SENATE BILL NO. 237

AMENDMENT IN THE NATURE OF A SUBSTITUTE

(Proposed by the Senate Committee on General Laws and Technology

on ________________)

(Patron Prior to Substitute—Senator Head)

A BILL to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered 59.1-614 through 59.1-619, relating to App Store Accountability Act; civil penalties; civil action.

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered 59.1-614 through 59.1-619 as follows:

CHAPTER 60.

APP STORE ACCOUNTABILITY ACT.

§ 59.1-614. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Account holder" means an individual who is associated with a mobile device.

"Age category" means information collected by an app store provider to designate an individual as follows:

1. For an individual who is younger than 13 years of age, a "child";

2. For an individual who is age 13 through 15, a "younger teenager";

3. For an individual who is age 16 through 17, an "older teenager"; and

4. For an individual who is 18 years of age or older, an "adult."

"Age category data" means information about an account holder's age category that is collected by an app store provider and is shared with a developer.

"Age rating" means one or more classifications that assess the suitability of the app's content and functions for different age groups.

"App" means a software application or electronic service that an individual may run or direct on a mobile device, including pre-installed applications.

"App store" means a publicly available website, software application, or other electronic service or platform that allows account holders in the Commonwealth to download apps from third-party developers onto a mobile device.

"App store provider" means any person doing business in the Commonwealth that owns, operates, or controls an app store made available to account holders.

"Content description" means a description of the specific elements or functions that inform an app's age rating.

"Developer" means any person doing business in the Commonwealth that owns, operates, or controls an app made available to account holders through an app store or an app pre-installed onto a mobile device.

"Knowingly" means to act with actual knowledge or to act with knowledge fairly inferred based on objective circumstances.

"Minor" means an individual who is younger than 18 years of age.

"Minor account" means an account with an app store provider that is established by an individual who is a minor and that is required to be affiliated with a parent account.

"Mobile device" means a portable, wireless electronic device, including a tablet or smartphone, that (i) provides cellular or wireless connectivity, (ii) is capable of connecting to the internet, (iii) runs a mobile operating system, and (iv) is capable of running apps through such mobile operating system.

"Mobile operating system" means software that (i) manages mobile device hardware resources, (ii) provides common services for mobile device programs, (iii) controls memory allocation, and (iv) provides interfaces for apps to access device programs.

"Parent" means an individual who is reasonably believed to be a parent, a legal guardian, an individual with legal custody, or any other individual who has the legal authority to make decisions on behalf of the minor under applicable state law.

"Parent account" means an account with an app store provider that (i) is associated with an individual who the app store provider has verified is 18 years of age or older through such app store provider's age verification methods and (ii) may be affiliated with one or more minor accounts.

"Parental consent disclosure" means:

1. If the app store provider has an age rating for an app or in-app purchase, such rating;

2. If the app store provider has a content description for an app or in-app purchase, such description;

3. A description of the personal data collected by the developer of an app from an account holder and the personal data shared by the app with any third party; and

4. If personal data is collected by the developer of an app, the methods implemented by the developer to protect such personal data.

"Pre-installed application" means any app or portion thereof that is present on a mobile device at the time of purchase, initial activation, or first use by a consumer, including a browser, search engine, or messaging app. "Pre-installed application" includes any app or portion thereof that is installed or partially installed by a manufacturer of a mobile device, wireless service provider, retailer, or any other party prior to the purchase, initial activation, or first use by the consumer and that may be updated thereafter. "Pre-installed application" does not include any core operating system function, essential device driver, or software application necessary for basic device operation, such as a phone, settings, or emergency services app.

"Significant change" means a material modification to an app's terms of service or privacy policy that (i) materially changes the categories of data collected, stored, or shared; (ii) materially changes the app's age rating or content description; or (iii) introduces in-app purchases or advertisements where no in-app purchases or advertisements were previously present.

"Verifiable parental consent" means authorization that is provided by the account holder of a parent account to an app store provider after such provider has clearly and conspicuously provided the parental consent disclosure as part of the app download or purchase or in-app purchase process. "Verifiable parental consent" requires a parent account holder to make an affirmative choice to either grant or decline consent to a minor account.

§ 59.1-615. App store providers; duties; prohibitions.

A. An app store provider shall:

1. For each app that the app store provider makes available to account holders on its app store, provide a clear, accurate, and conspicuous parental consent disclosure.

2. At the time that an individual in the Commonwealth creates an account with the app store provider or, for existing accounts, by July 1, 2028:

a. Request age category information from such individual; and

b. Verify such individual's age category using a commercially available method that is reasonably designed to ensure accuracy. Such method may include, if such individual is a minor, an affirmative age attestation by another individual who is reasonably believed to be the parent of such minor, along with other information collected in the ordinary course of account creation or use.

3. If the app store provider determines in the process of an individual creating an account with such provider that such individual is a minor:

a. Require such minor to create a minor account to be affiliated with a parent account; and

b. Obtain verifiable parental consent from the account holder of the affiliated parent account each time before allowing such minor to download or purchase an app or make an in-app purchase.

4. After receiving notice from a developer of a significant change to an app:

a. Notify each account holder that has downloaded such app of the significant change; and

b. For minor accounts, (i) notify each account holder of a parent account that is affiliated with a minor account that has downloaded such app of the significant change and (ii) obtain renewed verifiable parental consent before providing access to the significantly changed version of the app.

5. In response to a request made pursuant to subdivision A 4 of § 59.1-616, provide to a developer data relating to the age category for an account holder located in the Commonwealth and, if applicable, the status of verifiable parental consent for a minor account.

6. Provide a mechanism for an account holder of a parent account to withdraw consent, and notify a developer when verifiable parental consent has been withdrawn for a minor account.

7. Protect data associated with age category and other verification data by:

a. Limiting data collection and processing only to data necessary for verifying an account holder's age category, obtaining verifiable parental consent, or maintaining compliance records; and

b. Transmitting age category data using industry-standard encryption protocols that ensure data integrity and data confidentiality.

8. For pre-installed apps:

a. Provide available age category information in response to a request from a developer; and

b. Take reasonable measures to facilitate verifiable parental consent for use of the app in response to a request from a developer.

B. An app store provider shall not:

1. Enforce a contract or terms of service agreement against a minor account holder unless the app store provider has obtained verifiable parental consent;

2. Knowingly misrepresent information contained in the parental consent disclosure; or

3. Share data relating to age category except as required by this chapter or otherwise required by law.

§ 59.1-616. Developers; duties; prohibitions.

A. A developer shall:

1. Verify through an app store's data sharing methods the age category of an account holder located in the Commonwealth and, for a minor account, whether verifiable parental consent has been obtained;

2. Notify each app store provider that makes the developer's app available on its app store of a significant change to an app within a reasonable time frame;

3. Use data relating to age category received through an app store's data sharing methods to enforce any developer-created age-related restrictions, safety features, or defaults and ensure compliance with applicable laws and regulations; and

4. Request data relating to age category or verifiable parental consent (i) at the time that an account holder downloads or purchases an app or launches a pre-installed app for the first time, (ii) when implementing a significant change to the app, or (iii) to comply with applicable law.

B. A developer may request data relating to age category:

1. No more than once during each 12-month period to verify the accuracy of the age category of an account holder or continued account use within the age category;

2. When there is reasonable suspicion of account transfer or misuse outside of the age category; or

3. At the time that an account holder creates an account with the developer.

C. When implementing any developer-created age-related restrictions, safety features, or defaults, a developer shall use the lowest age category indicated by age category data received through an app store's data sharing methods or age data independently collected by the developer.

D. A developer shall not:

1. Enforce a contract or terms of service agreement against a minor unless the developer has verified through an app store's data sharing methods that verifiable parental consent has been obtained;

2. Knowingly misrepresent any information in the parental consent disclosure; or

3. Share data relating to age category with any person.

§ 59.1-617. Limitations.

Nothing in this chapter shall be construed to:

1. Prevent an app store provider or developer from taking reasonable measures to (i) block, detect, or prevent distribution to minors of unlawful, obscene, or harmful material; (ii) block or filter spam; (iii) prevent criminal activity; or (iv) protect app store or app security;

2. Require an app store provider to disclose account holder information to a developer beyond data relating to age category or status of verifiable parental consent;

3. Allow an app store provider or developer to implement measures required by this chapter in a manner that is arbitrary, capricious, anticompetitive, or unlawful;

4. Limit data collection to information necessary to comply with the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.);

5. Require a developer to collect, retain, reidentify, or link any information beyond the developer's ordinary course of business or beyond what is necessary to verify an account holder's age category as required by this chapter;

6. Require an app store provider or developer to block access to an app that an account holder has downloaded or installed onto a mobile device prior to this chapter's effective date, except where an account holder of a parent account has withdrawn verifiable parental consent for an affiliated minor account or there has been a significant change to the app; or

7. Prevent an app store provider or developer from complying with the provisions of the Consumer Data Protection Act (§ 59.1-575 et seq.).

§ 59.1-618. Safe harbor.

A. A developer is not liable for a violation of this chapter if the developer relies in good faith on the age category received through an app store's data sharing methods and, if the account holder is a minor, on notification from an app store provider that verifiable parental consent has been obtained.

B. An app store provider is not liable for a violation of this chapter if the app store provider relies in good faith on a process to verify an individual's age category that is commercially reasonable and that such provider exercises reasonable care in conducting such process. An app store provider relies in good faith when, if there is reasonable suspicion that an account holder does not belong to the age category to which his account is assigned, such provider took reasonable measures to reverify the account holder's age category.

C. The provisions of this section apply only to actions brought under this chapter and do not limit a developer's or app store provider's liability under any other applicable law. Nothing in this chapter shall displace any other available remedies or rights authorized under state or federal law.

§ 59.1-619. Civil penalties; civil action.

A. The Attorney General may initiate an action against an app store provider or a developer in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any such action.

B. Any minor or parent of a minor who suffers harm by reason of a violation of any provision of this chapter may bring a civil action against an app store provider or a developer to enforce such provision and may seek the greater of actual damages or $1,000 for each violation under this chapter and, if the violation was egregious, punitive damages. Any person who is successful in an action brought pursuant to this subsection shall recover reasonable attorney fees, expert witness fees, and court costs incurred by bringing such action.

2. That the provisions of this act shall become effective on July 1, 2027.