App Store Accountability Act

OVERVIEW

The App Store Accountability Act focuses on the regulation of conduct and upholds the legal reality of contractual obligations on app stores. Multi-trillion-dollar companies cannot enter into sophisticated contracts with minors. In accordance with the America First Policy Institute’s issue brief “Defending Children from Online Dangers that Threaten their Innocence and Future Wellbeing,” the Act institutes age verification requirements and parental consent in their child’s online activities.

Protecting kids online is a core principle of AFPI’s America First Federal AI Framework. Such protection should begin well before the child has access to any app requiring them to sign a terms of service or privacy policy. AFPI’s federal framework recommends that app store providers implement age verification requirements. The model also calls on providers to develop and enforce age verification systems based on technical best practices, as sellers and distributors must know whether they are engaging with a minor or, at the very least, know the identity of the person with whom they are contracting, similar to how brick-and-mortar stores must generally know the identity of their buyers. The app store is the gateway to downloading any app, so it should be the first line of defense for defending children's safety online.

The model policy below is an outgrowth of AFPI’s research and recommendations, and it ensures that parents have the fundamental responsibility for raising their child in the digital age and protecting their child’s welfare online.

SECTION 1. PURPOSE

The stated goal of this legislation is to protect minor children under the age of 18 years old from harmful contracts, and online predators by establishing minimum mandatory safety requirements for app stores, requiring parental consent, and ensuring age-appropriate experiences.

SECTION 2. FINDINGS

Congress finds the following:

1. 100% of teenagers that access mobile apps either own an iPhone or an Android device;
2. There is a concerning lack of safeguards to protect children from the addictive features present on mobile devices;
3. The leading app store providers do not offer sufficient parental controls;
4. Many complex online child safety problems with which American parents and children struggle as a nation could be solved with more parental controls at the operating system and app store layer;
5. Parental controls rely heavily on app age ratings for default safety settings;
6. App store ratings can be deceptive, vague, hidden, and can be inaccurate;

SECTION 3. DEFINTIONS

1. AGE CATEGORY. —The term “age category” means the category of an individual based on their age, including the following categories:
   • ADULT.—An “adult” is such an individual who has attained 18 years of age.
   • MINOR.—A “minor” is such an individual who has not attained 18 years of age.
   • TEENAGER.—A “teenager” is such an individual who has attained 16 years of age but has not attained 18 years of age.
   • CHILD.—A “child” is such an individual who has attained 13 years of age but has not attained 16 years of age.
   • YOUNG CHILD.—A “young child” is such an individual who has not attained 13 years of age.
2. AGE CATEGORY DATA.—The term “age category data” means information that identifies the age category of a user and is collected by a covered app store provider and shared with an app developer.
3. AGE RATING.—The term “age rating” means a publicly displayed assessment of an app’s appropriateness for different age categories.
4. APP.—The term “app” means a software application or electronic service that may be run or directed by a user on a computer, mobile device, or any other general purpose computing device.
5. APP DEVELOPER.—The term “app developer” means any person or entity that creates, owns, controls or distributes an app on the app store of a covered app store provider and is available in the United States
6. APP STORE.—The term “app store” means a publicly available website, software application, or other electronic service that distributes and facilitates the download onto a mobile device of an app from a third-party developer by a user of a computer, a mobile device, or any other general purpose computing device.
7. COMMISSION.—The term “Commission” means the Federal Trade Commission.
8. COVERED APP STORE PROVIDER.—The term “covered app store provider” means any person that owns or controls an app store available in the United States and for which users in the United States exceed 5,000,000.
9. KNOW.—The term “know” means to have actual knowledge or willful disregard.
10. MINOR.—The term “minor” means an individual who has not attained 18 years of age.
11. MOBILE DEVICE.—The term “mobile device” means a phone or general purpose tablet that provides cellular or wireless connectivity, is capable of connecting to the Internet, runs a mobile operating system, and is capable of running apps through the mobile operating system.
12. MOBILE OPERATING SYSTEM.—The term “mobile operating system” means a set of software that manages mobile device hardware resources, provides common services for mobile device programs, controls memory allocation, and provides interfaces for applications to access device functionality.
13. PARENT.—The term “parent,” with respect to a minor, means an adult with the legal right to make decisions on behalf of the minor, including—
    • a natural parent;
    • an adoptive parent;
    • a legal guardian; or
    • an individual with legal custody over the minor.
14. PARENTAL ACCOUNT.—The term “parental account” means an account with a covered app store provider that is— (A) verified to be established by an individual who the app store provider has determined is at least 18 years of age through the covered app store provider’s age verification method or process; and (B) affiliated with one or more account of a user or prospective user who is a minor.
15. PARENTAL CONSENT DISCLOSURE.—The term “parental consent disclosure” means the following information that is provided to a parent before obtaining parental consent— (A) a description of— (i) the personal data collected by the app from a user; and (ii) the personal data shared by the app with a third party; (B) a description of the measures taken by the app developer to protect the confidentiality of the user’s personal data; (C) if there is an age rating for the app or an in-app purchase, the app’s or in-app purchase’s age rating; and (D) if there is a content description for the app or in-app purchase, the app’s or in-app purchase’s content description.
16. PERSONAL DATA.—The term “personal data” has the same meaning as the term “personal information” as defined in section 1302 of the Children’s Online Privacy Protection Act (15 U.S.C. 6501).
17. SIGNAL.—The term “signal” means age-bracketed data sent by a real-time secure application programming interface or operating system that is likely to be accessed by minors.
18. SIGNIFICANT CHANGE.—The term “significant change” means a material modification of an app’s terms of service or privacy policy that—
    • changes the category of data collected or stored;
    • changes the category of data shared with an unaffiliated third party that is not a service provider or processor;
    • alters the app’s age rating or content description;
    • adds new monetization features, including in-app purchases or advertisements; or
    • changes the app’s user experience or functionality in a manner that a reasonable individual would view as material.
19. VERIFIABLE PARENTAL CONSENT.—The term “verifiable parental consent” means authorization that is provided— (A) at setup (B) by a parental account; (C) in response to a clear and conspicuous parental content disclosure; and (D) signifies a parent’s freely given, specific, informed, and unambiguous agreement. Parents must be able to revoke consent at any time, instantly removing access to the app.

SECTION 4. APP STORE OBLIGATIONS

(a) IN GENERAL.—Each covered app store provider shall—

1. at the time an individual creates an account with the covered app store provider—
   • request age information from the individual; and
   • verify the individual’s age category using a commercially available method or process that is reasonably designed to ensure accuracy;
2. if the age verification method or process determines the individual is a minor—
   • require the account to be affiliated with a parental account; and
   • obtain verifiable parental consent from the holder of the affiliated parental account before allowing the minor to download or purchase an app or make an in-app purchase;
3. after receiving notice of a significant change from an app developer—
   • notify the user of a significant change; and
   • for a minor account, notify the holder of the affiliated parental account and obtain a new verifiable parental consent;
4. provide to an app developer the user’s age category and the status of verified parental consent if the user is a minor;
5. notify an app developer when a parent revokes verifiable parental consent;
6. protect the confidentiality of personal data related to age verification by—
   • limiting its collection, processing, and storage to what is strictly necessary to verify a user’s age, obtain verifiable parental consent, or maintain compliance records; and
   • safeguarding personal data related to age verification by adopting reasonable administrative, technical, and physical safeguards to secure the collection, processing, storage, and transmission of this data, including through industry-standard encryption;
7. if a covered app store provider displays an age rating or description of an app’s content, the age rating and description must be clearly and prominently displayed and be in plain and concise language; and
8. provide to an app developer the ability to determine, in real time, the age category of any user and, with respect to any user that is a minor, whether the covered app store provider has obtained verifiable parental consent.

(b) RULES OF CONSTRUCTION.—Nothing in this section shall be construed—

1. to prevent a covered app store provider from taking reasonable measures to block, detect, or prevent the distribution of unlawful or obscene material to minors, to block or filter spam, to prevent criminal activity, or to protect the security of an app store or app;
2. to require a covered app store provider to disclose to an app developer information other than such user’s age category and, with respect to any user that is a minor, whether the covered app store provider has obtained verifiable parental consent in accordance with this section;
3. to allow a covered app store provider to use any measures required by this section in a way that is arbitrary, capricious, anti-competitive, or unlawful; or
4. to affect or restrict the expression of political, religious, or other viewpoints.

SECTION 5. DEVELOPER OBLIGATIONS

1. IN GENERAL.—An app developer shall— (1) verify through a covered app store’s method or process the age category of the app developer’s users or potential users and, for a minor account, whether verifiable parental consent has been obtained; (2) notify a covered app store provider of a significant change to the app; (3) request age category data or verifiable parental consent—
   1. at the time a potential app user downloads or purchases an app;
   2. when the app developer implements a significant change to the app; or
   3. to comply with an applicable law or regulation.
2. APP DEVELOPER REQUESTS.—An app developer may request age category data or verifiable parental consent— (1) no more than once during each 12-month period to verify the accuracy of user age verification data or continued account use within the verified age category; (2) when there is reasonable suspicion of account transfer or misuse outside the verified age category; or (3) at the time a user creates a new account with the app developer.
3. PERMISSIBLE USES.—An app developer may use age category data to— (1) enforce any app developer-created age-related restrictions; (2) ensure compliance with applicable laws and regulations; and (3) implement any app developer-created features or defaults.
4. RESTRICTIONS.—An app developer may not— (1) enforce a contract or terms of service against a minor unless the app developer has verified through the covered app store provider that verifiable parental consent has been obtained; (2) knowingly misrepresent any material information in the parental consent disclosure; or (3) share age category data with an unaffiliated third party that is not a service provider or processor.
5. APP AGE RATING.—If an app developer provides an age rating or description of an app’s content to a covered app store or user, the age rating or description must be in plain and concise language.
6. COVERED APP STORE PROVIDER SIGNAL.— (1) IN GENERAL.—Each app developer shall use a covered app store provider’s signal to determine the age category of a user. (2) RULE OF CONSTRUCTION.—Receipt of a covered app store provider’s signal serves as actual knowledge of a user’s age category.

SECTION 6. ENFORCEMENT

1. IN GENERAL.—The Federal Trade Commission, the Attorney General, and any attorney general of a State shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) as appropriate, were incorporated into and made a part of this Act.
2. FEDERAL TRADE COMMISSION INDEPENDENT LITIGATION AUTHORITY.—If the Federal Trade Commission has reason to believe that a covered company violated this Act, the Federal Trade Commission may commence a civil action, in its own name by any of its attorneys designated by it for such purpose, to recover a civil penalty and seek other appropriate relief in a district court of the United States against the covered company.
3. PARENS PATRIAE.—Any attorney general of a State may bring a civil action in the name of such State for a violation of this Act as parens patriae on behalf of natural persons residing in such State, in any district court of the United States having jurisdiction of the defendant, and may secure any form of relief provided for in this section.

SECTION 7. SAFEHARBOR

(a) IN GENERAL.—An app developer is deemed not liable for a violation of this Act if the app developer demonstrates it has—

(1) relied in good faith on age verification data provided by a covered app store provider or it obtained a signal from a covered app store provider that indicates the user is a minor;

(2) complied with the requirements of section 4; and

(3) reasonably conforms to widely accepted industry standards or best practices, or to standards or best practices identified by the Commission, for age ratings and app content descriptions and applies those standards or best practices consistently and in good faith.

(b) LIMITATIONS.—The safe harbor described in this section applies only to actions brought under this Act and does not limit the liability of an app developer under any other applicable law.

SECTION 8. SEVERABILITY.

If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act, and the application of such provision to other persons not similarly situated or to other circumstances, shall not be affected by the invalidation.