A bill

 

TO AMEND THE SOUTH CAROLINA CODE OF LAWS BY ADDING CHAPTER 31 TO TITLE 37 SO AS TO PROVIDE DEFINITIONS; PROVIDE THAT LARGE SOCIAL MEDIA PLATFORM PROVIDERS SHALL CREATE, MAINTAIN, AND MAKE AVAILABLE TO ANY THIRD-PARTY SAFETY SOFTWARE PROVIDER A SET OF THIRD-PARTY ACCESSIBLE REAL TIME APPLICATION PROGRAMMING INTERFACES; PROVIDE FOR REGISTRATION; PROVIDE FOR GUIDANCE FOR THIRD-PARTY SAFETY SOFTWARE PROVIDERS; PROVIDE FOR GUIDANCE FOR LARGE SOCIAL MEDIA PLATFORMS; PROVIDE FOR CERTAIN EXEMPTIONS FROM LIABILITY; PROVIDE FOR THE DISCLOSURE OF DATA; AND PROVIDE FOR ENFORCEMENT.

 

Be it enacted by the General Assembly of the State of South Carolina:

 

SECTION 1.  Title 37 of the S.C. Code is amended by adding:

 

CHAPTER 31

 

Third-Party Safety Software Providers

 

    Section 37-31-10.  As used in this chapter:

       (1) "Child" means any individual under the age of seventeen years who has registered an account with a large social media platform.

       (2) "Commerce" has the same meaning given in section 4 of the Federal Trade Commission Act (15 U.S.C. 44).

       (3) "Department" means the South Carolina Department of Consumer Affairs.

       (4)(a) "Large social media platform" means a service:

               (i) provided through an internet website or a mobile application, or both;

               (ii) the terms of service of which do not prohibit the use of the service by a child;

               (iii) with any features that enable a child to share images, text, or video through the internet with other users of the service whom the child has met, identified, or become aware of solely through the use of the service; and

               (iv) that has more than one hundred million monthly global active users or generates more than one billion dollars in gross revenue each year, adjusted yearly for inflation.

           (b) The term "large social media platform" does not include:

               (i) a service that primarily serves to facilitate the sale or provision of professional services or the sale of commercial products or to provide news or information where the service does not offer the ability for content to be sent by a user directly to a child; or

               (ii) a service that has a feature that enables a user who communicates directly with a child through a message, including a text, audio, or video message, not otherwise available to other users of the service to add other users to that message that the child may not have otherwise met, identified, or become aware of solely through the use of the service and does not have any features described in subitem (a).

       (5) "Large social media platform provider" means any person who, for commercial purposes in or affecting commerce, provides, manages, operates, or controls a large social media platform.

       (6) "Third-party safety software provider" means any person who, for commercial purposes in or affecting commerce, is authorized by a child, if the child is thirteen years of age or older, or a parent or legal guardian of a child, to interact with a large social media platform to manage the online interactions, content, or account settings of the child for the sole purpose of protecting the child from harm, including physical or emotional harm.

       (7) "User data" means any information needed to have a profile on a large social media platform or content on a large social media platform, including images, video, audio, or text, that is created by or sent to a child on or through the account of the child with such platform, but only if the information or content is created by or sent to the child while a delegation pursuant to Section 37-31-20 is in effect with respect to the account and during a thirty-day period beginning on the date on which the information or content is created by or sent to the child.

 

    Section 37-31-20.  (A) Before January 1, 2026, in the case of a service that is a large social media platform, or not later than thirty days after a service becomes a large social media platform, in the case of a service that becomes a large social media platform after January 1, 2026, the large social media platform provider shall create, maintain, and make available to any third-party safety software provider registered with the department pursuant to Section 37-31-30 a set of third-party-accessible real time application programming interfaces, including any information necessary to use the interfaces, by which a child, if the child is thirteen years of age or older, or a parent or legal guardian of a child, may delegate permission to the third-party safety software provider to:

       (1) manage the online interactions, content, and account settings of the child on the large social media platform on the same terms as the child; and

       (2) initiate secure transfers of user data from the large social media platform in a commonly used and machine-readable format to the third-party safety software provider, where the frequency of the transfers may not be limited by the large social media platform provider to less than once each hour.

    (B) Once a child or a parent or legal guardian of a child makes a delegation pursuant to subsection (A), the large social media platform provider shall make the application programming interfaces and information described in subsection (A) available to the third-party safety software provider on an ongoing basis until:

       (1) the child, if the child made the delegation, or the parent or legal guardian of the child revokes the delegation;

       (2) the child or a parent or legal guardian of the child revokes or disables the registration of the account of the child with the large social media platform;

       (3) the third-party safety software provider rejects the delegation; or

       (4) one or more of the affirmations made by the third-party safety software provider pursuant to Section 37-31-30(A) is no longer true.

    (C) A large social media platform provider shall establish and implement reasonable policies, practices, and procedures regarding the secure transfer of user data pursuant to a delegation pursuant to subsection (A) from the large social media platform to a third-party safety software provider to mitigate any risks related to user data.

    (D) In the case of a delegation made by a child or a parent or legal guardian of a child pursuant to subsection (A) with respect to the account of the child with a large social media platform, the large social media platform provider shall:

       (1) disclose to the child and, if the parent or legal guardian made the delegation, the parent or legal guardian the fact that the delegation has been made;

       (2) provide to the child and, if the parent or legal guardian made the delegation, the parent or legal guardian a summary of the user data that is transferred to the third-party safety software provider; and

       (3) update the summary provided pursuant to item (2) as necessary to reflect any change to the user data that is transferred to the third-party safety software provider.

 

    Section 37-31-30.  (A) A third-party safety software provider shall register with the department as a condition of accessing an application programming interface and any information pursuant to Section 37-31-20. Registration requires the third-party safety software provider to affirm that the third-party safety software provider:

       (1) is a company based in the United States;

       (2) is solely engaged in the business of internet safety;

       (3) will use any user data obtained pursuant to Section 37-31-20 solely for the purpose of protecting a child from harm;

       (4) will only disclose user data obtained pursuant to Section 37-31-20 as permitted by Section 37-31-70; and

       (5) will disclose, in an easy-to-understand, human-readable format, to each child with respect to whose account with a large social media platform the service of the third-party safety software provider is operating and, if a parent or legal guardian of the child made the delegation pursuant to Section 37-31-20 with respect to the account, to the parent or legal guardian, sufficient information detailing the operation of the service and what information the third party safety software provider is collecting to enable the child and, if applicable, the parent or legal guardian to make informed decisions regarding the use of the service.

    (B) Not later than thirty days after the date on which there is a change to an affirmation made pursuant to subsection (A) by a third-party safety software provider that is registered pursuant to subsection (A), the provider shall notify the following about the change:

       (1) the department; and

       (2) each child with respect to whose account with a large social media platform the service of the third-party safety software provider is operating and, if a parent or legal guardian of the child made the delegation pursuant to subsection (A) with respect to the account, the parent or legal guardian.

    (C) The department shall establish a process to deregister a third-party safety software provider that the department determines:

       (1) has violated or misrepresented the affirmations made pursuant to subsection (A); or

       (2) has not notified the department, a child, or a parent or legal guardian of a child of a change to such an affirmation as required by subsection (B).

    (D)(1) If the department deregisters a third-party safety software provider pursuant to subsection (C), the department shall notify each large social media platform provider of:

           (a) the deregistration of the third-party safety software provider; and

           (b) the specific reason for the deregistration.

       (2) A large social media platform provider that receives a notification from the department pursuant to item (1) that a third-party safety software provider has been deregistered by the department pursuant to subsection (C) shall notify each child with respect to whose account with the large social media platform the service of the third-party safety software provider was operating and, if a parent or legal guardian of the child made the delegation pursuant to Section 37-31-20 with respect to the account, the parent or legal guardian of:

           (a) the deregistration of the third-party safety software provider; and

           (b) the specific reason for the deregistration provided by the department pursuant to item (1)(b).

    (E) Before January 1, 2026, in the case of a service that is a large social media platform on such date or not later than thirty days after a service becomes a large social media platform, in the case of a service that becomes a large social media platform after January 1, 2026, the large social media platform provider of the platform shall register the platform with the department by submitting to the department a statement indicating that the platform is a large social media platform.

    (F) The department shall establish a process to deregister a service registered pursuant to subsection (E) if the service is no longer a large social media platform. The department shall permit the person who provides, manages, operates, or controls a service registered pursuant to subsection (E) to submit to the department information indicating that the service is no longer a large social media platform.

    (G) The department shall make publicly available on the internet website of the department a list of the third-party safety software providers registered pursuant to subsection (A), a list of the large social media platforms registered pursuant to subsection (B), and a list of the third-party safety software providers deregistered by the department pursuant to subsection (C).

 

    Section 37-31-40.  Before July 1, 2026, the department shall issue guidance to facilitate the ability of a third-party safety software provider to obtain user data or access pursuant to Section 37-31-20 in a manner that ensures that a request for user data or access on behalf of a child is a verifiable request.

 

    Section 37-31-50.  Before July 1, 2026, the department shall issue guidance for large social media platform providers and third-party safety software providers regarding the maintenance of reasonable safety standards to protect user data and educate consumers regarding the rights of consumers pursuant to this section

 

    Section 37-31-60.  In any civil action in federal or state court, other than an action brought by the department, a large social media platform provider may not be held liable for damages arising out of the transfer of user data to a third-party safety software provider pursuant to Section 37-31-20 if the large social media platform provider has in good faith complied with the requirements of this chapter and the guidance issued by the department.

 

    Section 37-31-70.  (A) A third-party safety software provider may not disclose any user data obtained pursuant to Section 37-31-20 to any other person except:

       (1) pursuant to a lawful request from a government body, including law enforcement purposes or for judicial or administrative proceedings by means of a court order or a court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena;

       (2) to the extent that a disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of the law;

       (3) to the child or a parent or legal guardian of the child who made a delegation pursuant to Section 37-31-20 and whose data is at issue, with the third-party safety software provider making a good faith effort to ensure that the disclosure includes only the user data necessary for a reasonable parent or caregiver to understand that the child is experiencing, or is at a foreseeable risk to experience, the following harms:

           (a) suicide;

           (b) anxiety;

           (c) depression;

           (d) eating disorders;

           (e) violence, including being the victim of or planning to commit or facilitate assault;

           (f) substance abuse;

           (g) fraud;

           (h) severe forms of trafficking in persons, as defined in Section 103 of the Trafficking Victims Protection Act of 2000 (22 U.S.C. 7102);

           (i) sexual abuse;

           (j) physical injury;

           (k) harassment;

           (l) sexually explicit conduct or child pornography, as defined in 18 U.S.C. 2256;

           (m) terrorism, as defined in Section 140 (d) of the Foreign Relations Authorization Act, Fiscal Years 1988 and 1989 (22 U.S.C. 2656f(d)), including communications with or in support of a foreign terrorist organization, as designated by the Secretary of State pursuant to Section 219(a) of the Immigration and Nationality Act (8 U.S.C. 1189(a));

           (n) academic dishonesty, including cheating, plagiarism, and other forms of academic dishonesty that are intended to gain an unfair academic advantage; and

           (o) sharing personal information, limited to:

               (i) home address;

               (ii) phone number;

               (iii) social security number; and

               (iv) personal banking information;

       (4) in the case of a reasonably foreseeable serious and imminent threat to the health or safety of any individual, if the disclosure is made to a person or persons reasonably able to prevent or lessen the threat; or

       (5) to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

    (B) A third-party safety software provider that makes a disclosure permitted by items (A)(1), (2), (4), or (5) promptly shall inform the child with respect to whose account with a large social media platform the delegation was made pursuant to Section 37-31-20 and, if a parent or legal guardian of the child made the delegation, the parent or legal guardian that the disclosure has been or will be made, except if:

       (1) the third-party safety software provider, in the exercise of professional judgment, believes informing the child or parent or legal guardian would place the child at risk of serious harm; or

       (2) the third-party safety software provider is prohibited by law, including a valid order by a court or administrative body, from informing the child or parent or legal guardian.

 

    Section 37-31-80.  (A)(1) A violation of this chapter is a violation of the South Carolina Unfair Trade Practices Act.

       (2) The department shall enforce this chapter in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the South Carolina Unfair Trade Practices Act were incorporated into and made a part of this chapter.

       (3) Any person who violates this chapter is subject to the penalties and entitled to the privileges and immunities provided in the South Carolina Unfair Trade Practices Act.

       (4) Nothing in this chapter may be construed to limit the authority of the department under any other provision of law.

    (B) Before July 1, 2026, the department shall issue guidance to assist large social media platform providers and third-party safety software providers in complying with this chapter.

    (C) The department, on a biannual basis, shall assess compliance by large social media platform providers and third-party safety software providers with the provisions of this chapter.

    (D) The department shall establish procedures under which a child, or the parent or legal guardian of the child, a large social media platform provider, or a third-party safety software provider may file a complaint alleging that a large social media platform provider or a third-party safety software provider has violated this chapter.

SECTION 2.  This act takes effect upon approval by the Governor.

----XX----