Comparing the House's COPPA 2.0 AINS with the Senate's KOSPA

The Children and Teens Online Privacy Protection Act (COPPA 2.0) and the Kids Online Safety Act (KOSA) will be included in a Wednesday (9/18) markup by the full House Commerce Committee. Amendments in the nature of a substitute (AINS) were shared publicly this morning (9/17) for both bills.

Below is our redline comparing the Kids Online Safety and Privacy Act (KOSPA) as it passed the Senate to the House version of COPPA 2.0 (as updated in the AINS on 9/17). A similar redline for KOSA is forthcoming.

Children and Teens' Online Privacy Protection Act (COPPA 2.0) including COPPA statute

§6501. Definitions

In this chapter:
(1) Child
The term "child" means an individual under the age of 13.
(2) Operator
The term "operator"—

(A) means any person

(i) who, for commercial purposes, in interstate or foreign commerce operates or provides a website on the internetInternet, an online service, an online application, or a mobile application; and

(ii) who

(I) collects or maintains, either directly or through a service provider, personal information from or about the users of that website, service, or application;

(II) allows another person to collect personal information directly from users of that website, service, or application (in which case, the operator is deemed to have collected the information); or

(III) allows users of that website, service, or application to publicly disclose personal information (in which case, the operator is deemed to have collected the information); and

(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).

(3) Commission
The term "Commission" means the Federal Trade Commission.
(4) Disclosure
The term "disclosure" means, with respect to personal information—

(A) the release of personal information collected from a child or teen by an operator for any purpose, except where the personal information is provided to a person other than the operator who

(i) provides support for the internal operations of the website, online service, online application, or mobile application of the operator, excluding any activity relating to individual-specific advertising to children or teens; and

(ii) does not disclose or use that personal information for any other purpose; and

(B) making personal information collected from a child or teen by a website, online service, online application, or mobile application directed to children or with knowledge actual knowledge or knowledge fairly implied on the basis of objective circumstances that such information was collected from a child or teen, publicly available in identifiable form, by any means including by a public posting, through the Internet, or through—

(i) a home page of a website;

(ii) a pen pal service;

(iii) an electronic mail service;

(iv) a message board; or

(v) a chat room.

(5) Federal agency
The term "Federal agency" means an agency, as that term is defined in section 551(1) of title 5.
(6) Internet
The term "Internet" means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire or radio.
(7) Parent
The term "parent" includes a legal guardian.
(8) Personal information.--

(A) In general.--The term ‘personal information’ means individually identifiable information about an individual collected online, including–

(i A) a first and last name;

(ii B) a home or other physical address, including street name and name of a city or town;

(iii C) an e-mail address;

(iv D) a telephone number;

(v E) a Social Security number;

(vi F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or

(vii) a persistent identifier that can be used to recognize a specific child or teen over time and across different websites, online services, online applications, or mobile applications, including but not limited to a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier, but excluding an identifier that is used by an operator solely for providing support for the internal operations of the website, online service, online application, or mobile application;

(viii) a photograph, video, or audio file, where such file contains a specific child's or teen's image or voice;

(ix) geolocation information;

(x) information generated from the measurement or technological processing of an individual's biological, physical, or physiological characteristics that is used to identify an individual, including--

(I) fingerprints;

(II) voice prints;

(III) iris or retina imagery scans;

(IV) facial templates;

(V) deoxyribonucleic acid (DNA) information; or

(VI) gait; or

(xi G) information linked or reasonably linkable to a concerning the child or teen or the parents of a that child or teen (including any unique identifier) that an operator the website collects online from the child or teen and combines with an identifier described in this subparagraph.

(B) Exclusion.--The term `personal information' shall not include an audio file that contains a child's or teen's voice so long as the operator–

(i) does not request information via voice that would otherwise be considered personal information under this paragraph;

(ii) provides clear notice of its collection and use of the audio file and its deletion policy in its privacy policy;

(iii) only uses the voice within the audio file solely as a replacement for written words, to perform a task, or engage with a website, online service, online application, or mobile application, such as to perform a search or fulfill a verbal instruction or request; and

(iv) only maintains the audio file long enough to complete the stated purpose and then immediately deletes the audio file and does not make any other use of the audio file prior to deletion.

(C) Support for the internal operations of a website, online service, online application, or mobile application.--

(i) In general.--For purposes of subparagraph (A)(vii), the term `support for the internal operations of a website, online service, online application, or mobile application' means those activities necessary to–

(I) maintain or analyze the functioning of the website, online service, online application, or mobile application;

(II) perform network communications;

(III) authenticate users of, or personalize the content on, the website, online service, online application, or mobile application;

(IV) serve contextual advertising, if provided that any persistent identifier is only used as necessary for technical purposes to serve the contextual advertisement, or cap the frequency of advertising;

(V) protect the security or integrity of the user, website, online service, online application, or mobile application;

(VI) ensure legal or regulatory compliance, or

(VII) fulfill a request of a child or teen as permitted by subparagraphs (A) through (C) of section 1303(b)(2).

(ii) Condition.--Except as specifically permitted under clause (i), information collected for the activities listed in clause (i) cannot be used or disclosed to contact a specific individual, including through individual-specific advertising to children or teens, to amass a profile on a specific individual, in connection with processes that encourage or prompt use of a website or online service, or for any other purpose.

(9) Verifiable consent.--The term "verifiable consent" means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that, in the case of a child, a parent of the child, or, in the case of a teen, the teen–

(A) receives direct notice of the personal information collection, use, and disclosure practices of the operator;, and

(B) before the personal information of the child or teen is collected, freely and unambiguously authorizes

(i) the collection, use, and disclosure, as applicable, of that personal information; and

(ii) any subsequent use of that personal information.

(10) Website, online service, online application, or mobile application directed to children

(A) In general

The term "website, online service, online application, or mobile application directed to children" means—

(i) a commercial website, online service, online application, or mobile application that is targeted to children; or

(ii) that portion of a commercial website, online service, online application, or mobile application that is targeted to children.

(B) Limitation

A commercial website, online service, online application, or mobile application, or a portion of a commercial website, online service, online application, or mobile application, shall not be deemed directed to children solely for referring or linking to a commercial website, online service, online application, or mobile application directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link.

(C) Rule of construction.--In considering whether a website, online service, online application, or mobile application, or portion thereof, is directed to children, the Commission shall apply a totality of circumstances test and will also consider competent and reliable empirical evidence regarding audience composition and evidence regarding the intended audience of the website, online service, online application, or mobile application.

(11) Person
The term "person" means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity.
(12) Online contact information
The term "online contact information" means an e-mail address or another substantially similar identifier that permits direct contact with a person online.
(13) Connected device.--The term `connected device' means a device that is capable of connecting to the internet, directly or indirectly, or to another connected device.
(14) Online application.--The term `online application'--

(A) means an internet-connected software program; and

(B) includes a service or application offered via a connected device.

(15) Mobile application.--The term `mobile application'--

(A) means a software program that runs on the operating system of–

(i) a cellular telephone;

(ii) a tablet computer; or

(iii) a similar portable computing device that transmits data over a wireless connection; and

(B) includes a service or application offered via a connected device.

(16) Geolocation information.--The term `geolocation information' means information sufficient to identify a street name and name of a city or town.
(17) Teen.--The term `teen' means an individual over the age of 12 who has attained age 13 and is under the age of 17.
(18) Covered High-Impact Social Media Company.–The term ‘covered high-impact social media company’ means an operator that—

(A) generates $3,00,000,000 or more in global annual revenue, including the revenue generated by any affiliate of such operator;

(B) has 300,000,000 or more global monthly active users for not fewer than 3 or the preceding 12 months on the website, online service, online application, or mobile application of such operator; and

(C) constitutes an online product or service that is primarily used by users to access or share user-generated content.

(19) Knowledge.–The term ‘knowledge’ means—

(A) with respect to a high-impact social media company, the operator knew or should have known that a user is a child or teen;

(B) with respect to an operator that has an annual gross revenue of $200,000,000 or more, collects the personal information of 200,000 individuals or more, and does not meet the qualifications of subparagraph (A), the operator knew or acted in willful disregard of the fact that the individual is a child or teen; and

(C) with respect to an operator that does not meet the requirements of subparagraph (A) or (B), actual knowledge.

(2018) Individual-specific advertising to children or teens.--

(A) In general.--The term `individual-specific advertising to children or teens' means advertising or any other effort to market a product or service that is directed to a specific child or teen or a connected device that is linked or reasonably linkable to a child or teen based on–

(i) the personal information from--

(I) the child or teen; or

(II) a group of children or teens who are similar in sex, age, household income level, race, or ethnicity to the specific child or teen to whom the product or service is marketed;

(ii) profiling of a child or teen or group of children or teens; or

(iii) a unique identifier of the connected device.

(B) Exclusions.--The term `individual-specific advertising to children or teens' shall not include–

(i) advertising or marketing to an individual or the device of an individual in response to the individual's specific request for information or feedback, such as a child's or teen's current search query;

(ii) contextual advertising, such as when an advertisement is displayed based on the content of the website, online service, online application, mobile application, or connected device in which the advertisement appears and does not vary based on personal information related to the viewer; or

(iii) processing personal information solely for measuring or reporting advertising or content performance, reach, or frequency, including independent measurement; or.

(iv) advertising or marketing directed to a device used by both adult and child or teen members of a household where such advertising or marketing is directed only to services accessible through an adult user profile.

(C) Rule of construction.--Nothing in subparagraph (A) shall be construed to prohibit an operator with actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is under the age of 17 from delivering advertising or marketing that is age-appropriate and intended for a child or teen audience, so long as the operator does not use any personal information other than whether the user is under the age of 17.

(21) Educational agency or institution.—The term ‘educational agency or institution’ means—

(A) a State educational agency or a local educational agency (as such terms are defined in section 8101 of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801)); and

(B) an institutional day or residential school, including a public school, charter school, or private school, that provides elementary or secondary education, as determined under State law.

§6502. Online collection, use, disclosure, and deletion of personal information of children and teens.

(a) Acts prohibited

(1) In general.–

It is unlawful for an operator of a website, online service, online application, or mobile application directed to children, or for any operator of a website, online service, online application, or mobile application with knowledge actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child or teen–

(A) to collect personal information from a child or teen, in a manner that violates the regulations prescribed under subsection (b);

(B) except as provided in subparagraphs (B) and (C) of section 1302(18), to collect, use, disclose to third parties, or maintain personal information of a child or teen for purposes of individual-specific advertising to children or teens (or to allow another person to collect, use, disclose, or maintain such information for such purpose);

(C) to collect the personal information of a child or teen except when the collection of the personal information is–

(i) consistent with the context of a particular transaction or service or the relationship of the child or teen with the operator, including collection necessary to fulfill a transaction or provide a product or service requested by the child or teen; or

(ii) required or specifically authorized by Federal or State law; or

(D) to store or transfer the personal information of a child or teen outside of the United States unless the operator provides direct notice to the parent of the child, in the case of a child, or to the teen, in the case of a teen, that the child's or teen's personal information is being stored or transferred outside of the United States; or

(E) to retain the personal information of a child or teen for longer than is reasonably necessary to fulfill a transaction or provide a service requested by the child or teen, except as required or specifically authorized by Federal or State law.

(2) Disclosure to ‘parent or teen’ protected

Notwithstanding paragraph (1)(A), neither an operator nor the operator's agent shall be held to be liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under subsection (b)(1)(B)(iv) to the parent of a child or under subsection (b)(1)(C)(iv) to a teen.

(b) Regulations

(1) In general

Not later than 1 year after October 21, 1998, the Commission shall promulgate under section 553 of title 5 regulations that—

(A) require the operator of website, online service, online application, or mobile application directed to children or that has knowledge actual knowledge or knowledge fairly implied on the basis of objective circumstances that a user is a child or teen

(i) to provide clear and conspicuous notice on the website of what information is collected from children or teens by the operator, how the operator uses such information, the operator's disclosure practices for such information, the rights and opportunities available to the parent of the child or teen under subparagraphs (B) and (C), and the procedures or mechanisms the operator uses to ensure that personal information is not collected from children or teens except in accordance with the regulations promulgated under this Paragraph;

(ii) to obtain verifiable consent for the collection, use, or disclosure of personal information from children or teens; and

(iii) to obtain verifiable consent from a parent of a child or from a teen before using or disclosing personal information of the child or teen for any purpose that is a material change from the original purposes and disclosure practices specified to the parent of the child or the teen under clause (i);

(B) require the operator to provide, upon request of a parent under this subparagraph whose child has provided personal information to that operator, upon proper identification of that parent, to such parent—

(i) a description of the specific types of personal information collected from the child by that operator and the method by which the operator obtained the personal information, and the purposes for which the operator collects, uses, discloses, and retains the personal information;

(ii) the opportunity at any time to delete personal information collected from the child or content or information submitted by the child to a website, online service, online application, or mobile application and to refuse to permit the operator's further use or maintenance in retrievable form, or future online collection, of personal information from that child;

(iii) the opportunity to challenge the accuracy of the personal information and, if the parent of the child establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected;

(iv) notwithstanding any other provision of law, a means that is reasonable under the circumstances for the parent to obtain any personal information collected from that child, if such information is available to the operator at the time the parent makes the request;

(C) require the operator to provide, upon the request of a parent of a teen or a teen under this subparagraph who has provided personal information to the operator, upon proper identification of that parent or that teen–

(i) a description of the specific types of personal information collected from the teen by the operator, the method by which the operator obtained the personal information, and the purposes for which the operator collects, uses, discloses, and retains the personal information;

(ii) the opportunity at any time to delete personal information collected from the teen or content or information submitted by the teen to a website, online service, online application, or mobile application and to refuse to permit the operator's further use or maintenance in retrievable form, or online collection, of personal information from the teen;

(iii) the opportunity to challenge the accuracy of the personal information and, if the parent or the teen establishes the inaccuracy of the personal information, to have the inaccurate personal information corrected; and

(iv) a means that is reasonable under the circumstances for the parent or the teen to obtain any personal information collected from the teen, if such information is available to the operator at the time the parent or the teen makes the request;

(D) prohibit conditioning a child's or teen's participation in a game, the offering of a prize, or another activity on the child or teen disclosing more personal information than is reasonably necessary to participate in such activity; and

(E) require the operator to establish, implement, and maintain reasonable security practices to protect the confidentiality, integrity, and accessibility of personal information of children or teens collected by the operator, and to protect such personal information against unauthorized access.

(2) When consent not required

The regulations shall provide that verifiable consent under paragraph (1)(A)(ii) is not required in the case of—

(A) online contact information collected from a child or teen that is used only to respond directly on a one-time basis to a specific request from the child or teen and is not used to recontact the child or teen or to contact another child or teen and is not maintained in retrievable form by the operator;

(B) a request for the name or online contact information of a parent or teen that is used for the sole purpose of obtaining verifiable consent or providing notice under this section and where such information is not maintained in retrievable form by the operator if verifiable consent is not obtained after a reasonable time;

(C) online contact information collected from a child or teen that is used only to respond more than once directly to a specific request from the child or teen and is not used to recontact the child or teen beyond the scope of that request—

(i) if, before any additional response after the initial response to the child or teen, the operator uses reasonable efforts to provide a parent or teen, as applicable, notice of the online contact information collected from the child or teen, the purposes for which it is to be used, and an opportunity for the parent or teen, as applicable, to request that the operator make no further use of the information and that it not be maintained in retrievable form; or

(ii) without notice to the parent or teen, as applicable, in such circumstances as the Commission may determine are appropriate, taking into consideration the benefits to the child or teen of access to information and services, and risks to the security and privacy of the child or teen, in regulations promulgated under this subsection;

(D) the name of the child or teen and online contact information (to the extent reasonably necessary to protect the safety of a child or teen participant on the site)—

(i) used only for the purpose of protecting such safety;

(ii) not used to recontact the child or teen or for any other purpose; and

(iii) not disclosed on the site, if the operator uses reasonable efforts to provide a parent or teen, as applicable, notice of the name and online contact information collected from the child or teen, the purposes for which it is to be used, and an opportunity for the parent or teen, as applicable, to request that the operator make no further use of the information and that it not be maintained in retrievable form; or

(E) the collection, use, or dissemination of such information by the operator of such a website or online service necessary—

(i) to protect the security or integrity of its website;

(ii) to take precautions against liability;

(iii) to respond to judicial process; or

(iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety.

(3) Application to operators acting under agreements with educational agencies or institutions.--The regulations may provide that verifiable consent under paragraph (1)(A)(ii) is not required for an operator that is acting under a written agreement with an educational agency or institution (as defined in section 444 of the General Education Provisions Act (commonly known as the `Family Educational Rights and Privacy Act of 1974') (20 U.S.C. 1232g(a)(3)) that, at a minimum, requires the–

(A) operator to–

(i) limit its collection, use, and disclosure of the personal information from a child or teen to solely educational purposes and for no other commercial purposes;

(ii) provide the educational agency or institution with a notice of the specific types of personal information the operator will collect from the child or teen, the method by which the operator will obtain the personal information, and the purposes for which the operator will collect, use, disclose, and retain the personal information;

(iii) provide the educational agency or institution with a link to the operator's online notice of information practices as required under subsection (b)(1)(A)(i); and

(iv) provide the educational agency or institution, upon request, with a means to review the personal information collected from a child or teen, to prevent further use or maintenance or future collection of personal information from a child or teen, and to delete personal information collected from a child or teen or content or information submitted by a child or teen to the operator's website, online service, online application, or mobile application;,

(B) representative of the educational agency or institution to acknowledge and agree that they have authority to authorize the collection, use, and disclosure of personal information from children or teens on behalf of the educational agency or institution, along with such authorization, their name, and title at the educational agency or institution; and

(C) educational agency or institution to–

(i) provide on its website a notice that identifies the operator with which it has entered into a written agreement under this subsection and provides a link to the operator's online notice of information practices as required under paragraph (1)(A)(i);

(ii) provide the operator's notice regarding its information practices, as required under subparagraph (A)(ii), upon request, to a parent, in the case of a child, or a parent or teen, in the case of a teen; and

(iii) upon the request of a parent, in the case of a child, or a parent or teen, in the case of a teen, request the operator provide a means to review the personal information from the child or teen and provide the parent, in the case of a child, or parent or teen, in the case of the teen, a means to review the personal information.

(4) Termination of service.--The regulations shall permit the operator of a website, online service, online application, or mobile application to terminate service provided to a child whose parent has refused, under the regulations prescribed under paragraph (1)(B)(ii) and (1)(C)(ii), to permit the operator's further use or maintenance in retrievable form, or future online collection of, personal information from that child or teen.

(5) Continuation of service.--The regulations shall prohibit an operator from discontinuing service provided to a child or teen on the basis of a request by the parent of the child or by the teen, under the regulations prescribed under subparagraph (B) or (C) of paragraph (1), respectively, to delete personal information collected from the child or teen, to the extent that the operator is capable of providing such service without such information.

(6) Rule of construction.--A request made pursuant to subparagraph (B) or (C) of paragraph (1) to delete or correct personal information of a child or teen shall not be construed–

(A) to limit the authority of a law enforcement agency to obtain any content or information from an operator pursuant to a lawfully executed warrant or an order of a court of competent jurisdiction;

(B) to require an operator or third party delete or correct information that–

(i) any other provision of Federal or State law requires the operator or third party to maintain; or

(ii) was submitted to the website, online service, online application, or mobile application of the operator by any person other than the user who is attempting to erase or otherwise eliminate the content or information, including content or information submitted by the user that was republished or resubmitted by another person; or

(C) to prohibit an operator from–

(i) retaining a record of the deletion request and the minimum information necessary for the purposes of ensuring compliance with a request made pursuant to subparagraph (B) or (C);

(ii) preventing, detecting, protecting against, or responding to security incidents, identity theft, or fraud, or reporting those responsible for such actions;

(iii) protecting the integrity or security of a website, online service, online application or mobile application; or

(iv) ensuring that the child's or teen's information remains deleted.

(7) Common verifiable consent mechanism.--

(A) In general.--

(i) Feasibility of mechanism.--The Commission shall assess the feasibility, with notice and public comment, of allowing operators the option to use a common verifiable consent mechanism that fully meets the requirements of this title.

(ii) Requirements.--The feasibility assessment described in clause (i) shall consider whether a single operator could use a common verifiable consent mechanism to obtain verifiable consent, as required under this title, from a parent of a child or from a teen on behalf of multiple, listed operators that provide a joint or related service.

(B) Report.--Not later than 1 year after the date of the enactment of this paragraph, the Commission shall submit a report to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives with the findings of the assessment required by subparagraph (A).

(C) Regulations.--If the Commission finds that the use of a common verifiable consent mechanism is feasible and would meet the requirements of this title, the Commission shall issue regulations to permit the use of a common verifiable consent mechanism in accordance with the findings outlined in such report.

(c) Enforcement
Subject to sections 6503 and 6505 of this title, a violation of a regulation prescribed under subparagraph (B), (C), (D), or (E) of subsection (a)(1), or of a regulation prescribed under subsection (b), shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 57a(a)(1)(B) of this title.
(d) Relationship to State Law.--The provisions of this title shall preempt any State law, rule, or regulation only to the extent that such State law, rule, or regulation conflicts with a provision of this title. Nothing in this title shall be construed to prohibit any State from enacting a law, rule, or regulation that provides greater protection to children or teens than the provisions of this title.

§6503. Safe harbors

(a) Guidelines
An operator may satisfy the requirements of regulations issued under section 6502(b) of this title by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved under subsection (b).
(b) Incentives

(1) Self-regulatory incentives

In prescribing regulations under section 6502 of this title, the Commission shall provide incentives for self-regulation by operators to implement the protections afforded children and teens under the regulatory requirements described in subsection (b) of that section.

(2) Deemed compliance

Such incentives shall include provisions for ensuring that a person will be deemed to be in compliance with the requirements of the regulations under section 6502 of this title if that person complies with guidelines that, after notice and comment, are approved by the Commission upon making a determination that the guidelines meet the requirements of the regulations issued under section 6502 of this title.

(3) Expedited response to requests

The Commission shall act upon requests for safe harbor treatment within 180 days of the filing of the request, and shall set forth in writing its conclusions with regard to such requests.

(c) Appeals
Final action by the Commission on a request for approval of guidelines, or the failure to act within 180 days on a request for approval of guidelines, submitted under subsection (b) may be appealed to a district court of the United States of appropriate jurisdiction as provided for in section 706 of title 5.
(d) Publication.--

(1) In general.--Subject to the restrictions described in paragraph (2), the Commission shall publish on the internet website of the Commission any report or documentation required by regulation to be submitted to the Commission to carry out this section.

(2) Restrictions on publication.--The restrictions described in section 6(f) and section 21 of the Federal Trade Commission Act (15 U.S.C. 46(f), 57b-2) applicable to the disclosure of information obtained by the Commission shall apply in same manner to the disclosure under this subsection of information obtained by the Commission from a report or documentation described in paragraph (1).

§6504. Actions by States

(a) In general

(1) Civil actions

In any case in which the attorney general of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of any person in a practice that violates section 1303(a)(1) or any regulation of the Commission prescribed under section 6502(b) of this title, the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to—

(A) enjoin that practice;

(B) enforce compliance with section 1303(a)(1) or the regulation;

(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or

(D) obtain such other relief as the court may consider to be appropriate.

(2) Notice

(A) In general

Before filing an action under paragraph (1), the attorney general of the State involved shall provide to the Commission—

(i) written notice of that action; and

(ii) a copy of the complaint for that action.

(B) Exemption

(i) In general

Subparagraph (A) shall not apply with respect to the filing of an action by an attorney general of a State under this subsection, if the attorney general determines that it is not feasible to provide the notice described in that subparagraph before the filing of the action.

(ii) Notification

In an action described in clause (i), the attorney general of a State shall provide notice and a copy of the complaint to the Commission at the same time as the attorney general files the action.

(b) Intervention

(1) In general

On receiving notice under subsection (a)(2), the Commission shall have the right to intervene in the action that is the subject of the notice.

(2) Effect of intervention

If the Commission intervenes in an action under subsection (a), it shall have the right—

(A) to be heard with respect to any matter that arises in that action; and

(B) to file a petition for appeal.

(3) Amicus curiae

Upon application to the court, a person whose self-regulatory guidelines have been approved by the Commission and are relied upon as a defense by any defendant to a proceeding under this section may file amicus curiae in that proceeding.

(c) Construction
For purposes of bringing any civil action under subsection (a), nothing in this chapter shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to—

(1) conduct investigations;

(2) administer oaths or affirmations; or

(3) compel the attendance of witnesses or the production of documentary and other evidence.

(d) Actions by Commission
In any case in which an action is instituted by or on behalf of the Commission for violation of section 1303(a)(1) or any regulation prescribed under section 6502 of this title, no State may, during the pendency of that action, institute an action under subsection (a) against any defendant named in the complaint in that action for violation of section 1303(a)(1) or that regulation.
(e) Venue; service of process

(1) Venue

Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28.

(2) Service of process

In an action brought under subsection (a), process may be served in any district in which the defendant—

(A) is an inhabitant; or

(B) may be found.

§6505. Administration and applicability

(a) In general
Except as otherwise provided, this chapter shall be enforced by the Commission under the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
(b) Provisions
Compliance with the requirements imposed under this chapter shall be enforced under—

(1) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), in the case of– by the appropriate Federal banking agency, with respect to any insured depository institution (as those terms are defined in section 3 of that Act (12 U.S.C. 1813));

(A) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25(a) of the Federal Reserve Act (12 U.S.C. 601 et seq. and 611 et. seq.), by the Board; and

(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation;

(2) section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818), by the Director of the Office of Thrift Supervision, in the case of a savings association the deposits of which are insured by the Federal Deposit Insurance Corporation;

(3 2) the Federal Credit Union Act (12 U.S.C. 1751 et seq.) by the National Credit Union Administration Board with respect to any Federal credit union;

(4 3) part A of subtitle VII of title 49 by the Secretary of Transportation with respect to any air carrier or foreign air carrier subject to that part;

(5 4) the Packers and Stockyards Act, 1921 (7 U.S.C. 181 et. seq.) (except as provided in section 406 of that Act (7 U.S.C. 226, 227)), by the Secretary of Agriculture with respect to any activities subject to that Act; and

(6 5) the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.) by the Farm Credit Administration with respect to any Federal land bank, Federal land bank association, Federal intermediate credit bank, or production credit association.

(c) Exercise of certain powers
For the purpose of the exercise by any agency referred to in subsection (a) of its powers under any Act referred to in that subsection, a violation of any requirement imposed under this chapter shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in subsection (a), each of the agencies referred to in that subsection may exercise, for the purpose of enforcing compliance with any requirement imposed under this chapter, any other authority conferred on it by law.
(d) Actions by Commission
The Commission shall prevent any person from violating section 1303(a)(1) or a rule of the Commission under section 6502 of this title in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this chapter. Any entity that violates section 1303(a)(1) or a rule of the Commission under section 1303 shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act in the same manner, by the same means, and with the same jurisdiction, power, and duties as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this chapter.
(e) Effect on other laws
Nothing contained in this chapter shall be construed to limit the authority of the Commission under any other provisions of law.
(f) Additional Requirement.—Any regulations issues under this title shall include a description and analysis of the impact of proposed and final Rules on small entities per the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq.).
(f) Determination of Whether an Operator Has Knowledge Fairly Implied on the Basis of Objective Circumstances.--

(1) Rule of construction.--For purposes of enforcing this title or a regulation promulgated under this title, in making a determination as to whether an operator has knowledge fairly implied on the basis of objective circumstances that a specific user is a child or teen, the Commission or State attorneys general shall rely on competent and reliable evidence, taking into account any guidance issued by the Commission the totality of the circumstances, including whether a reasonable and prudent person under the circumstances would have known that the user is a child or teen. Nothing in this title, including a determination described in the preceding sentence, shall be construed to require an operator to–

(A) affirmatively collect any personal information with respect to the age of a child or teen that an operator is not already collecting in the normal course of business; or

(B) implement an age gating or age verification functionality.

(2) Commission guidance.--

(A) In general.--Within 180 days of enactment, the Commission shall issue guidance to provide information, including best practices and examples for operators to understand the Commission's determination of whether an operator has knowledge fairly implied on the basis of objective circumstances that a user is a child or teen.

(B) Limitation.--No guidance issued by the Commission with respect to this title shall confer any rights on any person, State, or locality, nor shall operate to bind the Commission or any person to the approach recommended in such guidance. In any enforcement action brought pursuant to this title, the Commission or State attorney general, as applicable, shall allege a specific violation of a provision of this title. The Commission or State attorney general, as applicable, may not base an enforcement action on, or execute a consent order based on, practices that are alleged to be inconsistent with any such guidance, unless the practices allegedly violate this title. For purposes of enforcing this title or a regulation promulgated under this title, State attorneys general shall take into account any guidance issued by the Commission under subparagraph (A).

(g) Additional Requirement.--Any regulations issued under this title shall include a description and analysis of the impact of proposed and final Rules on small entities per the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq.).

§6506. Review

Not later than 5 years after the effective date of the regulations initially issued under section 6502 of this title, the Commission shall—

(1) review the implementation of this chapter, including the effect of the implementation of this chapter on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and

(2) prepare and submit to Congress a report on the results of the review under paragraph (1).

SEC. 3 202 STUDY AND REPORTS OF MOBILE AND ONLINE APPLICATION OVERSIGHT AND ENFORCEMENT.

(a) Oversight Report.--Not later than 3 years after the date of enactment of this Act, title, the Federal Trade Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the processes of platforms that offer mobile and online applications for ensuring that, of those applications that are websites, online services, online applications, or mobile applications directed to children, the applications operate in accordance with--

(1) this Act, title, the amendments made by this Act, title, and regulations rules promulgated under this Act; title; and

(2) rules promulgated by the Commission under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a) relating to unfair or deceptive acts or practices in marketing.

(b) Enforcement Report.--Not later than 1 year after the date of enactment of this Act, and each year thereafter, the Federal Trade Commission shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that addresses, at a minimum--

(1) the number of actions brought by the Commission during the reporting year to enforce the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501) (referred to in this subsection as the "Act") and the outcome of each such action;

(2) the total number of investigations or inquiries into potential violations of the Act; during the reporting year;

(3) the total number of open investigations or inquiries into potential violations of the Act as of the time the report is submitted;

(4) the number and nature of complaints received by the Commission relating to an allegation of a violation of the Act during the reporting year; and

(5) policy or legislative recommendations to strengthen online protections for children and teens.

SEC. 203. GAO STUDY.

(a) Study.--The Comptroller General of the United States (in this section referred to as the "Comptroller General") shall conduct a study on the privacy of teens who use financial technology products. Such study shall--

(1) identify the type of financial technology products that teens are using;

(2) identify the potential risks to teens' privacy from using such financial technology products; and

(3) determine whether existing laws are sufficient to address such risks to teens' privacy.

(b) Report.--Not later than 1 year after the date of enactment of this section, the Comptroller General shall submit to Congress a report containing the results of the study conducted under subsection (a), together with recommendations for such legislation and administrative action as the Comptroller General determines appropriate.

SEC. 204. 4. SEVERABILITY.

If any provision of this Act, title, or an amendment made by this Act, title, is determined to be unenforceable or invalid, the remaining provisions of this Act title and the amendments made by this Act title shall not be affected.