A bill

 

TO AMEND THE SOUTH CAROLINA CODE OF LAWS BY ADDING CHAPTER 80 TO TITLE 39 SO AS TO PROVIDE THAT A COVERED ONLINE SERVICE SHALL TAKE CARE IN THE USE OF A MINOR'S PERSONAL DATA AND IN THE DESIGN AND IMPLEMENTATION OF THE SERVICE TO PREVENT HARM TO MINORS, TO PROVIDE THAT THE ONLINE SERVICE MUST PROVIDE MINORS WITH EASILY ACCESSIBLE TOOLS TO LIMIT TIME SPENT ON THE SERVICE AND PROTECT PERSONAL DATA, TO PROVIDE LIMITS ON HOW MUCH OF A MINOR'S DATA THE SERVICE MAY COLLECT AND RESTRICT THE USE OF SUCH DATA, TO PROVIDE THAT ONLINE SERVICES MUST OFFER PARENTS TOOLS TO HELP THEM PROTECT MINORS USING THE SERVICE AND TO ENABLE THEM TO REPORT HARMS TO MINORS ON ONLINE SERVICES, TO PROVIDE THAT ONLINE SERVICES MUST ISSUE A PUBLIC REPORT ON THE SERVICE'S PRACTICES PERTAINING TO MINORS, AND TO DEFINE NECESSARY TERMS.

 

Be it enacted by the General Assembly of the State of South Carolina:

 

SECTION 1.  Title 39 of the S.C. Code is amended by adding:

 

CHAPTER 80

 

Age-Appropriate Code Design

 

    Section 39-80-10.  As used in this chapter:

    (1) "Child" means a consumer who is less than thirteen years of age.

    (2) "Compulsive usage" means the persistent and repetitive use of a covered online service that substantially limits one or more of a child's major life activities, including, but not limited to, sleeping eating, learning, reading, concentrating, communicating, or working.

    (3) "Covered design feature" means any feature or component of a covered online service that will encourage or increase a child's frequency, time-spent, or activity on a covered online service, including but not limited to:

       (a) infinite scroll;

       (b) rewards or incentives for the frequency of visits, time spent on, or participation in activities on the covered online service;

       (c) notifications and push alerts;

       (d) in-game purchases; or

       (e) appearance altering filters.

    (4)(a) "Covered online service" means:

           (i) a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that owns, operates, controls, or provides an online service that conducts business in this State, is reasonably likely to accessed by a child, determines the purposes and means of the processing of consumer's personal data alone, or jointly with its affiliates, subsidiaries, or parent company;

           (ii) the online service conducts business in the State;

           (iii) the online service is reasonably likely to be accessed by minors;

           (iv) alone, or jointly with its affiliates or subsidiaries or parent companies, the online service determines the purposes and means of the processing of consumers' personal data; and

           (v) the online service either:

               (A) has annual gross revenues in excess of twenty-five million dollars, adjusted every odd-numbered year to reflect changes in the Consumer Price Index;

               (B) annually buys, receives, sells, or shares the personal data of fifty thousand or more consumers, households, or devices alone or in combination with its affiliates, subsidiaries, or parent company; or

               (C) derives at least fifty percent of its annual revenue from the sale or sharing of consumers' personal data; and

        (b) "Covered online services" include:

           (i) an entity that controls or is controlled by a business that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned; and

           (ii) a joint venture or partnership composed of businesses in which each business has at least a forty percent interest in the joint venture or partnership.

    (5) "Know to be a minor" means the covered online service has actual knowledge that a particular consumer is a minor. For purposes of this act, actual knowledge includes all information and inferences known to the covered online service relating to the age of the individual, including, but not limited to, self-identified age, and including any age the covered online service has attributed or associated with the individual for any purpose, including, but not limited to, marketing advertising, or product development purposes.

    (6) "Minor" means a consumer who is less than eighteen years of age.

    (7) "Online service" means a digital product that is accessible to the public on the internet, including, but not limited to, a website or application. An Online Service may include a digital product that is based in part or in whole on artificial intelligence. "Online Service" does not mean any of the following:

       (a) a telecommunications service, as defined in 47 U.S.C. § 153;

       (b) a broadband internet access service as defined in 47 C.F.R. § 54.400; or

       (c) the sale, delivery, or use of a physical product.

    (8) "Personal data" means any information, including derived data and unique identifiers, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable individual or to a device that identifies, is linked to, or is reasonably linkable to one or more

identified or identifiable individuals in a household.

    (9) "Personalized recommendation system" means a fully or partially automated system used to suggest, promote, or rank content, including other users, hashtags, or posts, based on the users' personal data.

    (10)(a) "Precise geolocation information" means any data that accurately identifies a minor's present or past location within a radius of one thousand one hundred eighty feet, the present or past location of a device that links or is linkable to a minor, or any data that is derived from a device that is used or intended to be used to locate a minor within a radius of one thousand one hundred eighty feet by means of technology that includes a global positioning system that provides latitude and longitude coordinates.

       (b) "Precise geolocation information" does not include the content of communications or any data generated or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

    (11) "Process" means the performance of an operation, or a set of operations, by manual or automated means on personal data, including, but not limited to collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.

    (12) "Profile" means any form of automated processing of personal data to evaluate, analyze, or predict certain aspects relating to a minor, including, but not limited to a minor's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

    (13)(a) "Publicly available data" means data that is lawfully made available from federal, state, or local government records, or data that a business has a reasonable basis to believe is lawfully made available to the general public by the individual or from widely distributed media; or data made available by a person to whom the individual has disclosed the data if the individual has not restricted the data to a specific audience.

       (b) "Publicly available data" does not mean biometric data collected by a covered online service about a minor without the minor's knowledge.

    (14)(a) "Reasonably likely to be accessed by a minor" means it is reasonable to expect that the covered online service would be accessed by an individual minor or by minors based on the covered online service's reasonable knowledge that:

           (i) the individual is known to the covered online service to be a minor; or

           (ii) the covered online service is directed to minors as defined by the Children's Online Privacy Protection Act, 15 U.S.C. Sections 6501-6506 and the Federal Trade Commission rules implementing that act.

        (b) Where subitem (a)(i) is met, the covered online service must treat the particular individual as a minor. Where subitem (a0(ii) is met, the covered online service must treat all individuals using or visiting the covered online service as minors, except where the covered online service has actual knowledge, as defined in subsection (5), that the individual is not a minor.

    (15) "Sensitive personal data" means personal data that reveals:

       (a) an individual's social security number, driver's license, state identification card, or passport number;

       (b) an individual's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

       (c) an individual's racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership;

       (d) the contents of an individual's mail, email, and text messages unless the business is the intended recipient of the communication;

       (e) an individual's genetic data;

       (f) biometric data for the purpose of uniquely identifying an individual;

       (g) personal data collected and analyzed concerning an individual's health; or

       (h) personal data collected and analyzed concerning an individual's sex life, gender identity, or sexual orientation.

    (16)(a) "Targeted advertising" means displaying advertisements to an individual where the advertisement is selected based on personal data obtained or inferred from that individual's activities over time and across nonaffiliated websites or online applications to predict the individual's preferences or interest.

        (b) "Targeted advertising" does not include:

           (i) advertisements based on activities within a covered online service's own internet websites or online applications;

           (ii) advertisements based on the context of an individual's current search query, visit to an internet website, or use of an online application;

           (iii) advertisements directed to an individual in response to the individual's request for information or feedback; or

           (iv) processing personal data solely to measure or report advertising frequency, performance, or reach.

    (17) "User" means an individual who registers an account or creates a profile on a covered online service.

 

    Section 39-80-20.  (A) A covered online service shall exercise reasonable care in the use of a minor's personal data and the design and operation of the covered online service, including, but not limited to, covered design features, to prevent the following harms to minors:

       (1) compulsive usage of the covered online service;

       (2) severe psychological harm, including, but not limited to, anxiety, depression, self harm and suicidal ideations;

       (3) severe emotional distress;

       (4) highly offensive intrusions on the minor's reasonable privacy expectations;

       (5) identity theft;

       (6) discrimination against the minor on the basis of race, ethnicity, sex, disability, sexual orientation, gender identity, gender expression, or national origin; and

       (7) material financial or physical injury.

    (B) Harms defined in this section are limited to those for which liability is permitted under 47 U.S.C § 230, including as that provision is amended or repealed in the future.

    (C) Nothing in this section shall be construed to require a covered online service to prevent or preclude any user from deliberately and independently searching for or specifically requesting content, or accessing resources and information, regarding the prevention or mitigation of the harms described in this section.

    (D) The provisions contained in this chapter do not apply to:

       (1) a federal, state, tribal, or local government entity in the ordinary course of its operations;

       (2) personal data that a covered online service is required to collect in order to comply with:

           (a) Title V of the federal Gramm-Leach-Bliley Act;

           (b) the federal Health Information Technology for Economic and Clinical Health Act; or

           (c) regulations promulgated pursuant to § 264(C) of the Health Insurance Portability and Accountability Act of 1996;

       (3) information, including, but not limited to, personal data collected as part of a clinical trial subject to the federal policy for the protection of human subjects pursuant to human subject protection requirements of the U.S. Food and Drug Administration.

 

    Section 39-80-30.  (A) A covered online service must provide a user or visitor to the service with easily accessible and easy to use tools to:

       (1) limit other users or visitors to the service to communicate with the minor;

       (2) prevent other users from viewing the minor's personal data;

       (3) control the operation of covered design features by allowing minors to opt out of the use of all covered design features or entire categories of covered designed features;

       (4) control personalized recommendation systems by allowing minors to opt-in to a chronological feed or by preventing entire categories of content from being recommended;

       (5) control the use of in-game purchases and other transactions by allowing minors to opt-out of all purchases and transactions or to place limits on purchases and transactions; and

       (6) restrict the sharing of the minor's precise geolocation information and provide notice when the minor's precise geolocation information is being tracked.

    (B) A covered online service must provide accessible, easy to use options to limit the amount of time a minor spends on the covered online service to each user that the covered online service knows to be a minor.

    (C) A covered online service must establish, implement, and maintain default settings for the safeguards described in subsection (A) that provide the most protection available for the safety of a user or visitor that the covered online service knows is a minor.

 

    Section 39-80-40.  (A) Covered online services shall only collect the minimum amount of a minor's personal data necessary to provide the covered online service with which a minor has knowingly engaged. Such personal data may not be used for reasons other than those for which it was collected. Minors' Personal Data collected for age verification or estimation cannot be used for other purposes and must be deleted after use.

    (B) Covered online services may not facilitate targeted advertising to minors.

    (C) Precise geolocation information of minors cannot be collected by default unless necessary to the provision of the covered online service. An obvious notice to the minor must be provided when precise geolocation information is being collected or used.

    (D) The use of notifications and push alerts to an individual the covered online service knows is a minor by covered online services is prohibited between the hours of ten p.m. and six a.m. seven days a week year-round and between the months of August and May between the hours of 8:00 a.m. and 3:00 p.m. Monday through Friday in the minor's local time zone.

    (E) A covered online service shall not profile a minor, unless:

       (1) it can demonstrate that it has appropriate safeguards in place to prevent profiling that would violate the covered online service's minimum duty of care; or

       (2) profiling is necessary to the provision of the covered online service with which a minor has knowingly engaged and is limited to only that profiling that is necessary.

    (F) Settings for the protections required under this section must be set at the highest level of protection by default.

    (G) If a covered online service allows parental monitoring, then it must provide obvious notice to the minor when they are being monitored.

 

    Section 39-80-50.  (A) Covered online services must provide parents with tools to help parents protect and support minors using the covered online services and these shall be on by default where the user is a child.

    (B) The parental tools provided by the covered online services shall provide to the parents the ability to:

       (1) manage the child's account settings and change and control the child's privacy and account settings; and

       (2) restrict a minor's purchases and other financial transactions.

    (C) Among the parental tools provided by covered online services shall be one to enable parents to view the total time spent on a covered online service by a user the covered online service knows is a minor and allow the parent to place reasonable limits on the minor's use of the covered online service. The parental tools provided by covered online services must also offer parents the ability to restrict a child's use of the covered online service the during times of day specified by the parents, including during school hours and at night.

    (D) Covered online services must notify a minor when any of the tools described in this section are in effect and what settings have been applied.

 

    Section 39-80-60.  (A) Covered online services shall establish mechanisms for parents, minors, and schools to report harms to minors on covered online services, especially those harms that pose an imminent threat to a minor.

    (B) Covered online services are prohibited from facilitating ads directed to minors for products prohibited for minors including, but not limited to, narcotic drugs, tobacco products, gambling, and alcohol to users the covered online services know are minors.

    (C) Covered online services are prohibited from using dark patterns to obscure, subvert, or impair user autonomy, decision-making, or choice with respect to the safeguards or parental controls in this chapter.

    (D) Each covered online service that utilizes personalized recommendation systems is required to describe in its terms and conditions, in a clear, conspicuous, and easy to understand manner, how the systems are used to provide information to minors and information regarding how minors or their parents can opt out of or control the systems.

    (E) Covered online services are required to provide comprehensive, clear, conspicuous, and easy to understand information in a prominent location describing the design safety for minors, the privacy protections for minors, and the parental tools that the covered online service has adopted pursuant to this chapter. Such disclosure must also include a clear, conspicuous, and easy to understand explanation of how minors and parents may utilize those design safety measures, privacy protections, and tools.

 

    Section 39-80-70.  (A) Annually, on or before July first, the covered online service must issue a public report prepared by an independent third-party auditor that contains a detailed description of the covered online service as it pertains to minors, including its covered design features, its use of personal data, and its business practices as they pertain to minors. The public report must be submitted to the Attorney General who shall post it in a prominent place on his internet website. Each report must include:

       (1) the purpose of the covered online service;

       (2) the extent to which the covered online service is likely to be accessed by minors and accessed by a child;

       (3) an accounting of the number of users the covered online service knows to be minors and an accounting of how much time the minors spend on the covered online service. The accounting must be in the aggregate for all minors and also divided into one category for children and one category for minors between the ages of thirteen and eighteen;

       (4) an accounting of the total number and types of reports generated pursuant to Section 39-80-60(A) and assessment of how those reports were handled, if known;

       (5) whether, how, and for what purpose the covered online services collects or processes minors' sensitive personal data;

       (6) the design safety for minors, the privacy protections for minors, and the parental tools that the covered online entity has adopted;

       (7) whether and how the covered online service uses covered designed features;

       (8) the covered online service's process for handling data access, deletion, and correction requests for a minor's data;

       (9) age verification or estimation methods used; and

       (10) description of algorithms used by the covered online service.

    (B) Independent auditors that prepare reports required under this section are required to follow inspection and consultation practices designed to ensure that reports are comprehensive and accurate, and that the reports are be prepared in consultation with experts on minors' use of covered online services.

    (C) Covered online services are required to provide independent auditors that prepare reports required under this section full and complete cooperation, access to information and operations required to ensure that the report is comprehensive and accurate.

 

    Section 39-80-80.  (A) The Attorney General shall enforce the provisions contained in this chapter.

    (B) A covered online service shall be liable for treble the financial damages incurred as a result of a violation of this chapter.

    (C) The officers and employees of a covered online service may be held personally liable for willful and wonton violations of this chapter.

 

SECTION 2.  The requirements of this act are in addition to and shall not limit or restrict in any way the application of other laws, including, but not limited to, statutes, regulations, and common law of this State. In the event of a conflict between this act and one or more other laws, the law that affords the greatest protection to minors shall control.

 

SECTION 3.  If any section, subsection, paragraph, subparagraph, sentence, clause, phrase, or word of this act is for any reason held to be unconstitutional or invalid, such holding shall not affect the constitutionality or validity of the remaining portions of this act, the General Assembly hereby declaring that it would have passed this act, and each and every section, subsection, paragraph, subparagraph, sentence, clause, phrase, and word thereof, irrespective of the fact that any one or more other sections, subsections, paragraphs, subparagraphs, sentences, clauses, phrases, or words hereof may be declared to be unconstitutional, invalid, or otherwise ineffective.

 

SECTION 4.  This act takes effect upon approval by the Governor.

----XX----