BUSINESS AND COMMERCE CODE


TITLE 11. PERSONAL IDENTITY INFORMATION


SUBTITLE A. IDENTIFYING INFORMATION


Chapter 509, consisting of Secs. 509.001 to 509.152, was added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01.


For another Chapter 509, consisting of Secs. 509.001 to 509.010, added by Acts 2023, 88th Leg., R.S., Ch. 963 (S.B. 2105), Sec. 1, see Sec. 509.001 et seq., post.


CHAPTER 509. USE OF DIGITAL SERVICES BY MINORS


SUBCHAPTER A. GENERAL PROVISIONS


Sec. 509.001. DEFINITIONS. In this chapter:

(1) "Digital service" means a website, an application, a program, or software that collects or processes personal identifying information with Internet connectivity.

(2) "Digital service provider" means a person who:

(A) owns or operates a digital service;

(B) determines the purpose of collecting and processing the personal identifying information of users of the digital service; and

(C) determines the means used to collect and process the personal identifying information of users of the digital service.

(3) "Harmful material" has the meaning assigned by Section 43.24, Penal Code.

(4) "Known minor" means a person that a digital service provider knows to be a minor.

(5) "Minor" means a child who is younger than 18 years of age who has not had the disabilities of minority removed for general purposes.

(6) "Personal identifying information" means any information, including sensitive information, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous information when the information is used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual. The term does not include deidentified information or publicly available information.

(7) "Verified parent" means the parent or guardian of a known minor whose identity and relationship to the minor have been verified by a digital service provider under Section 509.101.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.002. APPLICABILITY. (a) Except to the extent that Section 509.057 applies to any digital service provider, this chapter applies only to a digital service provider who provides a digital service that:

(1) connects users in a manner that allows users to socially interact with other users on the digital service;

(2) allows a user to create a public or semi-public profile for purposes of signing into and using the digital service; and

(3) allows a user to create or post content that can be viewed by other users of the digital service, including sharing content on:

(A) a message board;

(B) a chat room; or

(C) a landing page, video channel, or main feed that presents to a user content created and posted by other users.

(b) This chapter does not apply to:

(1) a state agency or a political subdivision of this state;

(2) a financial institution or data subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);

(3) a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5);

(4) a small business as defined by the United States Small Business Administration on September 1, 2024;

(5) an institution of higher education;

(6) a digital service provider who processes or maintains user data in connection with the employment, promotion, reassignment, or retention of the user as an employee or independent contractor, to the extent that the user's data is processed or maintained for that purpose;

(7) an operator or provider regulated by Subchapter D, Chapter 32, Education Code, that primarily provides education services to students or educational institutions;

(8) a person subject to the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g) that:

(A) operates a digital service; and

(B) primarily provides education services to students or educational institutions;

(9) a digital service provider's provision of a digital service that facilitates e-mail or direct messaging services, if the digital service facilitates only those services; or

(10) a digital service provider's provision of a digital service that:

(A) primarily functions to provide a user with access to news, sports, commerce, or content primarily generated or selected by the digital service provider; and

(B) allows chat, comment, or other interactive functionality that is incidental to the digital service.

(c) Unless an Internet service provider, Internet service provider's affiliate or subsidiary, search engine, or cloud service provider is responsible for the creation of harmful material or other content described by Section 509.053(a), the Internet service provider, Internet service provider's affiliate or subsidiary, search engine, or cloud service provider is not considered to be a digital service provider or to offer a digital service if the Internet service provider or provider's affiliate or subsidiary, search engine, or cloud service provider solely provides access or connection, including through transmission, download, intermediate storage, access software, or other service, to an Internet website or to other information or content:

(1) on the Internet; or

(2) on a facility, system, or network not under the control of the Internet service provider, provider's affiliate or subsidiary, search engine, or cloud service provider.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS


Sec. 509.051. DIGITAL SERVICE PROVIDER DUTY TO REGISTER AGE OF USER. (a) A digital service provider may not enter into an agreement with a person to create an account with a digital service unless the person has registered the person's age with the digital service provider.

(b) A person who registers the person's age as younger than 18 years of age is considered to be a known minor to the digital service provider until after the person's 18th birthday.

(c) A digital service provider may not allow a person who registers the person's age to alter the person's registered age, unless the alteration process involves a commercially reasonable review process.

(d) A minor is considered to be a known minor to a digital service provider if:

(1) the minor registers the minor's age under Section 509.051 as younger than 18 years of age; or

(2) the minor's parent or guardian, including a verified parent:

(A) notifies a digital service provider that the minor is younger than 18 years of age;

(B) successfully disputes the registered age of the minor; or

(C) performs another function of a parent or guardian under this chapter.

(e) If a minor is a known minor, or if the minor's parent or guardian, including a verified parent, takes an action under Subsection (a), a digital service provider:

(1) is considered to have actual knowledge that the minor is younger than 18 years of age; and

(2) shall treat the minor as a known minor under this chapter.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.052. DIGITAL SERVICE PROVIDER DUTIES RELATING TO AGREEMENT WITH MINOR. Unless a verified parent provides otherwise under Section 509.102, a digital service provider that enters into an agreement with a known minor for access to a digital service:

(1) shall:

(A) limit collection of the known minor's personal identifying information to information reasonably necessary to provide the digital service; and

(B) limit use of the known minor's personal identifying information to the purpose for which the information was collected; and

(2) may not:

(A) allow the known minor to make purchases or engage in other financial transactions through the digital service;

(B) share, disclose, or sell the known minor's personal identifying information;

(C) use the digital service to collect the known minor's precise geolocation data; or

(D) use the digital service to display targeted advertising to the known minor.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.053. DIGITAL SERVICE PROVIDER DUTY TO PREVENT HARM TO KNOWN MINORS. (a) In relation to a known minor's use of a digital service, a digital service provider shall develop and implement a strategy to prevent the known minor's exposure to harmful material and other content that promotes, glorifies, or facilitates:

(1) suicide, self-harm, or eating disorders;

(2) substance abuse;

(3) stalking, bullying, or harassment; or

(4) grooming, trafficking, child pornography, or other sexual exploitation or abuse.

(b) A strategy developed under Subsection (a):

(1) must include:

(A) creating and maintaining a comprehensive list of harmful material or other content described by Subsection (a) to block from display to a known minor;

(B) using filtering technology and other protocols to enforce the blocking of material or content on the list under Paragraph (A);

(C) using hash-sharing technology and other protocols to identify recurring harmful material or other content described by Subsection (a);

(D) creating and maintaining a database of keywords used for filter evasion, such as identifiable misspellings, hash-tags, or identifiable homoglyphs;

(E) performing standard human-performed monitoring reviews to ensure efficacy of filtering technology;

(F) making available to users a comprehensive description of the categories of harmful material or other content described by Subsection (a) that will be filtered; and

(G) except as provided by Section 509.058, making available the digital service provider's algorithm code to independent security researchers; and

(2) may include:

(A) engaging a third party to rigorously review the digital service provider's content filtering technology;

(B) participating in industry-specific partnerships to share best practices in preventing access to harmful material or other content described by Subsection (a); or

(C) conducting periodic independent audits to ensure:

(i) continued compliance with the digital service provider's strategy; and

(ii) efficacy of filtering technology and protocols used by the digital service provider.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.054. DIGITAL SERVICE PROVIDER DUTY TO CREATE PARENTAL TOOLS. (a) A digital service provider shall create and provide to a verified parent parental tools to allow the verified parent to supervise the verified parent's known minor's use of a digital service.

(b) Parental tools under this section must allow a verified parent to:

(1) control the known minor's privacy and account settings;

(2) alter the duties of a digital service provider under Section 509.052 with regard to the verified parent's known minor;

(3) if the verified parent alters the duty of a digital service provider under Section 509.052(2)(A), restrict the ability of the verified parent's known minor to make purchases or engage in financial transactions; and

(4) monitor and limit the amount of time the verified parent's known minor spends using the digital service.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.055. DIGITAL SERVICE PROVIDER DUTIES REGARDING ADVERTISING AND MARKETING. A digital service provider shall make a commercially reasonable effort to prevent advertisers on the digital service provider's digital service from targeting a known minor with advertisements that facilitate, promote, or offer a product, service, or activity that is unlawful for a minor in this state to use or engage in.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.056. USE OF ALGORITHMS. A digital service provider that uses algorithms to automate the suggestion, promotion, or ranking of information to known minors on the digital service shall:

(1) make a commercially reasonable effort to ensure that the algorithm does not interfere with the digital service provider's duties under Section 509.053; and

(2) disclose in the digital service provider's terms of service, privacy policy, or similar document, in a clear and accessible manner, an overview of:

(A) the manner in which the digital service uses algorithms to provide information or content;

(B) the manner in which algorithms promote, rank, or filter information or content; and

(C) the personal identifying information used as inputs to provide information or content.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.057. DIGITAL SERVICE PROVIDER DUTY AS TO HARMFUL MATERIAL. (a) A digital service provider as defined by Section 509.001 that knowingly publishes or distributes material, more than one-third of which is harmful material or obscene as defined by Section 43.21, Penal Code, must use a commercially reasonable age verification method to verify that any person seeking to access content on or through the provider's digital service is 18 years of age or older.

(b) If a person seeking to access content on or through the digital service of a provider for which age verification is required under this section is not 18 years of age or older, the digital service provider may not enter into an agreement with the person for access to the digital service.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.058. PROTECTION OF TRADE SECRETS. Nothing in this subchapter may be construed to require a digital service provider to disclose a trade secret.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.059. USE OF KNOWN MINOR'S PERSONAL IDENTIFYING INFORMATION FOR CERTAIN PURPOSES. Nothing in this subchapter may be construed to prevent a digital service provider from collecting, processing, or sharing a known minor's personal identifying information in a manner necessary to:

(1) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a governmental entity;

(2) comply with a law enforcement investigation;

(3) detect, block, or prevent the distribution of unlawful, obscene, or other harmful material to a known minor;

(4) block or filter spam;

(5) prevent criminal activity; or

(6) protect the security of a digital service.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

SUBCHAPTER C. VERIFIED PARENTS


Sec. 509.101. VERIFICATION OF PARENT OR GUARDIAN. (a) A digital service provider shall verify, using a commercially reasonable method and for each person seeking to perform an action on a digital service as a minor's parent or guardian:

(1) the person's identity; and

(2) the relationship of the person to the known minor.

(b) A digital service provider shall provide a process by which a person who has been verified under Subsection (a) as the parent or guardian of a known minor may participate in the digital service as the known minor's verified parent as provided by this chapter.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.102. POWERS OF VERIFIED PARENT. (a) A verified parent is entitled to alter the duties of a digital service provider under Section 509.052 with regard to the verified parent's known minor.

(b) A verified parent is entitled to supervise the verified parent's known minor's use of a digital service using tools provided by a digital service provider under Section 509.054.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.103. ACCESS TO KNOWN MINOR'S PERSONAL IDENTIFYING INFORMATION. (a) A known minor's verified parent may submit a request to a digital service provider to:

(1) review and download any personal identifying information associated with the minor in the possession of the digital service provider; and

(2) delete any personal identifying information associated with the minor collected or processed by the digital service provider.

(b) A digital service provider shall establish and make available on the digital service provider's digital service a method by which a known minor's parent or guardian may make a request for access under this section.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.104. MINOR IN CONSERVATORSHIP OF DEPARTMENT OF FAMILY AND PROTECTIVE SERVICES. If a minor is in the conservatorship of the Department of Family and Protective Services, the department may designate the minor's caregiver or a member of the department's staff to perform the functions of the minor's parent or guardian under this chapter.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

SUBCHAPTER D. ENFORCEMENT


Sec. 509.151. DECEPTIVE TRADE PRACTICE; ENFORCEMENT BY ATTORNEY GENERAL. A violation of this chapter is a deceptive act or practice actionable under Subchapter E, Chapter 17, solely as an enforcement action by the consumer protection division of the attorney general's office.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.

Sec. 509.152. PRIVATE CAUSE OF ACTION. (a) Except as provided by Subsection (b), this chapter may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter.

(b) If a digital service provider violates this chapter, the parent or guardian of a known minor affected by that violation may bring a cause of action seeking:

(1) a declaratory judgment under Chapter 37, Civil Practice and Remedies Code; or

(2) an injunction against the digital service provider.

(c) A court may not certify an action brought under this section as a class action.

Added by Acts 2023, 88th Leg., R.S., Ch. 795 (H.B. 18), Sec. 2.01, eff. September 1, 2024.