[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2657 Introduced in House (IH)]
<DOC>
119th CONGRESS
1st Session
H. R. 2657
To require large social media platform providers to create, maintain,
and make available to third-party safety software providers a set of
real-time application programming interfaces, through which a child or
a parent or legal guardian of a child may delegate permission to a
third-party safety software provider to manage the online interactions,
content, and account settings of such child on the large social media
platform on the same terms as such child, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 3, 2025
Ms. Wasserman Schultz (for herself, Mr. Carter of Georgia, Ms. Schrier,
Mrs. Miller-Meeks, Mr. Suozzi, and Mr. Fitzpatrick) introduced the
following bill; which was referred to the Committee on Energy and
Commerce
_______________________________________________________________________
A BILL
To require large social media platform providers to create, maintain,
and make available to third-party safety software providers a set of
real-time application programming interfaces, through which a child or
a parent or legal guardian of a child may delegate permission to a
third-party safety software provider to manage the online interactions,
content, and account settings of such child on the large social media
platform on the same terms as such child, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Sammy's Law''.
SEC. 2. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) parents and legal guardians should be empowered to use
the services of third-party safety software providers to
protect the children of such parents and legal guardians from
certain harms on large social media platforms; and
(2) dangers like cyberbullying, human trafficking, illegal
drug distribution, sexual harassment, and violence perpetrated,
facilitated, or exacerbated through the use of certain large
social media platforms have harmed children on such platforms.
SEC. 3. DEFINITIONS.
In this Act:
(1) Child.--The term ``child'' means any individual under
the age of 17 years who has registered an account with a large
social media platform.
(2) Commerce.--The term ``commerce'' has the meaning given
such term in section 4 of the Federal Trade Commission Act (15
U.S.C. 44).
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Large social media platform.--The term ``large social
media platform''--
(A) means a service--
(i) provided through an internet website or
a mobile application (or both);
(ii) the terms of service of which do not
prohibit the use of the service by a child;
(iii) with any feature or features that
enable a child to share images, text, or video
through the internet with other users of the
service whom such child has met, identified, or
become aware of solely through the use of the
service; and
(iv) that has more than 100,000,000 monthly
global active users or generates more than
$1,000,000,000 in gross revenue per year,
adjusted yearly for inflation; and
(B) does not include--
(i) a service that primarily serves--
(I) to facilitate--
(aa) the sale or provision
of professional services; or
(bb) the sale of commercial
products; or
(II) to provide news or
information, where the service does not
offer the ability for content to be
sent by a user directly to a child; or
(ii) a service that--
(I) has a feature that enables a
user who communicates directly with a
child through a message (including a
text, audio, or video message) not
otherwise available to other users of
the service to add other users to that
message that such child may not have
otherwise met, identified, or become
aware of solely through the use of the
service; and
(II) does not have any feature or
features described in subparagraph
(A)(iii).
(5) Large social media platform provider.--The term ``large
social media platform provider'' means any person who, for
commercial purposes in or affecting commerce, provides,
manages, operates, or controls a large social media platform.
(6) State.--The term ``State'' means each State of the
United States, the District of Columbia, each commonwealth,
territory, or possession of the United States, and each
federally recognized Indian Tribe.
(7) Third-party safety software provider.--The term
``third-party safety software provider'' means any person who,
for commercial purposes in or affecting commerce, is authorized
by a child (if the child is 13 years of age or older) or a
parent or legal guardian of a child to interact with a large
social media platform to manage the online interactions,
content, or account settings of such child for the sole purpose
of protecting such child from harm, including physical or
emotional harm.
(8) User data.--The term ``user data'' means any
information needed to have a profile on a large social media
platform or content on a large social media platform, including
images, video, audio, or text, that is created by or sent to a
child on or through the account of such child with such
platform, but only--
(A) if the information or content is created by or
sent to such child while a delegation under section
4(a) is in effect with respect to the account; and
(B) during a 30-day period beginning on the date on
which the information or content is created by or sent
to such child.
SEC. 4. PROVIDING ACCESS TO THIRD-PARTY SAFETY SOFTWARE.
(a) Duty of Large Social Media Platform Providers.--
(1) In general.--Not later than 30 days after the effective
date of this Act (in the case of a service that is a large
social media platform on such effective date) or not later than
30 days after a service becomes a large social media platform
(in the case of a service that becomes a large social media
platform after such effective date), the large social media
platform provider shall create, maintain, and make available to
any third-party safety software provider registered with the
Commission under subsection (b)(1) a set of third-party-
accessible real-time application programming interfaces,
including any information necessary to use such interfaces, by
which a child (if the child is 13 years of age or older) or a
parent or legal guardian of a child may delegate permission to
the third-party safety software provider to--
(A) manage the online interactions, content, and
account settings of such child on the large social
media platform on the same terms as such child; and
(B) initiate secure transfers of user data from the
large social media platform in a commonly-used and
machine-readable format to the third-party safety
software provider, where the frequency of such
transfers may not be limited by the large social media
platform provider to less than once per hour.
(2) Revocation.--Once a child or a parent or legal guardian
of a child makes a delegation under paragraph (1), the large
social media platform provider shall make the application
programming interfaces and information described in such
paragraph available to the third-party safety software provider
on an ongoing basis until--
(A) the child (if the child made the delegation) or
the parent or legal guardian of such child revokes the
delegation;
(B) the child or a parent or legal guardian of such
child revokes or disables the registration of the
account of such child with the large social media
platform;
(C) the third-party safety software provider
rejects the delegation; or
(D) one or more of the affirmations made by the
third-party safety software provider under subsection
(b)(1)(A) is no longer true.
(3) Secure transfer of user data.--A large social media
platform provider shall establish and implement reasonable
policies, practices, and procedures regarding the secure
transfer of user data pursuant to a delegation under paragraph
(1) from the large social media platform to a third-party
safety software provider in order to mitigate any risks related
to user data.
(4) Disclosure.--In the case of a delegation made by a
child or a parent or legal guardian of a child under paragraph
(1) with respect to the account of such child with a large
social media platform, the large social media platform provider
shall--
(A) disclose to such child and (if the parent or
legal guardian made the delegation) the parent or legal
guardian the fact that the delegation has been made;
(B) provide to such child and (if such parent or
legal guardian made the delegation) such parent or
legal guardian a summary of the user data that is
transferred to the third-party safety software
provider; and
(C) update the summary provided under subparagraph
(B) as necessary to reflect any change to the user data
that is transferred to the third-party safety software
provider.
(5) Limitation.--Any management by a third-party safety
software provider of online interactions, content, and account
settings of a child under this subsection shall be limited to
such management that protects such child from harm, including
the optimization of the privacy settings of the account, stated
user age, and marketing settings of the child.
(b) Third-Party Safety Software Providers.--
(1) Registration with commission.--A third-party safety
software provider shall register with the Commission as a
condition of accessing an application programming interface and
any information under subsection (a). As a condition of such
registration, the third-party safety software provider shall--
(A) satisfactorily demonstrate to the Commission
that the third-party safety software provider--
(i) is a company based in the United
States;
(ii) is not a subsidiary of any foreign-
owned company or otherwise controlled by a
foreign person or persons;
(iii) will solely use any user data
obtained under subsection (a) for the purpose
of protecting a child from harm in accordance
with any applicable terms of service and the
provisions of this Act;
(iv) will only disclose user data obtained
under subsection (a) as permitted by subsection
(f);
(v) will process and maintain all user data
obtained under subsection (a) and copies of any
communications generated in relation thereto
exclusively on hardware and devices located
within the territorial boundaries of the United
States;
(vi)(I) will delete any user data obtained
under this section as soon as possible but not
later than 14 days after receiving such data
from the large social media platform, not
including any data the third-party safety
software provider discloses under subsection
(f);
(II) for any data disclosed under
subsection (f)(1)(C), will maintain such data
until the child or a parent or legal guardian
of the child who made a delegation under
subsection (a) and whose data is at issue
requests that the third-party safety software
provider delete such data; and
(III) in the event that the child or a
parent or legal guardian of the child who made
a delegation under subsection (a) cancels their
account with the third-party safety software
provider, will delete all applicable user data
no later than 30 days after the request for
account cancellation has been made; and
(vii) will disclose, in an easy-to-
understand, human-readable format, to each
child with respect to whose account with a
large social media platform the service of the
third-party safety software provider is
operating and (if a parent or legal guardian of
the child made the delegation under subsection
(a) with respect to the account) to the parent
or legal guardian, sufficient information
detailing the operation of the service and what
information the third-party safety software
provider is collecting to enable such child and
(if applicable) such parent or legal guardian
to make informed decisions regarding the use of
the service; and
(B) as part of the registration process, undergo a
security review in such form as the Commission may
proscribe but which may include requiring that a
qualified independent auditing firm conduct such a
review to independently verify and confirm via a
written report (which shall be exempt from disclosure
under section 552(b)(3) of title 5, United States Code)
that the third-party safety software provider--
(i) is in compliance, or has the ability to
comply, with the requirements of subparagraph
(A);
(ii) is able to provide services in
accordance with any applicable terms of service
and any relevant disclosures made to any
consumer, including whether such terms and
disclosures are clear and conspicuous and are
written in plain and easy-to-understand
English;
(iii) has taken appropriate steps to assess
potential risks and to protect the
confidentiality, integrity, and security of any
user data, including a determination of the
adequacy of business and technology-related
controls, policies, procedures, and other
safeguards employed by the third-party safety
software provider based on guidance issued by
the Commission and other industry standards and
best practices; and
(iv) assesses compliance with applicable
Federal law, including the requirements of this
Act.
(2) Annual audit.--
(A) Audit process; audit report.--For each year or
partial year during which a third-party safety software
provider is registered with the Commission under
paragraph (1), the third-party safety software provider
shall retain the services of a qualified independent
auditing firm to complete an annual audit and write an
audit report (which shall be exempt from disclosure
under section 552(b)(3) of title 5, United States
Code), and such audit report shall--
(i) include a review and assessment of the
third-party safety software provider's initial
security review and any subsequent written
reports, including whether the third-party
safety software provider has remained in
compliance with the requirements described in
paragraph (1)(B); and
(ii) identify whether the third-party
safety software provider has made any material
changes in how the third-party safety software
provider provides services, and in the event of
any such material changes, provide an
explanation as to how such changes have
impacted users.
(B) Submissio