Bill Text

Bill Information


Bill PDF |Add To My Favorites | print page

SB-845 Let Parents Choose Protection Act of 2023.(2023-2024)

SHARE THIS: share this bill in Facebook share this bill in Twitter
Date Published: 04/17/2023 09:00 PM
SB845:v98#DOCUMENT

Amended  IN  Senate  April 17, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Senate Bill
No. 845

Introduced by Senator Stern

February 17, 2023

An act to add Chapter 22.2.8 (commencing with Section 22588.5) to Division 8 of the Business and Professions Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 845, as amended, Stern. Let Parents Choose Protection Act of 2023.
Existing law establishes various online privacy rights for minors, including prohibiting the operator of an internet website, online service, online application, or mobile application from marketing or advertising specified types of products or services to a minor, and requires an operator to permit a registered user who is a minor to remove content or information posted.
This bill, beginning July 1, 2024, would require large social media platform providers, as defined, to create, maintain, and make available to specified third-party safety software providers a set of third-party-accessible application programming interfaces to allow a third-party safety software provider, upon authorization by a child 13 years of age or older, or a parent or legal guardian of a child, to manage monitor a child’s online interactions, content, and account settings and initiate secure transfers of the child’s user data for these purposes, as provided. The bill would prohibit the third-party safety software provider from disclosing user data unless specified exceptions apply, and would authorize the child or the parent or legal guardian, as applicable, to revoke the authorization with the third-party safety software provider or disable registration the account with the large social media provider.
The bill would require the third-party safety software provider to register with the Attorney General’s office as a condition of accessing an application programming interface from a large social media platform provider, and would require the Attorney General to affirm that the third-party safety software provider meets specified requirements, including that it is solely engaged in the business of internet safety. The bill would also require a large social media platform to register with the Attorney General’s office within 30 days of meeting specified requirements, including that it enables a child to share images, text, or video through the internet with other users of the service, as provided, and has more than 100,000,000 monthly global active users or generates more than $1,000,000,000 in gross revenue per year, as provided. The bill would require the Attorney General to post both registration lists on its internet website, and to establish processes to deregister third-party safety software providers and large social media platform providers if certain criteria is met.
The bill would provide that a large social media platform provider is not liable for damages arising out of the transfer of user data to a third-party safety software provider in accordance with these provisions if the large social media platform provider has in good faith complied with specified requirements.
The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.
This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Chapter 22.2.8 (commencing with Section 22588.5) is added to Division 8 of the Business and Professions Code, to read:
CHAPTER  22.2.8. Let Parents Choose Protection Act of 2023

22588.5.
 This chapter shall be known, and may be cited, as the “Let Parents Choose Protection Act of 2023” or “Sammy’s Law of 2023.”

22588.5.1.
 (a) The Legislature finds and declares all of the following:
(1) Parents and legal guardians should be empowered to use the services of third-party safety software providers to protect their children from certain harms on large social media platforms.
(2) Dangers like cyberbullying, human trafficking, illegal drug distribution, sexual harassment, and violence perpetrated, facilitated, or exacerbated through the use of certain large social media platforms have harmed children on those platforms.
(b) It is the intent of the Legislature to require large social media platform providers to create, maintain, and make available to third-party safety software providers a set of real-time application programming interfaces, through which a child or a parent or legal guardian of a child may delegate permission to a third-party safety software provider to manage the child’s online interactions, content, and account settings on the large social media platform on the same terms as the child, and for other purposes.

22588.5.2.
 For purposes of this chapter, the following definitions shall apply:
(a) “Child” means any individual under 17 years of age who has registered an account with a large social media platform.
(b) (1) “Large social media platform” means a service that meets all of the following:
(A) Is provided through an internet website or a mobile application, or both.
(B) The terms of service do not prohibit the use of the service by a child.
(C) The service includes features that enable a child to share images, text, or video through the internet with other users of the service whom the child has met, identified, or become aware of solely through the use of the service.
(D) The service has more than 100,000,000 monthly global active users or generates more than one billion dollars ($1,000,000,000) in gross revenue per year, adjusted yearly for inflation, or both.
(2) “Large social media platform” does not include any of the following:
(A) A service that primarily serves to facilitate the sale or provision of professional services or the sale of commercial products.
(B) A service that primarily serves to provide news or information and the service does not offer the ability for content to be sent by a user directly to a child.
(C) A service that has features that enable a user who communicates directly with a child through a message, including a text, audio, or video message, not otherwise available to other users of the service, to add other users to that message that the child may not have otherwise met, identified, or become aware of solely through the use of the service and does not have any features described in subparagraph (C) of paragraph (1).
(c) “Large social media platform provider” means any person who, for commercial purposes, provides, manages, operates, or controls a large social media platform.
(d) “Third-party safety software provider” means any person who, for commercial purposes, is authorized by a child, if the child is 13 years of age or older, or a parent or legal guardian of a child, to interact with a large social media platform to manage the child’s online interactions, content, or account settings for the sole purpose of protecting the child from harm, including physical or emotional harm.
(e) “User data” means any information needed to have a profile on a large social media platform or content on a large social media platform, including images, video, audio, or text, that is created by or sent to a child on or through the child’s account with that platform, and the information or content is created by or sent to the child while a delegation under Section 22588.5.4 is in effect with respect to the account. Information shall only be considered “user data” for 30 days, beginning on the date on which the information or content is created by or sent to the child.

22588.5.3.
 (a) The Attorney General shall administer and enforce this chapter.
(b) Before July 1, 2024, the Attorney General shall issue guidance on all both of the following:

(1)Assisting large social media platform providers and third-party safety software providers with compliance with this chapter.

(2)

(1) Facilitating a third-party safety software provider’s ability to obtain user data or access under Section 22588.5.4 in a way that ensures that a request for user data or access on behalf of a child is a verifiable request.

(3)

(2) For large social media platform providers and third-party safety software providers, maintaining reasonable safety standards to protect user data.

(c)Before July 1, 2024, the Attorney General’s office shall educate consumers regarding their rights under this chapter.

(d)

(c) The Attorney General shall make publicly available on the internet website a list of the third-party safety software providers registered under Section 22588.5.5, a list of the large social media platforms registered under Section 22588.5.6, and a list of the third-party safety software providers deregistered under Section 22588.5.5.

(e)The Attorney General shall biannually assess compliance by large social media platform providers and third-party safety software providers with the provisions of this chapter.

(f)The Attorney General shall establish procedures under which a child or the child’s parent or legal guardian, a large social media platform provider, or a third-party safety software provider may file a complaint alleging that a large social media platform provider or a third-party safety software provider has violated this chapter.

(g)

(d) The Attorney General may adopt regulations to implement this chapter. The adoption, amendment, repeal, or readoption of a regulation authorized by this section is deemed to address an emergency, for purposes of Sections 11346.1 and 11349.6 of the Government Code, and the Attorney General is hereby exempted for this purpose from the requirements of subdivision (b) of Section 11346.1 of the Government Code.

22588.5.4.
 (a) Before August 1, 2024, or within 30 days after a service becomes a large social media platform, as applicable, the large social media platform provider shall create, maintain, and make available to any third-party safety software provider registered with the Attorney General pursuant to Section 22588.5.5 a set of third-party-accessible real time application programming interfaces, including any information necessary to use the interfaces, by which a child, if the child is 13 years of age or older, or a parent or legal guardian of a child, may delegate permission to the third-party safety software provider to do both of the following:
(1) Manage Monitor the child’s online interactions, content, and account settings on the large social media platform on the same terms as the child. platform.
(2) Initiate secure transfers of user data from the large social media platform in a commonly used and machine-readable format to the third-party safety software provider, and the frequency of the transfers may not be limited by the large social media platform provider to less than once per hour.
(b) Once a child or a parent or legal guardian of a child makes a delegation under subdivision (a), the large social media platform provider shall make the application programming interfaces and information described in such paragraphs available to the third-party safety software provider on an ongoing basis until one of the following applies:
(1) The child, if the child made the delegation, delegation is revoked by the child or the child’s parent or legal guardian of the child revokes the delegation. guardian.
(2) The child or a parent or legal guardian of the child revokes or disables the registration of the account of the child with the large social media platform. child’s account is disabled with the large social media platform.
(3) The third-party safety software provider rejects the delegation.
(4) One or more of the affirmations made by the third-party safety software provider under Section 22588.5.5 is no longer true.
(c) A large social media platform provider shall establish and implement reasonable policies, practices, and procedures regarding the secure transfer of user data pursuant to a delegation under subdivision (a) from the large social media platform to a third-party safety software provider in order to mitigate any risks related to user data.
(d) If a delegation is made by a child or a parent or legal guardian of a child under subdivision (a) with respect to the account of the child with a large social media platform, the large social media platform provider shall do all of the following:
(1) Disclose to the child and, if the parent or legal guardian made the delegation, the parent or legal guardian the fact that the delegation has been made.
(2) Provide to the child and, if the parent or legal guardian made the delegation, the parent or legal guardian a summary of what user data is being transferred to the third-party safety software provider.
(3) Update Provide any update to the summary provided under paragraph (2) as necessary to reflect any change to what user data is being transferred to the third-party safety software provider.
(e) (1) A third-party safety software provider shall not disclose any user data obtained under this section to any person except as follows:
(A) Pursuant to a lawful request from a government body, including for law enforcement purposes or for judicial or administrative proceedings by means of a court order or a court ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
(B) To the extent that the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of that law.
(C) To the child, or a parent or legal guardian of the child, who made a delegation under Section 22588.5.4 and whose data is at issue, or with the explicit and express consent of that child or a parent or legal guardian of the child. issue. The disclosure shall be limited, by a good faith effort on the part of the third-party safety software provider, only to the user data strictly sufficient for a reasonable parent or caregiver to understand that the child is at foreseeable risk or currently experiencing any of the following harms:
(i) Suicide.
(ii) Anxiety.
(iii) Depression.
(iv) Eating disorders.
(v) Violence, including being the victim of or planning to commit or facilitate battery as defined by Section 242 of the Penal Code and assault defined by Section 240 of the Penal Code.
(vi) Substance abuse.
(vii) Fraud.
(viii) Human trafficking as defined by Section 236.1 of the Penal Code.
(ix) Sexual abuse.
(x) Physical injury.
(xi) Harassment, including hate-based harassment, sexual harassment, and stalking as defined by Section 646.9 of the Penal Code.
(xii) Exposure to “harmful matter” as defined by Section 313 of the Penal Code.
(xiii) Communicating with a terrorist organization defined under Section 219 of the federal Immigration and Nationality Act.
(xiv) Academic dishonesty, including cheating, plagiarism, or other forms of academic dishonesty that are intended to gain an unfair academic advantage.
(xv) Sharing personal information limited to:
(I) Home address.
(II) Telephone number.
(III) Social security number.
(IV) Personal banking information.
(D) In the case of a reasonably foreseeable serious and imminent threat to the health or safety of any individual, if the disclosure is made to a person or persons reasonably able to prevent or lessen the threat.

(E)To a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

(2) A third-party safety software provider that makes a disclosure permitted under this subdivision shall promptly inform the child, and if a parent or legal guardian of the child made the delegation, the parent or legal guardian, that such a disclosure has been or will be made, unless one of the following applies: made.

(A)The third-party safety software provider, in the exercise of professional judgment, believes informing the child or parent or legal guardian would place the child at risk of serious harm.

(B)The third-party safety software provider is prohibited by law, including a valid order by a court or administrative body, from informing the child or parent or legal guardian.

22588.5.5.
 (a) A third-party safety software provider shall register with the Attorney General’s office as a condition of accessing an application programming interface and any information or use data pursuant to Section 22588.5.4.
(b) The registration shall require the third-party safety software provider to affirm that the third-party safety software provider meets all of the following requirements:

(1)Is a company doing business in the State of California.

(2)

(1) Is solely engaged in the business of internet safety.

(3)

(2) Will use any user data obtained under Section 22588.5.4 solely for the purpose of protecting a child from any harm.

(4)

(3) Will only disclose user data obtained under Section 22588.5.4 as permitted by that section.

(5)

(4) Will disclose, in an easy-to-understand, readable format, to each child with respect to whose account with a large social media platform the service of the third-party safety software provider is operating and, if a parent or legal guardian of the child made the delegation under Section 22588.5.4 with respect to the account, and to the parent or legal guardian, sufficient information detailing the operation of the service and what information the third-party safety software provider is collecting to enable the child and, if applicable, and the parent or legal guardian to make informed decisions regarding the use of the service.
(c) Within 30 days after there is any change to an affirmation made under subdivision (a) by a third-party safety software provider that is registered under subdivision (a), the provider shall notify both of the following of the change:
(1) The Attorney General.
(2) Each child with respect to whose account with a large social media platform the service of the third-party safety software provider is operating and, if a parent or legal guardian of the child made the delegation under Section 22588.5.4 with respect to the account, the parent or legal guardian.
(d) (1) The Attorney General shall establish a process to may deregister a third-party safety software provider that the Attorney General determines meets any of the following: if it is determined that the provider has violated or misrepresented the affirmations made under subdivision (b) or has not notified the Attorney General, a child, or a parent or legal guardian of a child, of a change to an affirmation as required by subdivision (c).

(A)Has violated or misrepresented the affirmations made under subdivision (b).

(B)Has not notified the Attorney General, a child, or a parent or legal guardian of a child of a change to such an affirmation as required by subdivision (c).

(2) If the Attorney General deregisters a third-party safety software provider under paragraph (1), the Attorney General shall notify each large social media platform provider of the deregistration of the third-party safety software provider and the specific reason for the deregistration.
(3) A large social media platform provider that receives a notification from the Attorney General under paragraph (2) that the Attorney General has deregistered a third-party safety software provider pursuant to paragraph (1) shall notify each child with respect to whose account with the large social media platform the service of the third-party safety software provider was operating and, if a parent or legal guardian of the child made the delegation under Section 22588.5.4 with respect to the account, the parent or legal guardian of the deregistration of the third-party safety software provider and the specific reason for the deregistration provided by the Attorney General.

22588.5.6.
 (a) Before August 1, 2024, or within 30 days after a service becomes a large social media platform, as applicable, the large social media platform provider of the platform shall register the platform with the Attorney General by submitting to the Attorney General a statement indicating that the platform is a large social media platform.
(b) The Attorney General shall establish a process to deregister a service registered under subdivision (a) if the service is no longer a large social media platform. The Attorney General shall permit the person who provides, manages, operates, or controls a service registered under subdivision (a) to submit to the Attorney General information indicating that the service is no longer a large social media platform.

22588.5.7.
 In any civil action, other than an action brought by the Attorney General, a large social media platform provider shall not be held liable for damages arising out of the transfer of user data to a third-party safety software provider in accordance with this chapter, if the large social media platform provider has in good faith complied with the requirements of this chapter and the guidance issued by the Attorney General in accordance with this act.

22588.5.8.
 This chapter shall become operative on July 1, 2024.

SEC. 2.

 The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.