HOUSE BILL NO. 5823

A bill to establish standards and practices relating to certain online services, products, and features that are likely to be accessed by children; to prohibit certain acts and practices related to certain online services, products, and features that are likely to be accessed by children; to prescribe civil sanctions; to create a fund; and to provide for the powers and duties of certain state and local governmental officers and entities.

the people of the state of michigan enact:

Sec. 1. This act may be cited as the "age-appropriate design code act".

Sec. 2. For purposes of this act, the words and phrases defined in sections 3 and 4 have the meanings ascribed to them in those sections.

Sec. 3. (1) "Best interest of children" means the best interest of children considering the privacy, safety, mental and physical health, access to information, freedom to participate in society, meaningful access to digital technologies, and wellbeing of children.

(2) "Business" means any of the following:

(a) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity to which all of the following apply:

(i) It is organized or operated for the profit or financial benefit of its shareholders or other owners.

(ii) It collects personal information of consumers or has personal information of consumers collected on its behalf.

(iii) It alone, or jointly with others, determines the purpose and means of processing the personal information of consumers.

(iv) It does business in this state.

(v) It satisfies at least 1 of the following:

(A) It has an annual gross revenue in excess of $25,000,000.00. Beginning January 1, 2027, and every 2 years thereafter, the department of treasury shall adjust the amount of annual gross revenue to reflect the percentage change in the Consumer Price Index.

(B) It annually buys, receives for a commercial purpose, sells, or shares for a commercial purpose, or any combination thereof, the personal information of at least 50,000 consumers or households.

(b) A person that controls or is controlled by a legal entity described in subdivision (a) and that shares common branding with the legal entity. As used in this subdivision, "controls" or "controlled" means any of the following:

(i) Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of the legal entity.

(ii) Control in any manner over the election of a majority of the directors of the legal entity, or of individuals exercising similar functions in the legal entity.

(iii) Power to exercise a controlling influence over the management of the legal entity.

(3) "Child" means a consumer who the business has actual knowledge is under 18 years of age.

(4) "Collects" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. Collects includes, but is not limited to, receiving information from a consumer, either actively or passively, or by observing the consumer's behavior.

(5) "Common branding" means a shared name, service mark, or trademark for which the average consumer would understand that 2 or more entities are commonly owned.

(6) "Consumer" means an individual who is a resident of this state. Consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a business whose communications or transactions with the business occur solely within the context of the individual's role with the business.

(7) "Consumer Price Index" means the most comprehensive index of consumer prices available for this state from the Bureau of Labor Statistics of the United States Department of Labor.

(8) "Dark pattern" means a user interface that is knowingly designed or manipulated with the purpose of subverting or impairing user autonomy, decision making, or choice.

(9) "Data protection impact assessment" means a systematic survey that assesses compliance with the duty to act in the best interest of children.

(10) "Default" means a preselected option adopted by a business for an online service, product, or feature.

(11) "Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable child or a device linked to a child, if the business that possesses the data does all of the following:

(a) Takes reasonable measures to ensure that the data cannot be associated with an individual.

(b) Publicly commits to process the data only in a deidentified fashion and to not attempt to reidentify the data.

(c) Contractually obligates each recipient of the data to satisfy the criteria described in subdivisions (a) and (b).

Sec. 4. (1) "Likely to be accessed by children" means it is reasonable to expect that the online service, product, or feature would be accessed by children because either of the following apply to the online service, product, or feature:

(a) It is considered a website or online service directed to children, as that term is defined in 15 USC 6501.

(b) It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by 5,000 or more children.

(2) "Online service, product, or feature" means an online service, product, or feature that is offered to the public. Online service, product, or feature does not include either of the following:

(a) A telecommunications service, as that term is defined in 47 USC 153.

(b) The delivery or use of a physical product.

(3) "Personal information" means information that is linked or reasonably linkable to an identified or identifiable individual. Personal information does not include deidentified data or publicly available information.

(4) "Precise geolocation information" means information that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is not more than the area of a circle with a radius of 1,850 feet.

(5) "Processor" means a person or automated system that processes personal information on behalf of a business.

(6) "Profiling" means any form of automated processing of personal information that uses the personal information to evaluate an individual, including, but not limited to, analyzing or predicting an individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Profiling does not include automated processing that does not result in an assessment or judgment about an individual.

(7) "Rights and freedoms of children" means rights afforded to children under the United States constitution and the laws of this state.

(8) "Sell" means to exchange personal information for monetary consideration. Sell does not include any of the following:

(a) Disclosing personal information to a processor that processes the personal information on behalf of the business.

(b) Disclosing personal information to a third party for the purpose of providing a product or service that was requested by a consumer.

(c) Disclosing or transferring personal information to an affiliate of the business, except for an affiliate marketer that is paid a commission by the business.

(d) Disclosing personal information to which both of the following apply:

(i) The consumer intentionally made the personal information available to the general public via a channel of mass media.

(ii) The consumer did not restrict the personal information to a specific audience.

(e) Disclosing or transferring personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business's assets.

(9) "Third party" means a person, other than a consumer, business, or processor, or an affiliate marketer that is paid a commission by a business.

Sec. 5. (1) This act does not apply to any of the following information:

(a) Protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules under the health insurance portability and accountability act of 1996, Public Law 104-191, and the regulations promulgated under that act, 45 CFR parts 160 and 164, and the health information technology for economic and clinical health act, Public Law 111-5.

(b) Information that is collected as part of a clinical trial that is subject to the federal policy for the protection of human subjects under 45 CFR part 46.

(c) Information that is collected in accordance with the "Good Clinical Practice Guidelines" issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use.

(d) Information that is collected in accordance with the human subject protection requirements of the United States Food and Drug Administration under 21 CFR part 50.

(e) Covered information under the student online personal protection act, 2016 PA 368, MCL 388.1291 to 388.1295.

(2) This act does not apply to a covered entity governed by the privacy, security, and breach notification rules under the health insurance portability and accountability act of 1996, Public Law 104-191, and the regulations promulgated under that act, 45 CFR parts 160 and 164, if the covered entity maintains patient information in the same manner as protected health information under subsection (1)(a).

(3) This act does not apply to a person that complies with the children's online privacy protection act of 1998, 15 USC 6501 to 6506, for a child who is under 13 years of age.

Sec. 7. (1) If, on the effective date of this act, a business provides an existing online service, product, or feature that uses a type of processing, particularly new technology, that is likely to be accessed by children and to result in high-risk to children, the business must complete a data protection impact assessment not later than 1 year after the effective date of this act. In determining whether the business must complete a data protection impact assessment, the nature, scope, context, and purpose of the processing must be taken into account.

(2) Beginning on the effective date of this act, a business shall not provide a new online service, product, or feature that is likely to be accessed by children until after the business completes a data protection impact assessment.

(3) A business may complete a single data protection impact assessment for multiple online services, products, or features, if the online services, products, or features address a set of similar processing operations that present similar risks.

(4) If a business completes a data protection impact assessment under subsection (1) or (2), the business shall do both of the following:

(a) Maintain documentation of the data protection impact assessment until the time that the online service, product, or feature that is subject to the data protection impact assessment is not likely to do both of the following:

(i) Be accessed by children.

(ii) Use processing that is likely to result in high-risk to children.

(b) Review and update the data protection impact assessment as necessary to account for any significant changes to the processing operations of the online service, product, or feature until the time described in subdivision (a).

(5) A data protection impact assessment under subsection (1) or (2) must include all of the following:

(a) The purpose of the online service, product, or feature.

(b) A description of how the online service, product, or feature uses children's personal information.

(c) A determination of whether the online service, product, or feature is designed and offered in a manner that is consistent with the best interest of children who are likely to access the online service, product, or feature as determined by examining at least all of the following:

(i) A systematic description of the envisaged processing and the purposes of the processing.

(ii) An assessment of the necessity and proportionality of the processing operations in relation to the purposes.

(iii) An assessment of the risks to the rights and freedoms of children.

(iv) The measures envisaged to address the risks described in subparagraph (iii), including, but not limited to, safeguards, security measures, and other mechanisms to ensure the protection of personal information and to demonstrate compliance with this act taking into account the rights and freedoms of children.

(6) The attorney general may submit a written request to a business for either of the following:

(a) A list describing each data protection impact assessment completed by the business under subsection (1) or (2).

(b) A copy of a data protection impact assessment completed by the business under subsection (1) or (2).

(7) Except as otherwise provided in subsection (8), if a request is made by the attorney general under subsection (6), the business must provide the document to the attorney general not later than 90 days after receiving the request.

(8) A business is not required to provide a document to the attorney general if the disclosure would reveal a trade secret of the business.

(9) A document provided by a business to the attorney general under this section is exempt from disclosure under the freedom of information act, 1976 PA 442, MCL 15.231 to 15.246.

(10) The disclosure of a document by a business to the attorney general under this section is not a waiver of attorney-client privilege or work product protected with respect to the document or any information contained in the document.

(11) A data protection impact assessment completed by a business under another law that otherwise satisfies the requirements of this section is considered to comply with this section.

Sec. 9. (1) A business that provides an online service, product, or feature that is likely to be accessed by children may conduct an age estimation to determine which users of the online service, product, or feature are under 18 years of age. A business that conducts an age estimation under this section shall use a commercially reasonable method with a reasonable level of certainty that is proportionate to the risks that arise from the data processing practices of the business.

(2) If a business has made a good faith effort to estimate the age of children using the online service, product, or feature with a reasonable level of certainty that is appropriate to the risks that arise from the data processing practices of the business or the business has applied protections that are proportionate to the risks to children that arise from the data management practices of the business to all users of the online service, product, or feature, the business is not liable for any of the following:

(a) Any data processing that is undertaken during the period in which the business is estimating the age of children using the online service, product, or feature.

(b) Any data processing in the absence of reasonable evidence that users of the online service, product, or feature are children.

(c) An erroneous estimation.

Sec. 11. (1) A business that provides an online service, product, or feature that is likely to be accessed by children shall configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a level of privacy that aligns with this act, unless either of the following apply:

(a) The business can demonstrate a compelling reason that the processing is in the best interest of children.

(b) The processing enhances children's experience of the online service, product, or feature and the business offers settings to control the use of children's personal information for that purpose.

(2) If a business complies with subsection (1), a default privacy setting is not a dark pattern.

Sec. 13. A business that provides an online service, product, or feature that is likely to be accessed by children shall provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children that are likely to access the online service, product, or feature.

Sec. 15. If a business provides an online service, product, or feature that is likely to be accessed by children and that allows a child's parent or legal guardian, or any other consumer, to monitor the child's online activity or track any precise geolocation information of the child, the business must provide an obvious signal to the child when the child is being monitored or tracked.

Sec. 17. A business that provides an online service, product, or feature that is likely to be accessed by children shall provide a prominent, accessible, and responsive tool to help children, or if applicable, their parents or legal guardians, exercise their privacy rights and report concerns about the online service, product, or feature to the business.

Sec. 19. A business that provides an online service, product, or feature that is likely to be accessed by children shall not do any of the following:

(a) Use the personal information of a child likely to access the online service, product, or feature in a way that the business knows is likely to result in high-risk to a child based on a data protection impact assessment and the business knows the high-risk has not been suitably mitigated through measures identified in the data protection impact assessment.

(b) Profile a child using default privacy settings unless both of the following apply:

(i) The default privacy settings comply with section 11.

(ii) At least 1 of the following is satisfied:

(A) The profiling is necessary to provide the online service, product, or feature and only with respect to the aspects of the online service, product, or feature with which the child is actively and knowingly engaged.

(B) The business can demonstrate a compelling reasoning that profiling is in the best interest of children.

(C) The profiling enhances children's experience on the online service, product, or feature, and the business offers settings to control the use of the children's personal information for that purpose.

(c) Collect, sell, process, or retain personal information of a child in a way that has been identified as high-risk based on a data protection impact assessment and the business knows the high-risk has not been suitably mitigated through measures identified in the data protection impact assessment.

(d) Collect, sell, process, or retain any precise geolocation information of a child through default privacy settings unless the default privacy settings comply with section 11.

(e) If the end user of the online service, product, or feature is a child, use personal information for any reason other than a reason for which the personal information was collected or another disclosed purpose that is compatible with the context in which the personal information was collected, unless the business can demonstrate a compelling reason that the use of the personal information is in the best interest of children.

(f) Track a precise geolocation information of a child without providing an obvious signal to the child when the child is being monitored or tracked.

(g) Use dark patterns to knowingly lead or encourage a child to do any of the following:

(i) Give personal information beyond what is reasonably expected to provide the online service, product, or feature.

(ii) Forego any privacy protection.

(iii) Take any action that the business knows is not in the best interest of children that are likely to access the online service, product, or feature.

Sec. 21. (1) The age-appropriate design code enforcement fund is created in the state treasury.

(2) The state treasurer shall deposit money and other assets received from civil fines collected under section 23 or from any other source in the age-appropriate design code enforcement fund. The state treasurer shall direct the investment of money in the age-appropriate design code enforcement fund and credit interest and earnings from the investments to the age-appropriate design code enforcement fund.

(3) The department of the attorney general is the administrator of the age-appropriate design code enforcement fund for audits of the age-appropriate design code enforcement fund.

(4) The department of the attorney general shall expend money from the age-appropriate design code enforcement fund on appropriation only to enforce this act.

Sec. 23. (1) Before initiating a civil action under subsection (3), if the attorney general believes that a business is engaged in a violation of this act, the attorney general shall provide the business with a written notice of the alleged violation, including the specific provision of this act that the attorney general alleges has been or is being violated, and shall grant the business a 90-day period to cure the alleged violation.

(2) If, not later than 90 days after receiving the written notice under subsection (1), the business cures the noticed violation and provides the attorney general with a written statement that the violation has been cured and sufficient measures have been taken to prevent future violations, the attorney general shall not initiate a civil action under subsection (3).

(3) Subject to subsection (1), if a business violates this act, the attorney general may bring an action seeking a civil fine of not more than $2,500.00 per affected child for each negligent violation, or not more than $7,500.00 per affected child for each intentional violation.

(4) A civil fine collected under this section must be deposited in the age-appropriate design code enforcement fund created in section 21.

(5) This act does not do any of the following:

(a) Impose liability in a manner that is inconsistent with 47 USC 230.

(b) Serve as the basis for a private right of action under this act or any other law.

(c) Infringe on the existing rights and freedoms of children.

Enacting section 1. This act takes effect 18 months after the date it is enacted into law.