H.B. No. 18
 
 
 
 
AN ACT
  relating to the protection of minors from harmful, deceptive, or
  unfair trade practices in connection with the use of certain
  digital services and electronic devices, including the use and
  transfer of electronic devices to students by a public school.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
  ARTICLE 1. SHORT TITLE
         SECTION 1.01.  This Act may be cited as the Securing Children
  Online through Parental Empowerment (SCOPE) Act.
  ARTICLE 2. USE OF DIGITAL SERVICES BY MINORS
         SECTION 2.01.  Subtitle A, Title 11, Business & Commerce
  Code, is amended by adding Chapter 509 to read as follows:
  CHAPTER 509. USE OF DIGITAL SERVICES BY MINORS
  SUBCHAPTER A. GENERAL PROVISIONS
         Sec. 509.001.  DEFINITIONS. In this chapter:
               (1)  "Digital service" means a website, an application,
  a program, or software that collects or processes personal
  identifying information with Internet connectivity.
               (2)  "Digital service provider" means a person who:
                     (A)  owns or operates a digital service;
                     (B)  determines the purpose of collecting and
  processing the personal identifying information of users of the
  digital service; and
                     (C)  determines the means used to collect and
  process the personal identifying information of users of the
  digital service.
               (3)  "Harmful material" has the meaning assigned by
  Section 43.24, Penal Code.
               (4)  "Known minor" means a person that a digital
  service provider knows to be a minor.
               (5)  "Minor" means a child who is younger than 18 years
  of age who has not had the disabilities of minority removed for
  general purposes.
               (6)  "Personal identifying information" means any
  information, including sensitive information, that is linked or
  reasonably linkable to an identified or identifiable individual.
  The term includes pseudonymous information when the information is
  used by a controller or processor in conjunction with additional
  information that reasonably links the information to an identified
  or identifiable individual. The term does not include deidentified
  information or publicly available information.
               (7)  "Verified parent" means the parent or guardian of
  a known minor whose identity and relationship to the minor have been
  verified by a digital service provider under Section 509.101.
         Sec. 509.002.  APPLICABILITY. (a) Except to the extent that
  Section 509.057 applies to any digital service provider, this
  chapter applies only to a digital service provider who provides a
  digital service that:
               (1)  connects users in a manner that allows users to
  socially interact with other users on the digital service;
               (2)  allows a user to create a public or semi-public
  profile for purposes of signing into and using the digital service;
  and
               (3)  allows a user to create or post content that can be
  viewed by other users of the digital service, including sharing
  content on:
                     (A)  a message board;
                     (B)  a chat room; or
                     (C)  a landing page, video channel, or main feed
  that presents to a user content created and posted by other users.
         (b)  This chapter does not apply to:
               (1)  a state agency or a political subdivision of this
  state;
               (2)  a financial institution or data subject to Title
  V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
               (3)  a covered entity or business associate governed by
  the privacy, security, and breach notification rules issued by the
  United States Department of Health and Human Services, 45 C.F.R.
  Parts 160 and 164, established under the Health Insurance
  Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d
  et seq.), and the Health Information Technology for Economic and
  Clinical Health Act (Division A, Title XIII, and Division B, Title
  IV, Pub. L. No. 111-5);
               (4)  a small business as defined by the United States
  Small Business Administration on September 1, 2024;
               (5)  an institution of higher education;
               (6)  a digital service provider who processes or
  maintains user data in connection with the employment, promotion,
  reassignment, or retention of the user as an employee or
  independent contractor, to the extent that the user's data is
  processed or maintained for that purpose;
               (7)  an operator or provider regulated by Subchapter D,
  Chapter 32, Education Code, that primarily provides education
  services to students or educational institutions;
               (8)  a person subject to the Family Educational Rights
  and Privacy Act of 1974 (20 U.S.C. Section 1232g) that:
                     (A)  operates a digital service; and
                     (B)  primarily provides education services to
  students or educational institutions;
               (9)  a digital service provider's provision of a
  digital service that facilitates e-mail or direct messaging
  services, if the digital service facilitates only those services;
  or
               (10)  a digital service provider's provision of a
  digital service that:
                     (A)  primarily functions to provide a user with
  access to news, sports, commerce, or content primarily generated or
  selected by the digital service provider; and
                     (B)  allows chat, comment, or other interactive
  functionality that is incidental to the digital service.
         (c)  Unless an Internet service provider, Internet service
  provider's affiliate or subsidiary, search engine, or cloud service
  provider is responsible for the creation of harmful material or
  other content described by Section 509.053(a), the Internet service
  provider, Internet service provider's affiliate or subsidiary,
  search engine, or cloud service provider is not considered to be a
  digital service provider or to offer a digital service if the
  Internet service provider or provider's affiliate or subsidiary,
  search engine, or cloud service provider solely provides access or
  connection, including through transmission, download, intermediate
  storage, access software, or other service, to an Internet website
  or to other information or content:
               (1)  on the Internet; or
               (2)  on a facility, system, or network not under the
  control of the Internet service provider, provider's affiliate or
  subsidiary, search engine, or cloud service provider.
  SUBCHAPTER B. DIGITAL SERVICE PROVIDER DUTIES AND PROHIBITIONS
         Sec. 509.051.  DIGITAL SERVICE PROVIDER DUTY TO REGISTER AGE
  OF USER. (a) A digital service provider may not enter into an
  agreement with a person to create an account with a digital service
  unless the person has registered the person's age with the digital
  service provider.
         (b)  A person who registers the person's age as younger than
  18 years of age is considered to be a known minor to the digital
  service provider until after the person's 18th birthday.
         (c)  A digital service provider may not allow a person who
  registers the person's age to alter the person's registered age,
  unless the alteration process involves a commercially reasonable
  review process.
         (d)  A minor is considered to be a known minor to a digital
  service provider if:
               (1)  the minor registers the minor's age under Section
  509.051 as younger than 18 years of age; or
               (2)  the minor's parent or guardian, including a
  verified parent:
                     (A)  notifies a digital service provider that the
  minor is younger than 18 years of age;
                     (B)  successfully disputes the registered age of
  the minor; or
                     (C)  performs another function of a parent or
  guardian under this chapter.
         (e)  If a minor is a known minor, or if the minor's parent or
  guardian, including a verified parent, takes an action under
  Subsection (a), a digital service provider:
               (1)  is considered to have actual knowledge that the
  minor is younger than 18 years of age; and
               (2)  shall treat the minor as a known minor under this
  chapter.
         Sec. 509.052.  DIGITAL SERVICE PROVIDER DUTIES RELATING TO
  AGREEMENT WITH MINOR. Unless a verified parent provides otherwise
  under Section 509.102, a digital service provider that enters into
  an agreement with a known minor for access to a digital service:
               (1)  shall:
                     (A)  limit collection of the known minor's
  personal identifying information to information reasonably
  necessary to provide the digital service; and
                     (B)  limit use of the known minor's personal
  identifying information to the purpose for which the information
  was collected; and
               (2)  may not:
                     (A)  allow the known minor to make purchases or
  engage in other financial transactions through the digital service;
                     (B)  share, disclose, or sell the known minor's
  personal identifying information;
                     (C)  use the digital service to collect the known
  minor's precise geolocation data; or
                     (D)  use the digital service to display targeted
  advertising to the known minor.
         Sec. 509.053.  DIGITAL SERVICE PROVIDER DUTY TO PREVENT HARM
  TO KNOWN MINORS. (a) In relation to a known minor's use of a digital
  service, a digital service provider shall develop and implement a
  strategy to prevent the known minor's exposure to harmful material
  and other content that promotes, glorifies, or facilitates:
               (1)  suicide, self-harm, or eating disorders;
               (2)  substance abuse;
               (3)  stalking, bullying, or harassment; or
               (4)  grooming, trafficking, child pornography, or
  other sexual exploitation or abuse.
         (b)  A strategy developed under Subsection (a):
               (1)  must include:
                     (A)  creating and maintaining a comprehensive
  list of harmful material or other content described by Subsection
  (a) to block from display to a known minor;
                     (B)  using filtering technology and other
  protocols to enforce the blocking of material or content on the list
  under Paragraph (A);
                     (C)  using hash-sharing technology and other
  protocols to identify recurring harmful material or other content
  described by Subsection (a);
                     (D)  creating and maintaining a database of
  keywords used for filter evasion, such as identifiable
  misspellings, hash-tags, or identifiable homoglyphs;
                     (E)  performing standard human-performed
  monitoring reviews to ensure efficacy of filtering technology;
                     (F)  making available to users a comprehensive
  description of the categories of harmful material or other content
  described by Subsection (a) that will be filtered; and
                     (G)  except as provided by Section 509.058, making
  available the digital service provider's algorithm code to
  independent security researchers; and
               (2)  may include:
                     (A)  engaging a third party to rigorously review
  the digital service provider's content filtering technology;
                     (B)  participating in industry-specific
  partnerships to share best practices in preventing access to
  harmful material or other content described by Subsection (a); or
                     (C)  conducting periodic independent audits to
  ensure:
                           (i)  continued compliance with the digital
  service provider's strategy; and
                           (ii)  efficacy of filtering technology and
  protocols used by the digital service provider.
         Sec. 509.054.  DIGITAL SERVICE PROVIDER DUTY TO CREATE
  PARENTAL TOOLS. (a) A digital service provider shall create and
  provide to a verified parent parental tools to allow the verified
  parent to supervise the verified parent's known minor's use of a
  digital service.
         (b)  Parental tools under this section must allow a verified
  parent to:
               (1)  control the known minor's privacy and account
  settings;
               (2)  alter the duties of a digital service provider
  under Section 509.052 with regard to the verified parent's known
  minor;
               (3)  if the verified parent alters the duty of a digital
  service provider under Section 509.052(2)(A), restrict the ability
  of the verified parent's known minor to make purchases or engage in
  financial transactions; and
               (4)  monitor and limit the amount of time the verified
  parent's known minor spends using the digital service.
         Sec. 509.055.  DIGITAL SERVICE PROVIDER DUTIES REGARDING
  ADVERTISING AND MARKETING. A digital service provider shall make a
  commercially reasonable effort to prevent advertisers on the
  digital service provider's digital service from targeting a known
  minor with advertisements that facilitate, promote, or offer a
  product, service, or activity that is unlawful for a minor in this
  state to use or engage in.
         Sec. 509.056.  USE OF ALGORITHMS. A digital service
  provider that uses algorithms to automate the suggestion,
  promotion, or ranking of information to known minors on the digital
  service shall:
               (1)  make a commercially reasonable effort to ensure
  that the algorithm does not interfere with the digital service
  provider's duties under Section 509.053; and
               (2)  disclose in the digital service provider's terms
  of service, privacy policy, or similar document, in a clear and
  accessible manner, an overview of:
                     (A)  the manner in which the digital service uses
  algorithms to provide information or content;
                     (B)  the manner in which algorithms promote, rank,
  or filter information or content; and
                     (C)  the personal identifying information used as
  inputs to provide information or content.
         Sec. 509.057.  DIGITAL SERVICE PROVIDER DUTY AS TO HARMFUL
  MATERIAL. (a) A digital service provider as defined by Section
  509.001 that knowingly publishes or distributes material, more than
  one-third of which is harmful material or obscene as defined by
  Section 43.21, Penal Code, must use a commercially reasonable age
  verification method to verify that any person seeking to access
  content on or through the provider's digital service is 18 years of
  age or older.
         (b)  If a person seeking to access content on or through the
  digital service of a provider for which age verification is
  required under this section is not 18 years of age or older, the
  digital service provider may not enter into an agreement with the
  person for access to the digital service.
         Sec. 509.058.  PROTECTION OF TRADE SECRETS. Nothing in this
  subchapter may be construed to require a digital service provider
  to disclose a trade secret.
         Sec. 509.059.  USE OF KNOWN MINOR'S PERSONAL IDENTIFYING
  INFORMATION FOR CERTAIN PURPOSES. Nothing in this subchapter may be
  construed to prevent a digital service provider from collecting,
  processing, or sharing a known minor's personal identifying
  information in a manner necessary to:
               (1)  comply with a civil, criminal, or regulatory
  inquiry, investigation, subpoena, or summons by a governmental
  entity;
               (2)  comply with a law enforcement investigation;
               (3)  detect, block, or prevent the distribution of
  unlawful, obscene, or other harmful material to a known minor;
               (4)  block or filter spam;
               (5)  prevent criminal activity; or
               (6)  protect the security of a digital service.
  SUBCHAPTER C. VERIFIED PARENTS
         Sec. 509.101.  VERIFICATION OF PARENT OR GUARDIAN. (a) A
  digital service provider shall verify, using a commercially
  reasonable method and for each person seeking to perform an action
  on a digital service as a minor's parent or guardian:
               (1)  the person's identity; and
               (2)  the relationship of the person to the known minor.
         (b)  A digital service provider shall provide a process by
  which a person who has been verified under Subsection (a) as the
  parent or guardian of a known minor may participate in the digital
  service as the known minor's verified parent as provided by this
  chapter.
         Sec. 509.102.  POWERS OF VERIFIED PARENT. (a) A verified
  parent is entitled to alter the duties of a digital service provider
  under Section 509.052 with regard to the verified parent's known
  minor.
         (b)  A verified parent is entitled to supervise the verified
  parent's known minor's use of a digital service using tools provided
  by a digital service provider under Section 509.054.
         Sec. 509.103.  ACCESS TO KNOWN MINOR'S PERSONAL IDENTIFYING
  INFORMATION. (a) A known minor's verified parent may submit a
  request to a digital service provider to:
               (1)  review and download any personal identifying
  information associated with the minor in the possession of the
  digital service provider; and
               (2)  delete any personal identifying information
  associated with the minor collected or processed by the digital
  service provider.
         (b)  A digital service provider shall establish and make
  available on the digital service provider's digital service a
  method by which a known minor's parent or guardian may make a
  request for access under this section.
         Sec. 509.104.  MINOR IN CONSERVATORSHIP OF DEPARTMENT OF
  FAMILY AND PROTECTIVE SERVICES. If a minor is in the
  conservatorship of the Department of Family and Protective
  Services, the department may designate the minor's caregiver or a
  member of the department's staff to perform the functions of the
  minor's parent or guardian under this chapter.
  SUBCHAPTER D. ENFORCEMENT
         Sec. 509.151.  DECEPTIVE TRADE PRACTICE; ENFORCEMENT BY
  ATTORNEY GENERAL. A violation of this chapter is a deceptive act or
  practice actionable under Subchapter E, Chapter 17, solely as an
  enforcement action by the consumer protection division of the
  attorney general's office.
         Sec. 509.152.  PRIVATE CAUSE OF ACTION. (a) Except as
  provided by Subsection (b), this chapter may not be construed as
  providing a basis for, or being subject to, a private right of
  action for a violation of this chapter.
         (b)  If a digital service provider violates this chapter, the
  parent or guardian of a known minor affected by that violation may
  bring a cause of action seeking:
               (1)  a declaratory judgment under Chapter 37, Civil
  Practice and Remedies Code; or
               (2)  an injunction against the digital service
  provider.
         (c)  A court may not certify an action brought under this
  section as a class action.
  ARTICLE 3. USE AND TRANSFER OF ELECTRONIC DEVICES BY STUDENTS
         SECTION 3.01.  The heading to Subchapter C, Chapter 32,
  Education Code, is amended to read as follows:
  SUBCHAPTER C. TRANSFER OF DATA PROCESSING EQUIPMENT AND ELECTRONIC
  DEVICES TO STUDENTS
         SECTION 3.02.  Section 32.101, Education Code, is amended to
  read as follows:
         Sec. 32.101.  DEFINITIONS [DEFINITION]. In this subchapter:
               (1)  "Data [, "data] processing" has the meaning
  assigned by Section 2054.003, Government Code.
               (2)  "Electronic device" means a device that is capable
  of connecting to a cellular network or the Internet, including:
                     (A)  a computer;
                     (B)  a smartphone; or
                     (C)  a tablet.
               (3)  "Internet filter" means a software application
  that is capable of preventing an electronic device from accessing
  certain websites or displaying certain online material.
         SECTION 3.03.  Subchapter C, Chapter 32, Education Code, is
  amended by adding Section 32.1021 to read as follows:
         Sec. 32.1021.  STANDARDS. The agency shall adopt standards
  for permissible electronic devices and software applications used
  by a school district or open-enrollment charter school. In adopting
  the standards, the agency must:
               (1)  minimize data collection conducted on students
  through electronic devices and software applications;
               (2)  ensure direct and informed parental consent is
  required for a student's use of a software application, other than a
  software application necessary for the administration of:
                     (A)  an assessment instrument under Subchapter B,
  Chapter 39; or
                     (B)  an assessment relating to college, career, or
  military readiness for which student performance is considered in
  evaluating a school district's performance under Section 39.054;
               (3)  ensure software applications do not conduct mental
  health assessments or other assessments unrelated to educational
  curricula that are intended to collect information about students
  without direct and informed parental consent;
               (4)  ensure that parents are provided the resources
  necessary to understand cybersecurity risks and online safety
  regarding their child's use of electronic devices before the child
  uses an electronic device at the child's school;
               (5)  specify periods of time during which an electronic
  device transferred to a student must be deactivated in the interest
  of student safety;
               (6)  consider necessary adjustments by age level to the
  use of electronic devices in the classroom to foster development of
  students' abilities regarding spending school time and completing
  assignments without the use of an electronic device;
               (7)  consider appropriate restrictions on student
  access to social media websites or applications with an electronic
  device transferred to a student by a district or school;
               (8)  require a district or school, before using a
  social media application for an educational purpose, to determine
  that an alternative application that is more secure and provides
  the same educational functionality as the social media application
  is unavailable for that educational purpose;
               (9)  consider the required use of an Internet filter
  capable of notifying appropriate school administrators, who are
  then required to notify the student's parent, if a student accesses
  inappropriate or concerning content or words, including content
  related to:
                     (A)  self-harm;
                     (B)  suicide;
                     (C)  violence to others; or
                     (D)  illicit drugs;
               (10)  assign to the appropriate officer of a district
  or school the duty to receive complaints or concerns regarding
  student use of electronic devices, including cybersecurity and
  online safety concerns, from district or school staff, other
  students, or parents; and
               (11)  provide methods by which a district or school may
  ensure an operator, as that term is defined by Section 32.151, that
  contracts with the district or school to provide software
  applications complies with Subchapter D.
         SECTION 3.04.  Section 32.104, Education Code, is amended to
  read as follows:
         Sec. 32.104.  REQUIREMENTS FOR TRANSFER. Before
  transferring data processing equipment or an electronic device to a
  student, a school district or open-enrollment charter school must:
               (1)  adopt rules governing transfers under this
  subchapter, including provisions for technical assistance to the
  student by the district or school;
               (2)  determine that the transfer serves a public
  purpose and benefits the district or school; [and]
               (3)  remove from the equipment any offensive,
  confidential, or proprietary information, as determined by the
  district or school;
               (4)  adopt rules establishing programs promoting
  parents as partners in cybersecurity and online safety that involve
  parents in students' use of transferred equipment or electronic
  devices; and
               (5)  for the transfer of an electronic device to be used
  for an educational purpose, install an Internet filter that blocks
  and prohibits pornographic or obscene materials or applications,
  including from unsolicited pop-ups, installations, and downloads.
  ARTICLE 4. STUDY OF EFFECTS OF MEDIA ON MINORS
         SECTION 4.01.  (a) A joint committee of the legislature
  shall conduct a study on the effects of media on minors.
         (b)  The joint committee shall consist of:
               (1)  members of the house of representatives appointed
  by the speaker of the house of representatives; and
               (2)  members of the senate appointed by the lieutenant
  governor.
         (c)  In conducting the study, members of the joint committee
  shall confer with experts on the subject.
         (d)  The members of the joint committee shall examine:
               (1)  the health and developmental effects of media on
  minors; and
               (2)  the effects of exposure by a minor to various forms
  of media, including:
                     (A)  social media platforms;
                     (B)  software applications;
                     (C)  Internet websites;
                     (D)  television programming;
                     (E)  motion pictures and film;
                     (F)  artificial intelligence;
                     (G)  mobile devices;
                     (H)  computers;
                     (I)  video games;
                     (J)  virtual and augmented reality; and
                     (K)  other media formats the joint committee
  considers necessary.
  ARTICLE 5. TRANSITION AND EFFECTIVE DATE
         SECTION 5.01.  If any provision of this Act or its
  application to any person or circumstance is held invalid, the
  invalidity does not affect other provisions or applications of this
  Act that can be given effect without the invalid provision or
  application, and to this end the provisions of this Act are declared
  to be severable.
         SECTION 5.02.  Article 3 of this Act applies beginning with
  the 2023-2024 school year.
         SECTION 5.03.  (a) Except as provided by Subsection (b) of
  this section, this Act takes effect September 1, 2024.
         (b)  Article 3 of this Act takes effect immediately if it
  receives a vote of two-thirds of all the members elected to each
  house, as provided by Section 39, Article III, Texas Constitution.
  If this Act does not receive the vote necessary for immediate
  effect, Article 3 of this Act takes effect September 1, 2023.
 
 
  ______________________________ ______________________________
     President of the Senate Speaker of the House     
 
 
         I certify that H.B. No. 18 was passed by the House on April
  26, 2023, by the following vote:  Yeas 125, Nays 20, 1 present, not
  voting; and that the House concurred in Senate amendments to H.B.
  No. 18 on May 28, 2023, by the following vote:  Yeas 120, Nays 21, 2
  present, not voting.
 
  ______________________________
  Chief Clerk of the House   
 
         I certify that H.B. No. 18 was passed by the Senate, with
  amendments, on May 23, 2023, by the following vote:  Yeas 31, Nays
  0.
 
  ______________________________
  Secretary of the Senate   
  APPROVED: __________________
                  Date       
   
           __________________
                Governor