
Code · BILL · 118th Congress · H.R. 2801 (Introduced in House) — To amend the Children’s Online Privacy Protection Act of 1998 to update and expand the coverage of such Act, and for... · Sec. 3

Sec. 3. Requirements for processing of covered information of children or teenagers


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Section 1303 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6502) is amended to read as follows:
An operator of a children’s service shall process covered information under the principle of data minimization, requiring the operator to process only the minimum amount necessary for each purpose for which the covered information is processed.
An operator of a children’s service shall develop and make publicly available, at all times and in a machine-readable format, a privacy policy, in a manner that is clear, easily understood, and written in plain and concise language, that includes, with respect to operating the children’s service— the categories of covered information that the operator processes about teenagers and children; how and under what circumstances covered information is collected directly from a teenager or child; the categories and the sources of any covered information processed by the operator that is not collected directly from a teenager or child; a description of the purposes for which the operator processes covered information, including— a description of whether and how the operator customizes products or services for teenagers or children, or adjusts the prices of products or services for teenagers or children, based in any part on processing of covered information; a description of whether and how the operator, or the operator’s affiliates or service providers, de-identify information, including the methods used to de-identify such information; and a description of whether and how the operator, or the operator’s affiliates or service providers, generate or use any consumer score to make decisions concerning a teenager or child, and the source or sources of any such consumer score; a description of how long and the circumstances under which the operator retains covered information; a description of all of the purposes for which the operator discloses covered information to service providers and, on a biennial basis, the categories of service providers; a description of whether and for what purposes the operator discloses covered information to third parties, and the categories of covered information disclosed; a description of the categories of third parties to which covered information described in subparagraph (G) is disclosed, by category or categories of covered information for each category of third party to which the covered information is disclosed; whether the operator discloses covered information to third parties that sell or plan to sell such covered information; whether the operator collects covered information about teenagers or children over time and across different digital services if a teenager or child uses the operator’s digital service; how a teenager or a parent of a child can exercise their rights to access, correct, and delete such teenager’s or child’s covered information as set forth in paragraph (6); a listing of all possible consents that may be obtained by the operator for the processing of covered information, how a teenager or the parent of a child can grant, withhold, withdraw, or modify any such consent, and the consequences of withholding, withdrawing, or modifying any such consent; the effective date of the privacy policy; and how the operator will communicate material changes to the privacy policy to the teenager or the parent of a child.
An operator of a children’s service shall— provide clear and concise notice to a teenager or the parent of a child of the items of covered information about such teenager or child, respectively, that are processed by such operator and how such operator processes such covered information; obtain verifiable consent for such processing; and if such operator determines, including through actual or constructive knowledge, that such operator has not obtained verifiable consent for any specific processing of covered information about a teenager or child, not later than 48 hours after such determination— obtain verifiable consent; or delete all covered information about such teenager or child.
Verifiable consent under this paragraph is not required in the case of— online contact information collected from a teenager or child that— is used only to respond directly on a one-time basis to a specific request from the teenager or child; is not used to re-contact the teenager or child; and is not retained by the operator after responding as described in subclause (I); a request for the name or online contact information of a teenager or the parent of a child that is used for the sole purpose of obtaining verifiable consent or providing notice under subparagraph (A)(i), where such information is not retained by the operator if verifiable consent is not obtained within 48 hours; or the processing of covered information that is necessary— to respond to judicial process; or to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.
An operator of a children’s service shall provide a teenager or the parent of a child, as applicable— a mechanism to withdraw consent to the processing of covered information at any time in a manner that is as easy as the mechanism to give consent; and clear and conspicuous notice of the mechanism required by subclause (I).
Withdrawal of consent to the processing of covered information shall not be construed to affect the lawfulness of any processing of covered information based on verifiable consent that was in effect before such withdrawal.
An operator of a children’s service may not refuse to provide a service, or discontinue a service provided, to a teenager or child, if the teenager or parent of the child, as applicable, refuses to consent, or withdraws consent, to the processing of any covered information not technically required for the operator to provide such service.
Subject to the exceptions provided in subparagraph (B), an operator of a children’s service may not keep, retain, or otherwise store covered information for longer than is reasonably necessary for the purposes for which the covered information is processed.
Further retention of covered information does not violate subparagraph (A) if the processing of the covered information is necessary and done solely for the purposes of— compliance with— requirements to document compliance under this title; or other laws, regulations, or legal obligations; preventing risks to the health or safety of a child or teenager or groups of children or teenagers; or repairing errors that impair the existing (as of the time when the repairs are made) functionality of the children’s service.
Subject to the exceptions provided in subparagraph (C), an operator of a children’s service may not disclose covered information to a third party unless the operator has a written agreement with such third party that— specifies all of the purposes for which the third party may process the covered information for which the operator has verifiable consent; prohibits the third party from processing covered information for any purpose other than the purposes specified under clause (i); and requires the third party to provide at least the same level of privacy and security protections as the operator.
An operator of a children’s service— shall perform reasonable due diligence in selecting any third party with which to enter into an agreement described in subparagraph (A) and shall exercise reasonable oversight over all such third parties to assure compliance with the requirements of this title and the regulations promulgated under this title; and if the operator has actual or constructive knowledge that a third party has violated an agreement described in subparagraph (A), shall— to the extent practicable, promptly take steps to ensure compliance with such agreement; and promptly report to the Commission that such a violation occurred.
An operator of a children’s service may disclose covered information to a third party other than under an agreement described in subparagraph (A) if such disclosure is necessary and done solely for the purposes of— compliance with— requirements to document compliance under this title; or other laws, regulations, or legal obligations; preventing risks to the health or safety of a child or teenager or groups of children or teenagers; or repairing errors that impair the existing (as of the time when the repairs are made) functionality of the children’s service.
An operator of a children’s service, subject to the exceptions in subparagraph (D), shall, upon request of a teenager or the parent of a child and after proper identification of such teenager or parent, promptly provide to such teenager or parent, as applicable— access to all covered information processed by the operator pertaining to such teenager or child, including a description of— each type of covered information processed by the operator pertaining to the teenager or child, as applicable; each purpose for which the operator processes each category of covered information pertaining to the teenager or child, as applicable; the names of each third party to which the operator disclosed the covered information; each source other than the teenager or child, as applicable, from which the operator obtained covered information pertaining to that teenager or child, as applicable; how long the covered information will be retained or stored by the operator and, if not known, the criteria the operator uses to determine how long the covered information will be retained or stored by the operator; and with respect to any consumer score of the teenager or child, as applicable, processed by the operator— how such score is used by the operator to make decisions with respect to that teenager or child, as applicable; and the source that created the score if not created by the operator; and a simple and reasonable mechanism by which a teenager or parent of a child may request access to the information described under clause (i), as applicable.
An operator of a children’s service, subject to the exceptions in subparagraph (D), shall— establish a simple, publicly and easily accessible, and reasonable mechanism by which a teenager or parent of a child with respect to whom the operator processes covered information may request the operator to delete any such covered information (or any component thereof), including publicly available covered information submitted to the service by the child or teenager; and delete such covered information not later than 45 days after receiving such request.
An operator of a children’s service, subject to the exceptions in subparagraph (D), shall— provide each teenager or parent of a child with respect to whom the operator processes covered information, as applicable, a simple, publicly and easily accessible, and reasonable mechanism by which that teenager or parent may submit a request to the operator— to dispute the accuracy or completeness of that covered information, or part or component thereof; and to request that such covered information, or part or component thereof, be corrected for accuracy or completeness; and not later than 45 days after receiving a request under clause (i)— determine whether the covered information disputed or requested to be corrected is inaccurate or incomplete; and correct the accuracy or completeness of any covered information determined by the operator to be inaccurate or incomplete.
An operator of a children’s service may deny a request made under subparagraph (A), (B), or (C) if— the operator is unable to verify the identity of the teenager or parent of a child making the request after making a reasonable effort to verify the identity of such teenager or parent; with respect to the request made, the operator determines that— the operator is limited from fulfilling the request by law, legally recognized privilege, or other legal obligation; or fulfilling the request would create a legitimate risk to the privacy, security, or safety of someone other than the teenager or child, as applicable; with respect to a request to delete covered information made under subparagraph (B) or a request to correct covered information made under subparagraph (C), the operator determines that the retention of the covered information is necessary to— complete the transaction with the teenager or child, as applicable, for which the covered information was collected; provide a product or service affirmatively requested by the teenager or parent of a child, as applicable; perform a contract with the teenager or a parent of a child, as applicable, including a contract for billing, financial reporting, or accounting; keep a record of the covered information for law enforcement purposes; or repair errors that impair the existing (as of the time when the repairs are made) functionality of the children’s service; or the covered information is used in public or peer-reviewed scientific, medical, or statistical research in the public interest that adheres to commonly accepted ethical standards or laws, with informed consent consistent with section 50.20 of title 21, Code of Federal Regulations, if the research is already in progress at the time when the request to access, delete, or correct is made under subparagraph (A), (B), or (C).
An operator of a children’s service may not refuse to provide a service, or discontinue a service provided, to a teenager or child on the basis of the exercise by the teenager or the parent of the child, as applicable, of any of the rights set forth in this paragraph.
An operator of a children’s service may not— process any covered information in a manner that is inconsistent with what a reasonable teenager or parent of a child would expect in the context of a particular transaction or the teenager’s or parent’s relationship with such operator, or seek to obtain verifiable consent for such processing; process any covered information in a manner that is harmful or has been shown to be detrimental to the well-being of children or teenagers; process covered information for the purpose of providing for targeted personalized advertising or engage in other marketing to a specific child or teenager or group of children or teenagers based on— using the covered information, online behavior, or group identifiers of such child or teenager or of the children or teenagers in such group; or using the covered information or online behavior of children or teenagers who share characteristics with such child or teenager or with the children or teenagers in such group, including income level or protected characteristics or proxies thereof; condition the participation of a child or teenager in a game, sweepstakes, or other contest on consenting to the processing of more covered information than is necessary for such child or teenager to participate; engage in cross-device tracking of a child or teenager unless the child or teenager is logged in to a specific service, for the sole purpose of facilitating the primary purpose of the service or a specific feature thereof; engage in algorithmic processes that harmfully discriminate on the basis of race, age, gender, ability, or other protected characteristics; disclose biometric information, except to a service provider of the operator; disclose geolocation information, except to a service provider of the operator; or collect geolocation information by default or without disclosing clearly when geolocation tracking is in effect.
Nothing in subparagraph (A) shall prohibit an operator from processing covered information if the processing of the covered information is necessary and done solely for the purposes of— compliance with— requirements to document compliance under this title; or other laws, regulations, or legal obligations; preventing risks to the health or safety of a child or teenager or groups of children or teenagers; or repairing errors that impair the existing (as of the time when the repairs are made) functionality of the children’s service.
An operator of a children’s service shall establish, implement, and maintain reasonable security policies, practices, and procedures for the protection of covered information, taking into consideration— the size, nature, scope, and complexity of the activities engaged in by such operator; the sensitivity of any covered information at issue; and the cost of implementing such policies, practices, and procedures.
The policies, practices, and procedures established by an operator under subparagraph (A) shall include the following: A written security policy with respect to the processing of such covered information. The identification of an officer or other individual as the point of contact with responsibility for the management of information security. A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by such operator that contain such covered information, including regular monitoring for a breach of security of such system or systems. A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by clause (iii), which may include— implementing any changes to the security practices, architecture, installation, or implementation of network or operating software; and regular testing or otherwise monitoring the effectiveness of the safeguards. A process for determining if the covered information is no longer needed and deleting such covered information by shredding, permanently erasing, or otherwise modifying the covered information to make such covered information permanently unreadable or indecipherable. A process for overseeing persons (other than users of the children’s service) who have access to covered information, including through internet-connected devices, by— taking reasonable steps to select and retain persons that are capable of maintaining appropriate safeguards for the covered information or internet-connected devices at issue; and requiring all such persons to implement and maintain such safeguards. A process for employee training and supervision for implementation of the policies, practices, and procedures required by this subsection. A written plan or protocol for internal and public response in the event of a breach of security.
An operator of a children’s service shall, not less frequently than every 12 months, monitor, evaluate, and adjust, as appropriate, the policies, practices, and procedures of such operator in light of any relevant changes in— technology; internal or external threats and vulnerabilities to covered information; and the changing business arrangements of the operator.
An operator of a children’s service shall submit the policies, practices, and procedures established by the operator under subparagraph (A) to the Commission in conjunction with a notification of a breach of security required by any Federal or State statute or regulation or upon request of the Commission.
The Commission shall promulgate regulations under section 553 of title 5, United States Code, that contain requirements for operators of digital services that are not children’s services but are likely to be accessed by children or teenagers, which shall be based on the requirements of subsection (a) but modified as the Commission considers appropriate given a risk-based approach to determine age and to determine and mitigate privacy risks and security risks to the child or teenager, and given differing developmental needs and cognitive capacities of children or teenagers. The Commission may include in such regulations different requirements for operators of different types of such services.
The regulations promulgated under paragraph (1) shall require an operator to make the best interests of children and teenagers a primary design consideration when designing its service, including by conducting a privacy and security impact assessment and mitigation for the service.
The regulations promulgated under paragraph (1) shall require a risk-based approach to determining the age of a specific user of a digital service under which higher privacy risks and security risks from the processing of covered information require a higher certainty of age assurance.
The regulations promulgated under paragraph (1) shall require an operator to conduct an age assurance to determine the age of each specific user.
The Commission shall establish in the regulations promulgated under paragraph (1) a process under which an operator may obtain the approval of the Commission of particular mechanisms of age assurance as meeting the age assurance requirements of such regulations for particular levels of privacy risks.
The regulations required by paragraph (1) shall provide that any data collected for age assurance shall be the minimal amount necessary and destroyed immediately or as determined by the Commission, but consistent with standards that still allow for auditing and compliance.
An operator of a digital service that is likely to be accessed by children or teenagers may not process covered information for the purpose of providing for targeted personalized advertising or engage in other marketing to a specific child or teenager or group of children or teenagers based on— using the covered information, online behavior, or group identifiers of such child or teenager or of the children or teenagers in such group; or using the covered information or online behavior of children or teenagers who share characteristics with such child or teenager or with the children or teenagers in such group, including income level or protected characteristics or proxies thereof.
Not later than 1 year after the date of the enactment of the Protecting the Information of our Vulnerable Adolescents, Children, and Youth Act, the Commission shall promulgate, under section 553 of title 5, United States Code, such regulations as may be necessary to carry out this section, including the regulations required by subsection (b).
Not later than 10 years after the date on which the Commission promulgates the regulations required by paragraph (1), the Commission shall review such regulations and, if the Commission considers revisions to such regulations appropriate, promulgate such revisions under section 553 of title 5, United States Code.
Subject to section 1306, a violation of this section or a regulation promulgated under this section shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Section 1305 of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6504) is amended— in subsection (a)(1)— by striking “any regulation of the Commission prescribed under section 1303(b)” and inserting “section 1303 or a regulation promulgated under such section”; and in subparagraph (B), by striking “the regulation” and inserting “such section or such regulation”; and in subsection (d)— by striking “any regulation prescribed under section 1303” and inserting “section 1303 or a regulation promulgated under such section”; and by striking “that regulation” and inserting “such section or such regulation”.