2A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Section 1302 of the Children’s Online Privacy Protection Act of 1998 ( 15 U.S.C. 6501 ) is amended— by striking paragraphs
(5)and (10); by redesignating paragraphs (2), (3), (4), (6), (7), (8), and
(9)as paragraphs (3), (5), (6), (7), (8), (9), and (10), respectively; by inserting after paragraph
(1)the following: The term teenager means an individual over the age of 12 and under the age of 18. ; by striking paragraph
(3)(as so redesignated) and inserting the following: The term covered entity means— any organization, corporation, trust, partnership, sole proprietorship, unincorporated association, or venture over which the Commission has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act ( 15 U.S.C. 45(a)(2) ); notwithstanding section 5(a)(2) of the Federal Trade Commission Act ( 15 U.S.C. 45(a)(2) ), common carriers; and notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44 and 45(a)(2)), any nonprofit organization, including any organization described in section 501(c) of the Internal Revenue Code of 1986 that is exempt from taxation under section 501(a) of the Internal Revenue Code of 1986. The term operator means, with respect to a digital service, the covered entity that operates such service, to the extent the covered entity is engaged in operating such service or in processing covered information obtained in connection with such service. ; by amending paragraph
(6)(as so redesignated) to read as follows: The term disclose means to intentionally or unintentionally release, transfer, sell, disseminate, share, publish, lease, license, make available, allow access to, fail to restrict access to, or otherwise communicate covered information. ; by amending paragraph
(9)(as so redesignated) to read as follows: The term covered information — means any information, linked or reasonably linkable to a specific teenager or child, or specific consumer device of a teenager or child; may include— a name, alias, home or other physical address, online identifier, Internet Protocol address, email address, account name, Social Security number, physical characteristics or description, telephone number, State identification card number, driver’s license number, passport number, or other similar identifier; actual or perceived race, religion, sex, sexual orientation, sexual behavior, familial status, gender identity, disability, age, political affiliation, or national origin; commercial information, including records relating to personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories, interests, or tendencies; biometric information; device identifiers, online identifiers, persistent identifiers, or digital fingerprinting information; internet or other electronic network activity information, including browsing history, search history, and information regarding a teenager’s or child’s interaction with an internet website, application, or advertisement; geolocation information; audio, electronic, visual, thermal, olfactory, or similar information; education information; health information; facial recognition information; contents of, attachments to, and parties to information, including with respect to electronic mail, text messages, picture messages, voicemails, audio conversations, and video conversations; financial information, including bank account numbers, credit card numbers, debit card numbers, or insurance policy numbers; and inferences drawn from any of the information described in this paragraph to create a profile about a teenager or child reflecting the teenager’s or child’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes; and does not include— information that is processed solely for the purpose of employment of a teenager; or de-identified information. ; by amending paragraph
(10)(as so redesignated) to read as follows: The term verifiable consent means express, affirmative consent freely given by a teenager, or by the parent of a child, to the processing of covered information of that teenager or child, respectively— that is specific, informed, and unambiguous, taking into account the age and the developmental or cognitive needs and capabilities of the teenager or parent of a child, as applicable; that is given separately for each processing activity; where the teenager or parent of a child, as applicable, has not received any financial or other incentive in exchange for such consent; that is given before any processing occurs, at a time and in a context in which the teenager or parent of a child, as applicable, would reasonably expect to make choices concerning such processing; and that is not obtained through the use of a design, modification, or manipulation of a user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision making, or choice. ; and by adding at the end the following: The term process means to perform any operation or set of operations on covered information, whether or not by automated means, including collecting, creating, acquiring, disclosing, sharing, classifying, sorting, recording, deriving, inferring, obtaining, assembling, organizing, structuring, storing, retaining, adapting or altering, using, or retrieving covered information. The term de-identified information means information that cannot reasonably be used to infer information about, or otherwise be linked to, a specific teenager or child or specific consumer device of a teenager or child, if the covered entity that possesses the information— takes reasonable measures to ensure that the information cannot be associated with a teenager or child; publicly commits to maintain and use the information in de-identified form and not to attempt to re-identify the information, except for the purpose of testing the sufficiency of the de-identification measures; and contractually obligates any recipients of the information to comply with clauses
(i)and (ii). The term re-identify means to link information that has been de-identified to a specific teenager or child or specific consumer device of a teenager or child. The term State means each of the several States, the District of Columbia, each territory of the United States, and each federally recognized Indian Tribe. The term service provider means a covered entity that processes covered information at the direction of, and for the sole benefit of, another covered entity, and— is contractually or legally prohibited from processing such covered information for any other purpose; and complies with all of the requirements of this title and the regulations promulgated under this title. The term digital service means a website, online service, online application, mobile application, or any other service that processes covered information digitally. The term children’s service means— a digital service or portion thereof that is directed to children; or any other digital service or portion thereof, if the operator of the service decides to treat all users of the service or portion, as the case may be, as children. The term privacy risk means potential adverse consequences to an individual, group of individuals, or society arising from the processing of covered information, including— physical harm; psychological or emotional harm; negative or harmful outcomes or decisions with respect to an individual’s eligibility for rights, benefits, or opportunities; reputational and dignity harm; financial harm, including price discrimination; inconvenience or expenditure of time; disruption and intrusion from unwanted communications or contacts; other effects that limit an individual’s choices, influence an individual’s responses, or predetermine results or outcomes for that individual; and other demonstrable adverse consequences that affect an individual’s private life, including private family matters, actions, and communications within an individual’s home or similar physical, online, or digital location. The terms privacy and security impact assessment and mitigation and PSIAM mean, with respect to a digital service, an assessment and mitigation by the operator of the service of risks to the children and teenagers who access the service that arise from the processing of covered information, taking into account privacy risks, security risks, the rights and best interests of children and teenagers, differing ages, capacities, and developmental needs of children and teenagers, and any significant internal or external emerging risks, and ensuring that the PSIAM builds in risk mitigation and compliance with the other requirements of this title. In conducting a PSIAM with respect to a digital service, the operator of the service shall do the following: Embed the PSIAM into the design process of the service and complete the PSIAM before the launch of the service and on an ongoing basis, and before making significant changes to the processing of covered information. Publicly disclose the nature, scope, context, and purposes of the processing of covered information. Depending on the size of the service and level of risks identified— seek and document the views of children, teenagers, and parents (or their representatives), as well as experts in children’s and teenagers’ developmental needs; and take such views into account in the design of the service. Publicly disclose an explanation of why the operator’s processing of covered information is necessary and proportionate vis a vis the risks for the service, and how the operator complies with the requirements of this title. Assess any processing of covered information that is not in the best interests of children or teenagers or that can be detrimental to their wellbeing and safety, whether physical, emotional, developmental, or material. Identify, assess, and mitigate high-risk processing of covered information. Identify measures taken to mitigate the risks identified under clause
(vi)and comply with the other requirements of this title. Provide for regular internal reporting on the effectiveness of controls and residual risks of the operator. The Commission may audit a PSIAM conducted by an operator as the Commission considers necessary. The term directed to children means, with respect to a digital service, that the digital service is targeted to or attractive to children, as demonstrated by— the subject matter of the digital service; the visual content of the digital service; the use of animated characters or child-oriented activities for children, and related incentives, on the digital service; the music or other audio content on the digital service; the age of models on the digital service; the presence on the digital service of— child celebrities; or celebrities who appeal to children; the language used on the digital service; advertising content used on, or used to advertise, the digital service; reliable empirical evidence relating to— the composition of the audience of the digital service, including— data the operator of the digital service may directly or indirectly collect, use, profile, buy, sell, classify, or analyze (via algorithms or other forms of data analytics, including look-alike modeling) about a user or groups of users to estimate, identify, or classify the age or age range (or a proxy thereof) of such user or groups of users; advertising information or results, such as data, reporting, or information from the internal communications of the operator of the digital service, including documentation about its advertising practices, such as an advertisement insertion order, or other promotional material to marketers, that indicates that covered information is being collected from children that are using the digital service; data or reporting from the general or trade press of the digital service indicating that children are using the digital service; complaints from parents or other third parties about child users using the digital service, whether through the complaint mechanism of the digital service, by email, or by other means; and data or reporting from a privacy and security impact assessment and mitigation, compliance program, or other compliance, risk management, or internal process that documents privacy risks and controls related to children’s privacy, including the existence of data analytics controlled by the operator of the digital service, including those of service providers, and content analytics capabilities and functions or outputs; and the intended audience of the digital service, including data the operator of the digital service directly or indirectly collects, uses, profiles, buys, sells, classifies, or analyzes (via algorithms or other forms of data analytics, including look-alike modeling) about the nature of the content of the digital service that estimates, identifies, or classifies the content as child-directed or similarly estimates, identifies, or classifies the intended or likely audience for the content; or any other evidence or circumstances the Commission determines appropriate. A digital service shall be deemed to be directed to children if the operator of the digital service has actual or constructive knowledge that the digital service collects covered information directly from users of any other digital service that is directed to children under the criteria described in subparagraph (A). A digital service shall be deemed directed to children if the digital service receives a signal from a third party indicating that the digital service is intended for children or likely to appeal to children, whether directly or using a flag or other formal industry standard or convention. A digital service that does not target children as its primary audience shall not be deemed directed to children if the digital service— does not collect covered information from any visitor prior to collecting age information; and prevents the collection, use, or disclosure of covered information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions of this title and the regulations promulgated under this title. A digital service shall not be deemed directed to children solely because the digital service refers or links to another digital service that is directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. For purposes of determining whether a portion of a digital service is directed to children, any reference in this paragraph to a digital service shall be considered to refer to such portion. The term likely to be accessed by children or teenagers means, with respect to a digital service, that the possibility of more than a de minimis number of children or teenagers accessing the digital service is more probable than not. In determining whether a digital service is likely to be accessed by children or teenagers, the operator of the service shall consider whether the service has particular appeal to children or teenagers and whether effective measures (such as age gating) are in place that prevent children or teenagers from gaining access to the service. The term age assurance means a verifiable process to estimate or determine the age of a user of a digital service with a given and documented degree of certainty. The term age gate means to use a verifiable process that meets a documented degree of certainty to restrict or block access to a digital service for users that do not meet an age requirement. .
Connectionstraces to 3
Traces to 3 documents
Citation graph
cites case law
Cites 3Cited by 0 across 0 sources