Protecting Kids Online
Greedy tech corporations profit from addictive content targeted at kids and collect children's data in order to keep them online. On average, kids spend five hours a day on social media, but the chance of anxiety, depression, and body image issues spikes after only three hours. Kids are also more likely to see misinformation online. This policy gives families the freedom to safely engage online without tech companies leveraging their data for profit, or subjecting kids to dangerous, addictive content.
- Parents and parent advocates
- Educators
- Tech reform advocates
- Student governments
- Greedy tech corporations that profit from kids’ social media use
This act shall be known as the Protect Kids Online Act
This policy gives families the freedom to safely engage online without tech companies leveraging their data for profit, or subjecting kids to dangerous, addictive content.
a) Application and Exemptions
i) The requirements of this Act apply to covered businesses. A covered business is a sole proprietorship, a limited liability company, a corporation, an association, or any other legal entity that:
1) Conducts business in the State;
2) Is reasonably likely to be accessed by minors;
3) Alone, or jointly with its affiliates or subsidiaries, determines the purposes and means of the processing of consumers’ personal data; and,
4) Either:
(a) Has annual gross revenues in excess of $25 million, adjusted every odd-numbered year to reflect adjustments in the Consumer Price Index;
(b) Annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices alone or in combination with its affiliates or subsidiaries; or,
(c) Derives at least 50% of its annual revenues from the sale of consumers’ personal data.
5) A covered business includes:
(a) An entity that controls or is controlled by a covered business that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned; and
(b) A joint venture or partnership composed of businesses in which each has at least a 40% interest in the joint venture or partnership and at least one business would be considered a covered business.
ii) This Act does not apply to:
1) A federal, state, tribal, or local government entity in the ordinary course of its operations.
2) Data subject to a statute or regulation identified under (a) below that is controlled by a covered entity or service provider that is:
(a) Required to comply with:
(i) Title V of the federal Gramm-Leach-Bliley Act; or
(ii) The federal Health Information Technology for Economic and Clinical Health Act; or
(iii) Regulations promulgated under §264(C) of the Health Insurance Portability and Accountability Act of 1996; and,
(b) In compliance with the Information Security requirements of applicable statutes or regulations identified in (a) above.
3) Information collected as part of a clinical trial subject to the federal policy for the protection of human subjects in accordance with:
(a) Good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; or
(b) Human subject protection requirements of the U.S. Food and Drug Administration.
b) Data Use Assessment
i) A covered business that, on or after [effective date], offers any online service, product, or feature reasonably likely to be accessed by minors shall conduct a data use assessment for the online service, product, or feature that identifies:
1) The purpose of the online service, product, or feature;
2) The purposes for which the company processes minors’ personal data with respect to the online service, product, or feature;
3) The types of minors’ personal data that the company processes with respect to the online service, product, or feature; and
4) An estimate of the number of account holders on the online service, product, or feature that belong to minors.
ii) Each covered business that conducts a data use assessment shall:
1) Review and update the data use assessment as necessary to account for any material change to the processing operations of the online service, product, or feature that is the subject of the data use assessment;
2) Maintain documentation concerning the data use assessment for the longer of:
(a) The three-year period beginning on the date on which such processing operations cease; or
(b) As long as the company offers the online service, product, or feature; and,
3) Annually report to the Attorney General:
(a) The estimated number of account holders on the online service, product, or feature that are minors;
(b) The categories of minors’ personal data, including sensitive personal data, that the online service, product, or feature processes; and,
(c) The purposes for which the business processes minors’ personal data with respect to the online service, product, or feature.
iii) Data use assessments shall be confidential and shall be exempt from disclosure under the [STATE Freedom of Information Act].
iv) A covered business that conducts a data use assessment and determines that the online service, product, or feature processes minors’ data in a way that does not comply with the requirements of this Act shall establish and implement a plan to bring the online service, product, or feature processing of minors’ data into compliance with the requirements of this Act.
v) A single data use assessment may address a comparable set of processing operations that include similar activities.
vi) If a covered business conducts a data use assessment for the purpose of complying with another applicable law or regulation, the assessment shall be deemed to satisfy the requirements established in this section if such data use assessment is reasonably similar in scope and effect to the data use assessment that would otherwise be conducted pursuant to this section.
c) Data Risk Assessment
i) A covered business that, on or after [effective date], offers any online service, product, or feature reasonably likely to be accessed by minors shall conduct a data risk assessment for the online service, product, or feature that addresses any heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product, or feature to minors.
ii) Each covered business that conducts a data risk assessment shall:
1) Review and update the data risk assessment as necessary to account for any material change to the processing operations of the online service, product, or feature that is the subject of the data risk assessment; and,
2) Maintain documentation concerning the data risk assessment for the longer of:
(a) The three-year period beginning on the date on which such processing operations cease; or
(b) As long as the company offers the online service, product, or feature.
iii) A covered business that conducts a data risk assessment and determines that the online service, product, or feature that is the subject of such assessment poses a heightened risk of harm to minors shall establish and implement a plan to mitigate or eliminate such risk.
iv) Data risk assessments shall be confidential and shall be exempt from disclosure under the [STATE Freedom of Information Act].
v) A single data risk assessment may address a comparable set of processing operations that include similar activities.
vi) If a covered business conducts a data risk assessment for the purpose of complying with another applicable law or regulation, the assessment shall be deemed to satisfy the requirements established in this section if such data risk assessment is reasonably similar in scope and effect to the data risk assessment that would otherwise be conducted pursuant to this section.
d) Duty of Care
i) A covered business that processes a minor’s data in any capacity owes a minimum duty of care to the minor.
ii) As used in this Act, a “minimum duty of care” means the use of the personal data of a minor and the design of an online service, product, or feature will not benefit the covered business to the detriment of a minor and will not result in:
1) Reasonably foreseeable and material physical or financial injury to a minor;
2) Reasonably foreseeable emotional distress to a minor;
3) Intrusion on the reasonable privacy expectations of a minor; or
4) The encouragement of excessive or compulsive use of the online service, product, or feature by a minor.
e) Covered Business Obligations to Provide Minimum Privacy Standards
i) A covered business that offers any online service, product, or feature reasonably likely to be accessed by minors shall:
1) Configure all default privacy settings provided to minors by the online service, product, or feature to offer a high level of privacy;
2) Turn off notifications by default for social media platforms during the following hours unless the social media platform has obtained verifiable parent consent, as defined in 15 USC §6501, allowing the use of notifications during these times:
(a) The hours of 10 pm and 6 am seven days a week year-round in the minor’s local time zone; and
(b) Between the months of [INSERT STANDARD SCHOOL MONTHS IN STATE HERE – LIKELY BETWEEN August and May or September and June] between the hours of [INSERT STANDARD SCHOOL HOURS IN STATE HERE – LIKE BETWEEN 8:00 am to 3:30 pm] Monday through Friday in the minor’s local time zone.
3) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of minors reasonably likely to access the online service, product, or feature; and,
4) Provide prominent, accessible, and responsive tools to help a minor, or, if applicable, their parents or guardians exercise their privacy rights and report concerns to the covered business.
ii) A violation of this section constitutes a violation of the minimum duty of care as provided in Section (d) of this Act.
f) Prohibited Practices for Covered Businesses
i) A covered business that offers any online service, product, or feature reasonably likely to be accessed by minors shall not:
1) Process the personal data of a minor unless it is strictly necessary to provide the online service, product, or feature requested by a minor with which the minor is actively and knowingly engaged;
2) Sell the personal data of a minor;
3) Process any precise geolocation information of a minor consumer, unless the collection of that precise geolocation information is strictly necessary for the covered business to provide the service, product, or feature requested by a minor and with which the minor is actively and knowingly engaged. This collection of precise geolocation information must be limited to the amount of time necessary to provide the service, product, or feature requested by the minor and with which the minor is actively and knowingly engaged. If geolocation information must be processed to provide the minor with the service, product, or feature requested, a conspicuous signal denoting that processing must be provided to the minor for the duration of geolocation data processing;
4) Profile a minor, unless:
(a) The covered business can demonstrate it has appropriate safeguards in place to ensure that profiling does not violate the minimum duty of care; or,
(b) Profiling is strictly necessary to provide the online service, product, or feature requested by the minor and only with respect to the aspects of the online service, product, or feature with which a minor consumer is actively and knowingly engaged;
5) Use low-friction variable reward design features that encourage excessive and compulsive use by a minor, including but not limited to the use of addictive feeds;
6) Use dark patterns;
7) Permit an unknown adult to contact a minor on the online product, service, or feature without the minor first initiating that contact;
8) Permit a minor to be exploited by a contract on the online service, product or feature;
9) Provide targeted advertisements to minors;
10) Process information collected for the purpose of age estimation for any other purpose or use.
ii) A violation of this section constitutes a violation of the minimum duty of care as provided in Section (d) of this Act.
g) Rights and Freedoms of Minors
i) It is the intent of the [State Legislature] that nothing in this Act may be construed to infringe on the existing rights and freedoms of minors or be construed to discriminate against the minor based on race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, or national origin.
ii) Nothing in this Act shall be interpreted or construed to prevent or preclude any minor consumer from deliberately or independently searching for, or specifically requesting, content.
iii) Nothing in this Act may be interpreted or construed to impose liability in a manner that is inconsistent with 47 U.S.C. §230.
h) Enforcement
i) A violation of this Act is an unfair, abusive, or deceptive trade practice.
ii) A covered business that violates this subtitle is subject to a civil penalty not exceeding:
1) $2,500 per affected minor for each negligent violation; and,
2) $7,500 per affected minor for each intentional violation.
iii) The [Office of the Attorney General] shall have the same authority under this Act to make rules, conduct civil investigations, bring civil actions, and enter into assurances of discontinuance as provided under [State Consumer Protection Law].
iv) The [Office of the Attorney General] may request access to a covered business’s data risk assessments and data use transparency assessments.
1) Within 5 business days after receiving a written request from the [Office of the Attorney General], a covered business shall provide to the [Office of the Attorney General] a list of all data use transparency assessments or data risk assessments the covered business has completed under a) and b) of this Act.
2) Within 7 business days after receiving a written request from the [Office of the Attorney General], a covered business shall provide to the [Office of the Attorney General] any data use transparency assessment and any data risk assessments completed under a) and b) of this Act. The [Office of the Attorney General] may extend beyond 7 business days the amount of time allowed for a covered business to produce a data use transparency assessment or a data risk assessment.
3) To the extent that any disclosure required under this subsection includes information subject to attorney-client privilege or work-product protection, the disclosure may not constitute a waiver of that privilege or protection.
i) Definitions. As used in this Act:
i) “Addictive feed” means a website, online service, online application, or mobile application, or portion thereof, in which multiple pieces of media generated or shared by consumers of a website, online service, online application, or mobile application, either concurrently or sequentially, are recommended, selected, or prioritized for display to a consumer based, in whole or in part, on information associated with the consumer or the consumer’s device, unless any of the following conditions are met, alone or in combination with one another:
1) The recommendation, prioritization, or selection is based on information that is not persistently associated with the consumer or consumer’s device, and does not concern the consumer’s previous interactions with media generated or shared by other consumers;
2) The recommendation, prioritization, or selection is based on consumer-selected privacy or accessibility settings, or technical information concerning the consumer’s device;
3) The consumer expressly and unambiguously requested the specific media, media by the author, creator, or poster of media the consumer has subscribed to, or media shared by consumers to a page or group the consumer has subscribed to, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the consumer or the consumer’s device that is not otherwise permissible under this subdivision;
4) The consumer expressly acknowledges and unambiguously requested that specific media, media by a specified author, creator, or poster of media the consumer has subscribed to, or media shared to a page or group the consumer has subscribed to pursuant to paragraph 3) of this subsection, be blocked, prioritized, or deprioritized for display, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the consumer or the consumer’s device that is not otherwise permissible under this subdivision;
5) The media are direct and private communications;
6) The media is recommended, selected, or prioritized only in response to a specific search inquiry by the consumer;
7) The media recommended, selected, or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or,
8) The recommendation, prioritization, or selection is necessary to comply with the provisions of this article and any regulations promulgated pursuant to this article.
ii) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
iii) “Age estimation” means a process that estimates that a consumer is likely to be of a certain age, fall within an age range, or is over or under a certain age.
1) Age estimation methods include: analysis of behavioral and environmental data the covered business already collects about its consumers; comparing the way a consumer interacts with a device or with consumers of the same age; metrics derived from motion analysis; and testing a consumer’s capacity or knowledge.
2) Age estimation does not require certainty, and if a covered business estimates a consumer’s age for the purpose of advertising or marketing, that estimation may also be used to comply with this Act.
iv) “Artificial intelligence” means a machine-based system that infers, from the input it receives, how to generate outputs that can influence physical or virtual environments. Artificial intelligence may do this to achieve explicit or implicit objectives. Outputs can include predictions, content, recommendations, or decisions. Artificial intelligence systems vary in their levels of autonomy and adaptiveness after deployment.
v) “Age verification” means a system that relies on hard identifiers or verified sources of identification to confirm a consumer has reached a certain age, including government-issued identification or a credit card.
vi) “Collect” means to buy, rent, gather, obtain, receive, or access personal data relating to a consumer. Collect includes actively or passively receiving data from the consumer and observing the consumer’s behavior.
vii) “Consumer” means an individual who is a resident of the state. “Consumer” does not include an individual acting in a commercial or employment context or as an employer, an owner, a director, an officer, or a contractor of a company, partnership, sole proprietorship, nonprofit organization, or governmental unit whose communications or transactions with the covered business occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.
viii) “Dark pattern” means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice. “Dark pattern” includes any practice identified by the Federal Trade Commission as a dark pattern.
ix) “Default” means a preselected option adopted by the covered business for an online service, product, or feature.
x) “Deidentified” means data that cannot reasonably be used to infer information about, or a device linked to an individual consumer, provided that the covered business that possesses the data: takes reasonable measures to ensure that the data cannot be associated with a consumer; publicly commits to maintain and use the data only in a deidentified fashion and not attempt to reidentify the data; and contractually obligates any recipients of the data to comply with all provisions of this subsection.
xi) “Low-friction variable reward” means a design feature or virtual item that intermittently rewards consumers for scrolling, tapping, opening, or continuing to engage in an online service, product, or feature. Examples of low-friction variable reward designs include endless scroll, autoplay, and nudges meant to encourage reengagement.
xii) “Minor” means a consumer who is under 18 years of age.
xiii) “Online service, product, or feature” means a digital product that is accessible to the public via the internet, including a website or application. An “online service, product, or feature” may include a digital product that is based in part or in whole on artificial intelligence. An “online service, product, or feature” does not mean any of the following:
1) A telecommunications service, as defined in 47 U.S.C. §153;
2) A broadband internet access service as defined in 47 C.F.R. §54.400; or
3) The sale, delivery, or use of a physical product.
xiv) “Personal data” means any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more identified or identifiable individuals in a household. Personal data does not include deidentified data.
xv) “Precise geolocation” means any data that accurately identifies within a radius of 1,850 feet an individual’s present or past location or the present or past location of a device that links or is linkable to an individual or any data that is derived from a device that is used or intended to be used to locate an individual within a radius of 1,850 feet by means of technology that includes a global positioning system that provides latitude and longitude coordinates. “Precise geolocation” does not include the content of communications or any data generated or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
xvi) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise handling of personal data.
xvii) “Profile” or “profiling” means any form of automated processing of personal data to evaluate, analyze, or predict certain aspects relating to an individual, including an individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
xviii) “Reasonably likely to be accessed by minors” means it is reasonable to expect that the online product, service, or feature would be accessed by minors, based on satisfying any of the following criteria:
1) The business has actual knowledge that the consumer is a minor. For purposes of this Act, actual knowledge shall not be accomplished through age verification and may be accomplished through age estimation;
2) The business has knowledge fairly implied on the basis of objective circumstances that the consumer is a minor; or,
3) The online service, product, or feature is directed to children, as defined by the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506 and the Federal Trade Commission rules implementing that Act.
xix) “Sell” means to transfer, rent, release, disclose, disseminate, make available, or otherwise communicate, whether orally, in writing, or by electronic or other means, a consumer’s personal data, in a transaction for monetary or other valuable consideration between a covered business and a third party. “Sell” does not include:
1) The disclosure of personal data to the service provider that processes personal data on behalf of the covered business;
2) The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
3) The disclosure or transfer of personal data to an affiliate of the covered business;
4) The disclosure of personal data where the consumer directs the covered business to disclose the personal data or intentionally uses the covered business to interact with a third party; or,
5) The disclosure of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the covered business’s assets.
xx) “Service provider” means a person that processes personal data on behalf of a covered business and that receives from or on behalf of the covered business a consumer’s personal data for the business purposes in accordance with a written contract if the contract prohibits the person from:
1) Selling or sharing the personal data;
2) Retaining, using, or disclosing the personal data for any purpose other than for the business purposes specified in the contract for the covered business, including retaining, using, or disclosing the personal data for a commercial purpose other than the business purposes specified in the contract with the covered business, or as otherwise allowed under this Act;
3) Retaining, using, or disclosing the personal data outside the direct business relationship between the service provider and the covered business; and,
4) Combining the personal data that the service provider receives from, or on behalf of, the covered business with personal data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.
xxi) “Share” means to rent, release, disseminate, make available, transfer, or otherwise communicate, whether orally, in writing, or by electronic or other means, a consumer’s personal data to a third party for cross-context behavioral advertising whether or not for monetary or other valuable consideration, including in a transaction between a covered business and a third party for targeted advertising for the benefit of a covered entity in which no money is exchanged.
xxii) “Social media platform” means a public or semi-public internet-based service or application that is primarily intended to connect and allow a consumer to socially interact within such a service or application and enables a consumer to:
1) Construct a public or semi-public profile for the purposes of signing into and using such service or application;
2) Populate a public list of other consumers with whom the consumer shared a social connection within such service or application; or,
3) Create or post content that is viewable by other consumers, including content on message boards and in chat rooms, and that presents the consumer with content generated by other users.
4) “Social media platform” does not mean a public or semi-public internet-based service or application that:
(a) Exclusively provides electronic mail or direct messaging services; or,
(b) Primarily consists of news, sports, entertainment, electronic commerce, or content that is preselected by the provider for which any interactive functionality is incidental to, directly related to, or dependent on the provision of such content.
xxiii) “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interest. “Targeted advertising” does not include:
1) Advertisements based on activities within a covered business’s own Internet websites or online applications;
2) Advertisements based on the context of a consumer’s current search query, visit to an Internet website, or use of an online application;
3) Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or
4) Processing personal data solely to measure or report advertising frequency, performance, or reach.
xxiv) “Third party” means a person who is not the covered business with which the consumer intentionally interacts and that collects personal data from the consumer as part of the consumer’s interaction with the covered business; or a service provider for the covered business.
j) Severability
i) The provisions of this Act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.