HOUSE BILL NO. 5823
June 18, 2024, Introduced by Reps. Glanville, Tyrone Carter, Haadsma, Hood, Koleszar, Hoskins,
Skaggs, Arbit and Breen and referred to the Committee on Regulatory Reform.
A bill to establish standards and practices relating to
certain online services, products, and features that are likely to
be accessed by children; to prohibit certain acts and practices
related to certain online services, products, and features that are
likely to be accessed by children; to prescribe civil sanctions; to
create a fund; and to provide for the powers and duties of certain
state and local governmental officers and entities.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
1 Sec. 1. This act may be cited as the "age-appropriate design
2 code act".
VMP 04739'23
1 Sec. 2. For purposes of this act, the words and phrases
2 defined in sections 3 and 4 have the meanings ascribed to them in
3 those sections.
4 Sec. 3. (1) "Best interest of children" means the best
5 interest of children considering the privacy, safety, mental and
6 physical health, access to information, freedom to participate in
7 society, meaningful access to digital technologies, and wellbeing
8 of children.
9 (2) "Business" means any of the following:
10 (a) A sole proprietorship, partnership, limited liability
11 company, corporation, association, or other legal entity to which
12 all of the following apply:
13 (i) It is organized or operated for the profit or financial
14 benefit of its shareholders or other owners.
15 (ii) It collects personal information of consumers or has
16 personal information of consumers collected on its behalf.
17 (iii) It alone, or jointly with others, determines the purpose
18 and means of processing the personal information of consumers.
19 (iv) It does business in this state.
20 (v) It satisfies at least 1 of the following:
21 (A) It has an annual gross revenue in excess of
22 $25,000,000.00. Beginning January 1, 2027, and every 2 years
23 thereafter, the department of treasury shall adjust the amount of
24 annual gross revenue to reflect the percentage change in the
25 Consumer Price Index.
26 (B) It annually buys, receives for a commercial purpose,
27 sells, or shares for a commercial purpose, or any combination
28 thereof, the personal information of at least 50,000 consumers or
29 households.
1 (b) A person that controls or is controlled by a legal entity
2 described in subdivision (a) and that shares common branding with
3 the legal entity. As used in this subdivision, "controls" or
4 "controlled" means any of the following:
5 (i) Ownership of, or the power to vote, more than 50% of the
6 outstanding shares of any class of voting security of the legal
7 entity.
8 (ii) Control in any manner over the election of a majority of
9 the directors of the legal entity, or of individuals exercising
10 similar functions in the legal entity.
11 (iii) Power to exercise a controlling influence over the
12 management of the legal entity.
13 (3) "Child" means a consumer who the business has actual
14 knowledge is under 18 years of age.
15 (4) "Collects" means buying, renting, gathering, obtaining,
16 receiving, or accessing any personal information pertaining to a
17 consumer by any means. Collects includes, but is not limited to,
18 receiving information from a consumer, either actively or
19 passively, or by observing the consumer's behavior.
20 (5) "Common branding" means a shared name, service mark, or
21 trademark for which the average consumer would understand that 2 or
22 more entities are commonly owned.
23 (6) "Consumer" means an individual who is a resident of this
24 state. Consumer does not include an individual acting in a
25 commercial or employment context or as an employee, owner,
26 director, officer, or contractor of a business whose communications
27 or transactions with the business occur solely within the context
28 of the individual's role with the business.
29 (7) "Consumer Price Index" means the most comprehensive index
1 of consumer prices available for this state from the Bureau of
2 Labor Statistics of the United States Department of Labor.
3 (8) "Dark pattern" means a user interface that is knowingly
4 designed or manipulated with the purpose of subverting or impairing
5 user autonomy, decision making, or choice.
6 (9) "Data protection impact assessment" means a systematic
7 survey that assesses compliance with the duty to act in the best
8 interest of children.
9 (10) "Default" means a preselected option adopted by a
10 business for an online service, product, or feature.
11 (11) "Deidentified data" means data that cannot reasonably be
12 used to infer information about, or otherwise be linked to, an
13 identified or identifiable child or a device linked to a child, if
14 the business that possesses the data does all of the following:
15 (a) Takes reasonable measures to ensure that the data cannot
16 be associated with an individual.
17 (b) Publicly commits to process the data only in a
18 deidentified fashion and to not attempt to reidentify the data.
19 (c) Contractually obligates each recipient of the data to
20 satisfy the criteria described in subdivisions (a) and (b).
21 Sec. 4. (1) "Likely to be accessed by children" means it is
22 reasonable to expect that the online service, product, or feature
23 would be accessed by children because either of the following apply
24 to the online service, product, or feature:
25 (a) It is considered a website or online service directed to
26 children, as that term is defined in 15 USC 6501.
27 (b) It is determined, based on competent and reliable evidence
28 regarding audience composition, to be routinely accessed by 5,000
29 or more children.
1 (2) "Online service, product, or feature" means an online
2 service, product, or feature that is offered to the public. Online
3 service, product, or feature does not include either of the
4 following:
5 (a) A telecommunications service, as that term is defined in
6 47 USC 153.
7 (b) The delivery or use of a physical product.
8 (3) "Personal information" means information that is linked or
9 reasonably linkable to an identified or identifiable individual.
10 Personal information does not include deidentified data or publicly
11 available information.
12 (4) "Precise geolocation information" means information that
13 is derived from a device and that is used or intended to be used to
14 locate a consumer within a geographic area that is not more than
15 the area of a circle with a radius of 1,850 feet.
16 (5) "Processor" means a person or automated system that
17 processes personal information on behalf of a business.
18 (6) "Profiling" means any form of automated processing of
19 personal information that uses the personal information to evaluate
20 an individual, including, but not limited to, analyzing or
21 predicting an individual's performance at work, economic situation,
22 health, personal preferences, interests, reliability, behavior,
23 location, or movements. Profiling does not include automated
24 processing that does not result in an assessment or judgment about
25 an individual.
26 (7) "Rights and freedoms of children" means rights afforded to
27 children under the United States constitution and the laws of this
28 state.
29 (8) "Sell" means to exchange personal information for monetary
1 consideration. Sell does not include any of the following:
2 (a) Disclosing personal information to a processor that
3 processes the personal information on behalf of the business.
4 (b) Disclosing personal information to a third party for the
5 purpose of providing a product or service that was requested by a
6 consumer.
7 (c) Disclosing or transferring personal information to an
8 affiliate of the business, except for an affiliate marketer that is
9 paid a commission by the business.
10 (d) Disclosing personal information to which both of the
11 following apply:
12 (i) The consumer intentionally made the personal information
13 available to the general public via a channel of mass media.
14 (ii) The consumer did not restrict the personal information to
15 a specific audience.
16 (e) Disclosing or transferring personal information to a third
17 party as an asset that is part of a merger, acquisition,
18 bankruptcy, or other transaction in which the third party assumes
19 control of all or part of the business's assets.
20 (9) "Third party" means a person, other than a consumer,
21 business, or processor, or an affiliate marketer that is paid a
22 commission by a business.
23 Sec. 5. (1) This act does not apply to any of the following
24 information:
25 (a) Protected health information that is collected by a
26 covered entity or business associate governed by the privacy,
27 security, and breach notification rules under the health insurance
28 portability and accountability act of 1996, Public Law 104-191, and
29 the regulations promulgated under that act, 45 CFR parts 160 and
1 164, and the health information technology for economic and
2 clinical health act, Public Law 111-5.
3 (b) Information that is collected as part of a clinical trial
4 that is subject to the federal policy for the protection of human
5 subjects under 45 CFR part 46.
6 (c) Information that is collected in accordance with the "Good
7 Clinical Practice Guidelines" issued by the International Council
8 for Harmonisation of Technical Requirements for Pharmaceuticals for
9 Human Use.
10 (d) Information that is collected in accordance with the human
11 subject protection requirements of the United States Food and Drug
12 Administration under 21 CFR part 50.
13 (e) Covered information under the student online personal
14 protection act, 2016 PA 368, MCL 388.1291 to 388.1295.
15 (2) This act does not apply to a covered entity governed by
16 the privacy, security, and breach notification rules under the
17 health insurance portability and accountability act of 1996, Public
18 Law 104-191, and the regulations promulgated under that act, 45 CFR
19 parts 160 and 164, if the covered entity maintains patient
20 information in the same manner as protected health information
21 under subsection (1)(a).
22 (3) This act does not apply to a person that complies with the
23 children's online privacy protection act of 1998, 15 USC 6501 to
24 6506, for a child who is under 13 years of age.
25 Sec. 7. (1) If, on the effective date of this act, a business
26 provides an existing online service, product, or feature that uses
27 a type of processing, particularly new technology, that is likely
28 to be accessed by children and to result in high-risk to children,
29 the business must complete a data protection impact assessment not
1 later than 1 year after the effective date of this act. In
2 determining whether the business must complete a data protection
3 impact assessment, the nature, scope, context, and purpose of the
4 processing must be taken into account.
5 (2) Beginning on the effective date of this act, a business
6 shall not provide a new online service, product, or feature that is
7 likely to be accessed by children until after the business
8 completes a data protection impact assessment.
9 (3) A business may complete a single data protection impact
10 assessment for multiple online services, products, or features, if
11 the online services, products, or features address a set of similar
12 processing operations that present similar risks.
13 (4) If a business completes a data protection impact
14 assessment under subsection (1) or (2), the business shall do both
15 of the following:
16 (a) Maintain documentation of the data protection impact
17 assessment until the time that the online service, product, or
18 feature that is subject to the data protection impact assessment is
19 not likely to do both of the following:
20 (i) Be accessed by children.
21 (ii) Use processing that is likely to result in high-risk to
22 children.
23 (b) Review and update the data protection impact assessment as
24 necessary to account for any significant changes to the processing
25 operations of the online service, product, or feature until the
26 time described in subdivision (a).
27 (5) A data protection impact assessment under subsection (1)
28 or (2) must include all of the following:
29 (a) The purpose of the online service, product, or feature.
1 (b) A description of how the online service, product, or
2 feature uses children's personal information.
3 (c) A determination of whether the online service, product, or
4 feature is designed and offered in a manner that is consistent with
5 the best interest of children who are likely to access the online
6 service, product, or feature as determined by examining at least
7 all of the following:
8 (i) A systematic description of the envisaged processing and
9 the purposes of the processing.
10 (ii) An assessment of the necessity and proportionality of the
11 processing operations in relation to the purposes.
12 (iii) An assessment of the risks to the rights and freedoms of
13 children.
14 (iv) The measures envisaged to address the risks described in
15 subparagraph (iii), including, but not limited to, safeguards,
16 security measures, and other mechanisms to ensure the protection of
17 personal information and to demonstrate compliance with this act
18 taking into account the rights and freedoms of children.
19 (6) The attorney general may submit a written request to a
20 business for either of the following:
21 (a) A list describing each data protection impact assessment
22 completed by the business under subsection (1) or (2).
23 (b) A copy of a data protection impact assessment completed by
24 the business under subsection (1) or (2).
25 (7) Except as otherwise provided in subsection (8), if a
26 request is made by the attorney general under subsection (6), the
27 business must provide the document to the attorney general not
28 later than 90 days after receiving the request.
29 (8) A business is not required to provide a document to the
1 attorney general if the disclosure would reveal a trade secret of
2 the business.
3 (9) A document provided by a business to the attorney general
4 under this section is exempt from disclosure under the freedom of
5 information act, 1976 PA 442, MCL 15.231 to 15.246.
6 (10) The disclosure of a document by a business to the
7 attorney general under this section is not a waiver of attorney-
8 client privilege or work product protected with respect to the
9 document or any information contained in the document.
10 (11) A data protection impact assessment completed by a
11 business under another law that otherwise satisfies the
12 requirements of this section is considered to comply with this
13 section.
14 Sec. 9. (1) A business that provides an online service,
15 product, or feature that is likely to be accessed by children may
16 conduct an age estimation to determine which users of the online
17 service, product, or feature are under 18 years of age. A business
18 that conducts an age estimation under this section shall use a
19 commercially reasonable method with a reasonable level of certainty
20 that is proportionate to the risks that arise from the data
21 processing practices of the business.
22 (2) If a business has made a good faith effort to estimate the
23 age of children using the online service, product, or feature with
24 a reasonable level of certainty that is appropriate to the risks
25 that arise from the data processing practices of the business or
26 the business has applied protections that are proportionate to the
27 risks to children that arise from the data management practices of
28 the business to all users of the online service, product, or
29 feature, the business is not liable for any of the following:
1 (a) Any data processing that is undertaken during the period
2 in which the business