119-hr3149

[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3149 Introduced in House

    (IH) ]

<DOC>

119th CONGRESS
 1st Session
 H. R. 3149

 To safeguard children by providing parents with clear and accurate 
information about the apps downloaded and used by their children and to 
 ensure proper parental consent is achieved, and for other purposes.

_______________________________________________________________________

 IN THE HOUSE OF REPRESENTATIVES

 May 1, 2025

 Mr. James (for himself and Mr. Bilirakis) introduced the following 
 bill; which was referred to the Committee on Energy and Commerce

_______________________________________________________________________

 A BILL

 To safeguard children by providing parents with clear and accurate 
information about the apps downloaded and used by their children and to 
 ensure proper parental consent is achieved, and for other purposes.

 Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``App Store 
Accountability Act''.

    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.

Sec. 2. Definitions.

Sec. 3. App store obligations.

Sec. 4. App developer obligations.

Sec. 5. Compliance.

Sec. 6. Enforcement by the Federal Trade Commission.

Sec. 7. Enforcement by States.

Sec. 8. Safe harbor.

Sec. 9. Preemption.

Sec. 10. Severability.

Sec. 11. Effective date.

SEC. 2. DEFINITIONS.

 In this Act:

    (1) Age category.--The term ``age category'' means the 
 category of an individual based on their age, including the 
 following categories:
        (A) Adult.--An ``adult'' is such an individual who 
 has attained 18 years of age.
        (B) Teenager.--A ``teenager'' is such an individual 
 who has attained 16 years of age but has not attained 
 18 years of age.
            (C) Child.--A ``child'' is such an individual who 
 has attained 13 years of age but has not attained 16 
 years of age.
            (D) Young child.--A ``young child'' is such an 
 individual who has not attained 13 years of age.

    (2) Age category data.--The term ``age category data'' 
 means information that identifies the age category of a user 
 and is collected by a covered app store provider and shared 
 with an app developer.

    (3) Age rating.--The term ``age rating'' means a publicly 
 displayed assessment of an app's appropriateness for different 
 age categories.

    (4) App.--The term ``app'' means a software application or 
 electronic service that may be run or directed by a user on a 
 computer, mobile device, or any other general purpose computing 
 device.

    (5) App developer.--The term ``app developer'' means any 
 person that owns or controls an app on the app store of a 
 covered app store provider and is available in the United 
 States.

    (6) App store.--The term ``app store'' means a publicly 
 available website, software application, or other electronic 
 service that distributes and facilitates the download onto a 
 mobile device of an app from a third-party developer by a user 
 of a computer, mobile device, or any other general purpose 
 computing device.

    (7) Commission.--The term ``Commission'' means the Federal 
 Trade Commission.

    (8) Covered app store provider.--The term ``covered app 
 store provider'' means any person that owns or controls an app 
 store available in the United States and for which users in the 
 United States exceed 5,000,000.

    (9) Know.--The term ``know'' means to have actual knowledge 
 or willful disregard.

    (10) Minor.--The term ``minor'' means an individual who has 
 not attained 18 years of age.

    (11) Mobile device.--The term ``mobile device'' means a 
 phone or general purpose tablet that provides cellular or 
 wireless connectivity, is capable of connecting to the 
 Internet, runs a mobile operating system, and is capable of 
 running apps through the mobile operating system.

    (12) Mobile operating system.--The term ``mobile operating 
 system'' means a set of software that manages mobile device 
 hardware resources, provides common services for mobile device 
 programs, controls memory allocation, and provides interfaces 
 for applications to access device functionality.

    (13) Parent.--The term ``parent'', with respect to a minor, 
 means an adult with the legal right to make decisions on behalf 
 of the minor, including--
        (A) a natural parent;
        (B) an adoptive parent;
            (C) a legal guardian; or
            (D) an individual with legal custody over the 
 minor.

    (14) Parental account.--The term ``parental account'' means 
 an account with a covered app store provider that is--
        (A) verified to be established by an individual who 
 the app store provider has determined is at least 18 
 years of age through the covered app store provider's 
 age verification method or process; and
        (B) affiliated with one or more account of a user 
 or prospective user who is a minor.

    (15) Parental consent disclosure.--The term ``parental 
 consent disclosure'' means the following information that is 
 provided to a parent before obtaining parental consent--
        (A) a description of--
            (i) the personal data collected by the app 
 from a user; and
            (ii) the personal data shared by the app 
 with a third party;
        (B) a description of the measures taken by the app 
 developer to protect the confidentiality of the user's 
 personal data;
            (C) if there is an age rating for the app or an in-
 app purchase, the app's or in-app purchase's age 
 rating; and
            (D) if there is a content description for the app 
 or in-app purchase, the app's or in-app purchase's 
 content description.

    (16) Personal data.--The term ``personal data'' has the 
 same meaning as the term ``personal information'' as defined in 
 

section 1302 of the Children's Online Privacy Protection Act 
 (15 U.S.C. 6501).

    (17) Signal.--The term ``signal'' means age bracketed data 
 sent by a real-time secure application programming interface or 
 operating system that is likely to be accessed by minors.

    (18) Significant change.--The term ``significant change'' 
 means a material modification of an app's terms of service or 
 privacy policy that--
        (A) changes the category of data collected or 
 stored;
        (B) changes the category of data shared with an 
 unaffiliated third party that is not a service provider 
 or processor;
            (C) alters the app's age rating or content 
 description;
            (D) adds new monetization features, including in-
 app purchases or advertisements; or
        (E) changes the app's user experience or 
 functionality in a manner that a reasonable individual 
 would view as material.

    (19) Verifiable parental consent.--The term ``verifiable 
 parental consent'' means authorization that is provided--
        (A) by a parental account;
        (B) in response to a clear and conspicuous parental 
 content disclosure; and
            (C) signifies a parent's freely given, specific, 
 informed, and unambiguous agreement.

SEC. 3. APP STORE OBLIGATIONS.

    (a) In General.--Each covered app store provider shall--

    (1) at the time an individual creates an account with the 
 covered app store provider--
        (A) request age information from the individual; 
 and
        (B) verify the individual's age category using a 
 commercially available method or process that is 
 reasonably designed to ensure accuracy;

    (2) if the age verification method or process determines 
 the individual is a minor--
        (A) require the account to be affiliated with a 
 parental account; and
        (B) obtain verifiable parental consent from the 
 holder of the affiliated parental account before 
 allowing the minor to download or purchase an app or 
 make an in-app purchase;

    (3) after receiving notice of a significant change from an 
 app developer--
        (A) notify the user of a significant change; and
        (B) for a minor account, notify the holder of the 
 affiliated parental account and obtain a new verifiable 
 parental consent;

    (4) provide to an app developer the user's age category and 
 the status of verified parental consent if the user is a minor;

    (5) notify an app developer when a parent revokes 
 verifiable parental consent;

    (6) protect the confidentiality of personal data related to 
 age verification by--
        (A) limiting its collection, processing, and 
 storage to what is strictly necessary to verify a 
 user's age, obtain verifiable parental consent, or 
 maintain compliance records; and
        (B) safeguarding personal data related to age 
 verification by adopting reasonable administrative, 
 technical, and physical safeguards to secure the 
 collection, processing, storage, and transmission of 
 this data, including through industry-standard 
 encryption;

    (7) if a covered app store provider displays an age rating 
 or description of an app's content, the age rating and 
 description must be clearly and prominently displayed and be in 
 plain and concise language; and

    (8) provide to an app developer the ability to determine, 
 in real time, the age category of any user and, with respect to 
 any user that is a minor, whether the covered app store 
 provider has obtained verifiable parental consent.

    (b) Rules of Construction.--Nothing in this section shall be 
construed--

    (1) to prevent a covered app store provider from taking 
 reasonable measures to block, detect, or prevent the 
 distribution of unlawful or obscene material to minors, to 
 block or filter spam, to prevent criminal activity, or to 
 protect the security of an app store or app;

    (2) to require a covered app store provider to disclose to 
 an app developer information other than such user's age 
 category and, with respect to any user that is a minor, whether 
 the covered app store provider has obtained verifiable parental 
 consent in accordance with this section;

    (3) to allow a covered app store provider to use any 
 measures required by this section in a way that is arbitrary, 
 capricious, anti-competitive, or unlawful; or

    (4) to affect or restrict the expression of political, 
 religious, or other viewpoints.

SEC. 4. APP DEVELOPER OBLIGATIONS.

    (a) In General.--An app developer shall--

    (1) verify through a covered app store's method or process 
 the age category of the app developer's users or potential 
 users and, for a minor account, whether verifiable parental 
 consent has been obtained;

    (2) notify a covered app store provider of a significant 
 change to the app; and

    (3) request age category data or verifiable parental 
 consent--
        (A) at the time a potential app user downloads or 
 purchases an app;
        (B) when the app developer implements a significant 
 change to the app; or
            (C) to comply with an applicable law or regulation.

    (b) App Developer Requests.--An app developer may request age 
category data or verifiable parental consent--

    (1) no more than once during each 12-month period to verify 
 the accuracy of user age verification data or continued account 
 use within the verified age category;

    (2) when there is reasonable suspicion of account transfer 
 or misuse outside the verified age category; or

    (3) at the time a user creates a new account with the app 
 developer.
            (c) Permissible Uses.--An app developer may use age category data 
to--

    (1) enforce any app developer-created age-related 
 restrictions;

    (2) ensure compliance with applicable laws and regulations; 
 and

    (3) implement any app developer-created features or 
 defaults.
            (d) Restrictions.--An app developer may not--

    (1) enforce a contract or terms of service against a minor 
 unless the app developer has verified through the covered app 
 store provider that verifiable parental consent has been 
 obtained;

    (2) knowingly misrepresent any material information in the 
 parental consent disclosure; or

    (3) share age category data with an unaffiliated third 
 party that is not a service provider or processor.

    (e) App Age Rating.--If an app developer provides an age rating or 
description of an app's content to a covered app store or user, the age 
rating or description must be in plain and concise language.

    (f) Covered App Store Provider Signal.--

    (1) In general.--Each app developer shall use a covered app 
 store provider's signal to determine the age category of a 
 user.

    (2) Rule of construction.--Receipt of a covered app store 
 provider's signal serves as actual knowledge of a user's age 
 category.

SEC. 5. COMPLIANCE.

    (a) Guidance.--

    (1) In general.--Not later than 1 year after the date of 
 enactment of this Act, the Commission shall issue guidance to 
 assist covered app store providers and app developers in 
 complying with the requirements of this Act.

    (2) Limitations.--
        (A) No conferring of rights or binding effect.--Any 
 guidance issued by the Commission with respect to this 
 Act shall not confer any rights on any person, State, 
 or locality, nor shall such guidance operate to bind 
 the Commission or any person to the approach 
 recommended in such guidance.
        (B) Basis of enforcement actions.--In any 
 enforcement action brought pursuant to this Act, the 
 Commission shall allege a specific violation of a 
 provision of this Act. The Commission may not base an 
 enforcement action on, or execute a consent order based 
 on, practices that are alleged to be inconsistent with 
 any such guidelines, unless the practices allegedly 
 violate sections 3 or 4.

    (b) Mechanism To Certify Compliance.--

    (1) In general.--The Commission shall--
        (A) establish a mechanism, in such form and manner 
 as the Commission determines is appropriate, for any 
 covered app store provider to submit a request for the 
 Commission to review their policies relevant to the 
 requirements under 

section 3; and
        (B) not later than 30 days after receiving such a 
 request--
            (i) review such policies to determine 
 whether the covered app store provider that 
 submitted such request is compliant with such 
 requirements; and
            (ii) if the Commission determines that such 
 provider is compliant with such requirements 
 and does not permit or is able to quickly 
 remedy any method of circumventing such 
 requirements, submit to Congress and make 
 publicly available on the website of the 
 Commission a notice certifying that such 
 provider is compliant with such requirements.

    (2) Notification of significant changes.--If a covered app 
 store provider that the Commission certifies is compliant with 
 the requirements of 

section 3 makes a significant change to any 
 policy of such provider that is relevant to such requirements, 
 such provider shall notify the Commission of such change to 
 ensure that the change does not impact the certification of 
 compliance under paragraph

    (1) .

    (3) Period of eligibility.--A certification of compliance 
 under paragraph

    (1) shall be valid for 1 year after the date of 
 the issuance of such certification.
            (c) Complaints.--

    (1) In general.--The Commission shall establish a mechanism 
 to receive complaints regarding the compliance of any covered 
 app store provider with the requirements described in 

section 3.

    (2) Review.--The Commission shall regularly review any 
 complaints received through the mechanism described in 
 paragraph

    (1) and, if necessary, evaluate the covered app store 
 provider's certification of compliance under subsection

    (b)

    (1) .

SEC. 6. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    (a) Unfair or Deceptive Acts or Practices.--A violation of this Act 
or a regulation promulgated thereunder shall be treated as a violation 
of a rule defining an unfair or deceptive act or practice under 

section 18

    (a)

    (1)
        (B) of the Federal Trade Commission Act (15 U.S.C. 
57a

    (a)

    (1)
        (B) ).

    (b) Powers of the Commission.--

    (1) In general.--The Commission shall enforce this Act in 
 the same manner, by the same means, and with the same 
 jurisdiction, powers, and duties as though all applicable terms 
 and provisions of the Federal Trade Commission Act (15 U.S.C. 
 41 et seq.) were incorporated into and made a part of this Act.

    (2) Privileges and immunities.--Any person who violates 
 this Act or a regulation promulgated thereunder shall be 
 subject to the penalties and entitled to the privileges and 
 immunities provided in the Federal Trade Commission Act (15 
 U.S.C. 41 et seq.).

    (3) Authority preserved.--Nothing in this Act shall be 
 construed to limit the authority of the Commission under any 
 other provision of law.

SEC. 7. ENFORCEMENT BY STATES.

    (a) In General.--

    (1) Civil actions.--In any case in which the attorney 
 general of a State has reason to believe that an interest of 
 the residents of that State has been or is threatened or 
 adversely affected by the engagement of any person in a 
 practice that violates this Act, the State, as parens patriae, 
 may bring a civil action on behalf of the residents of the 
 State in a district court of the United States of appropriate 
 jurisdiction to--
        (A) enjoin that practice;
        (B) enforce compliance with the regulation;
            (C) obtain damages, restitution, or other 
 compensation on behalf of residents of the State; or
            (D) obtain such other relief as the court may 
 consider to be appropriate.

    (2) Notice.--
        (A) In general.--Before filing an action under 
 paragraph

    (1) , the attorney general of the State 
 involved shall provide to the Commission--
            (i) a written notice of that action; and
            (ii) a copy of the complaint for that 
 action.
        (B) Exemption.--
            (i) In general.--Subparagraph
        (A) shall not 
 apply with respect to the filing of an action 
 by an attorney general of a State under this 
 subsection, if the attorney general determines 
 that it is not feasible to provide the notice 
 described in that subparagraph before the 
 filing of the action.
            (ii) Notification.--In an action described 
 in clause
            (i) , the attorney general of a State 
 shall provide notice and a copy of the 
 complaint to the Commission at the same time as 
 the attorney general files the action.

    (b) Intervention.--

    (1) In general.--On receiving notice under subsection

    (a)

    (2) , the Commission shall have the right to intervene in the 
 action that is the subject of the notice.

    (2) Effect of intervention.--If the Commission intervenes 
 in an action under subsection

    (a) , it shall have the right--
        (A) to be heard with respect to any matter that 
 arises in that action; and
        (B) to file a petition for appeal.
            (c) Construction.--For purposes of bringing any civil action under 
subsection

    (a) , nothing in this chapter shall be construed to prevent 
an attorney general of a State from exercising the powers conferred on 
the attorney general by the laws of that State to--

    (1) conduct investigations;

    (2) administer oaths or affirmations; or

    (3) compel the attendance of witnesses or the production of 
 documentary and other evidence.
            (d) Actions by the Commission.--In any case in which an action is 
instituted by or on behalf of the Commission for a violation of this 
Act, no State may, during the pendency of that action, institute an 
action under subsection

    (a) against any defendant named in the 
complaint in that action for such violation.

    (e) Venue; Service of Process.--

    (1) Venue.--Any action brought under subsection

    (a) may be 
 brought in the district court of the United States that meets 
 applicable requirements relating to venue under 

section 1391 of 
 title 28, United States Code.

    (2) Service of process.--In an action brought under 
 subsection

    (a) , process may be served in any district in which 
 the defendant--
        (A) is an inhabitant; or
        (B) may be found.

SEC. 8. SAFE HARBOR.

    (a) In General.--An app developer is deemed not liable for a 
violation of this Act if the app developer demonstrates it has--

    (1) relied in good faith on age verification data provided 
 by a covered app store provider or it obtained a signal from a 
 covered app store provider that indicates the user is a minor;

    (2) complied with the requirements of 

section 4; and

    (3) reasonably conforms to widely accepted industry 
 standards or best practices, or to standards or best practices 
 identified by the Commission, for age ratings and app content 
 descriptions and applies those standards or best practices 
 consistently and in good faith.

    (b) Limitations.--The safe harbor described in this section applies 
only to actions brought under this Act and does not limit the liability 
of an app developer under any other applicable law.

SEC. 9. PREEMPTION.

    (a) In General.--No State or political subdivision of a State may 
maintain, enforce, prescribe, or continue in effect any law, rule, 
regulation, requirement, standard, or other provision having the force 
and effect of law of any State, or political subdivision of a State, 
related to the provisions of this Act.

    (b) Rule of Construction.--Nothing in this subsection shall be 
construed as preempting, displacing, or supplanting contract or tort 
law.

SEC. 10. SEVERABILITY.

 If any provision of this Act, or the application thereof to any 
person or circumstance, is held invalid, the remainder of this Act, and 
the application of such provision to other persons not similarly 
situated or to other circumstances, shall not be affected by the 
invalidation.

SEC. 11. EFFECTIVE DATE.

 Except as otherwise provided in this Act, this Act shall take 
effect on the date that is 1 year after the date of enactment of this 
Act.
 <all>