Read the full stored bill text
A BILL to amend the Code of Virginia by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered
59.1-614
through
59.1-619
, relating to App Store Accountability Act; civil penalties; civil action.
Be it enacted by the General Assembly of Virginia:
1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 60, consisting of sections numbered
59.1-614
through
59.1-619
as follows:
CHAPTER 60.
APP STORE ACCOUNTABILITY ACT.
§ 59.1-
614.
Definitions.
As used in this chapter, unless the context requires a different meaning:
"Account holder" means
an
individual who is associated with
a
mobile device.
"Age category" means information collected by
an
app store
provider
to designate a
n individual
as follows:
1.
For an individual who is younger than 13 years of age, a "child";
2. For an individual
who is age 13 through 15,
a "younger teenager";
3. For an individual who is age 16 through 17, an "older teenager"; and
4. For an individual who is 18 years of age or older, an "adult."
"Age rating" means
one or more classifications
that
(i)
correspond to one or more age categories
and
(ii)
are
assigned to
an app or in-app purcha
se to
assess the suitability of
the
app's content and functions
.
"App" means a software application or electronic s
ervice that an individual may run or direct on a mobile device, including pre-installed applications.
"App store" means a publicly available website,
software
application, or other electronic service
or platform that
allows account holders in the Commonwealth to download ap
ps from third-party developers onto a mobile device
.
"App store provider" means a
ny
person
doing business in the Commonwealth
that owns, operates, or controls an app sto
re
made available to account holders
.
"Co
ntent description"
means a description of the specific elements or functions that
inform an app's age rating.
"Developer" means any person doing business in the Commonwealth that
owns
, operates, or
controls an app made available
to account holders
through an app store or an app pre-installed onto a mobile device
.
"Minor" means an individual who is
younger than 18 years of age.
"Minor account" means an account with
an app store provider that is established by an individual who is a minor
and that is required to be affiliated with a parent account.
"Mobile device" means a portable, w
ireless electronic device, including a tablet or smartphone, that
(i) provides cellular o
r
wireless
connectivity
, (ii)
is capable of
connecting to the internet, (iii) runs a mobile operating system, and (iv) is capable of running apps through
such
mobile operating system
.
"Mobile operating system" means software that (i) manages mobile device hardware resources, (ii) provides common services for mobile device programs, (iii
) controls memory allocation, and (iv) provides interfaces for apps to access device programs.
"Parent" means
an individual who is reasonably believed to be
a parent or
legal guardian
of a
minor
.
"P
arent account" means an account with an app store provider that
(i)
is
associated with
an individual who
the
app store provider has
verified
is 18 years of age or older
through
such
app store provider's age verification methods and (ii) may be affiliated with one or more minor accounts.
"Parental consent disclosure" means
:
1.
T
he age rating for
an
app or in-app purchase;
2.
T
he content description for
an
app or in-app purchase;
3. A description of the personal data collected by the
developer of
an
app from an account holder and
shared by
such developer
with a
ny
third party; and
4. If personal data is collected by
the developer of an app
, the methods implemented by the developer to protect
such
personal data.
"Pre-installed application" means any app or portion thereof that is present on a mobile device at the time of purchase, initial
activation
, or first use by
a consumer, including
a
brow
s
er, search engine,
or
messaging
app
.
"Pre-installed application"
includes
any
app or portion thereof that
is
installed or partially installed by
a
manufacturer of
a
mobile device, wireless service provider, retailer, or any other party prior to the purchase, initial activation, or first use by the consumer and that may be upda
ted thereafter.
"Pre-installed application" does not include
any
core operating system function, essential device driver,
or
software
application necessary for
basic device operation, such as
a
phone
, settings,
or
emergency services
app
.
"Significant change" means
a
material modification to an app's terms of service or privacy policy that (i)
materially
changes the categories of data collected, stored, or shared; (ii)
materially
changes
the app's age rating or content description; or (i
ii) introduces in-app purchases or advertisements where no in-app purchases
or advertisements
were previously presen
t
.
"
Verifiable parental consent" means authorization that is provided
by
the account holder of
a parent account
to
an
app store provider
after
such
provider has clearly and conspicuously provided the parental consent disclosu
re as part of the app download or purchase or in-app purchase process. "Verifiable parental consent" requires a parent
account holder
to make an affirmative choice to either grant or decline consent
to a minor account
.
§
59.1-615
.
A
pp store providers
; duties; prohibitions
.
A. An app store provider shall:
1.
For each app that the app store provider makes available to account holders
on its app store
, provide a clear, accurate, and conspicuous parental consent disclosure.
2.
At the time that an individual
in the Commonwealth creates an account with
the
app store provider or
,
for existing accounts, by July 1, 2028:
a. Request age category information from
such
individual; and
b. Verify
such
individual's age category using
a
commercially available method that
is
reasonably designed to ensure accura
cy
. Such method
may
include
, if such individual is a minor,
an
affirmative age attestation by
another individual
who is reasonably believed to be the parent of
such
minor
.
3.
If the app store provider determines
in the
process
of an individual creating an account with such provider
that
such
individual
is a minor
:
a. Require
such
minor
to create a
minor
account to be affiliated with a parent account; and
b. Obtain verifiable parental consent
from the
account
holder of the affiliated parent account each time before allowing
such minor to download or purchase an app or make an in-app purchase.
4
. After receiving notice
from a developer
of a
significant
change
to an app
:
a. Notify
each
account holder
that has downloaded such app
of the significant change; and
b. For minor account
s
,
(i)
notify
each account holder of
a
parent account
that is affiliated with a minor account that has downloaded such app of the significant change
and
(ii)
obtain renewe
d verifiable parental consent before providing access to the significantly changed version of
the
app.
5
. In response to a request made pur
suant to
subdivision A 4 of
§ 59.1-
616
, provide to a developer
data relating to
the
a
ge category
for
an account holder located in the Commonwealth and
, if applicable, t
he status of verifiable parental consent for a minor
account.
6
. Provide a mechanism for
an account holder of
a parent account to withdraw consent
,
and notify a developer when verifiable parental consent
has been withdrawn for a minor account
.
7
.
P
rotect
data associated
with age category and other
verification data by:
a. Limiting data collection and processing only to data necessary for verifying an account holder's age category, obtaining verifi
able parental consent, or maintaining compliance records; and
b. Transmitting age category data using industry-standard encryption protocols that ensure data integrity and data confidentiality.
8
. For
pre-installed apps:
a. Provide available age category information in response to a request from a developer; and
b. Take reasonable measures to facilitate verifiable parental consent for
account holders'
use of
such an
app in response to a request from a developer.
B. An app store provider shall not:
1. Enforce a contract or terms
of service agreement against a minor
account holder
unless the app store provider has obtained verifiable parental consent;
2. Knowingly misrepresent information
contained
in the parental consent disclosure; or
3.
Share data
relating to age category
except as required by this chapter or otherwise required by law.
§
59.1-616
.
Developers; dutie
s
; prohibitions
.
A. A developer shall:
1.
For each
of its
app
s
and in-app purchase
s
, assign
an age rating
and
provide a content description
, and
,
for each of its apps,
provide each app store provider
that makes the developer's app available on its app store
a parental consent disclosure that includes such information;
2.
Verify through
an
app store's data sharing methods the age category
of an
account holder located in the Commonwealth and, for
a
minor account, whether verifiable parental consent has been obtained;
3
.
Notify
each
app store provider
tha
t
makes the developer's app available on its app store
of a significant change to an app
within a reasonable time frame
;
4
. Use
data relat
ing
to
age category received through
an
app store's data sharing methods to
enforce any developer-created age-related restrictions, safety features, or defaults and ensure compliance with applicable laws; and
5
. Request
data relating to
age c
ategory or verifiable parental consent (i) at the time that
an
account holder downloads or purchases an app or launches a pre-installed app for the first time, (ii) when implementing a significant change to the app,
or (iii) to comply with applicable law.
B. A developer may request
data relating to
age category:
1. No more than once during each 12-month period to verify the accuracy of
the
age category
of
an account holder or continued account use within the age category;
2. When there is reasonable suspicion of account transfer or misuse outside of the age category; or
3. At the time that an acc
ount holder creates
an
account with the developer.
C. When implementing any
developer-created age-related restrictions, safety features, or defaults, a developer shall use the lowest age category indicated by age category data received through
an
app store's data sharing methods or age data independently collected by the developer.
D. A developer shall
not:
1. Enforce a contract or terms of service agreement against a minor unless the developer has verified through an app store's data sharing methods that verifiable parental consent has been obtained;
2. Knowingly misrepresent any information in the parental consent disclosur
e; or
3. Share
data relating to
age category with any person.
§
59.1-61
7
.
Limitations
.
Nothing in this chapter shall be construed to:
1. Prevent an app store provider or developer from taking reasonable measures to (i) block, detect, or prevent distribution to minors of un
lawful, obscene, or harmful material; (ii) block or filter spam; (iii) prevent criminal activity; or (i
v) protect app store or app security;
2. Require an app store provider to disclose
account holder
information to a developer beyond
data relating to
age category or status of
verifiable
parental consent;
3. Allow an app store provider or developer to implement measures required by this chapter in a
manner that is arbitrary, capricious, anticompetitive, or unlawful;
4. Require an app store provider or developer to obtain verifiable parental consent for an app that:
a. Provide
s direct access to emergency services, including 911, crisis hotlines, or emergency assistance services legally available to minors;
b. Limits data collection to information necessary to provide such
access
in compliance with
the
federal
Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.);
c. Provides
such access without requiring account creation or collection of unnecessary personal information; and
d. Is operated by or in partnershi
p with a government entity, a nonprofit organization, or an authorized emergency services provider;
5. Require a developer to
collect, retain, reidentify, or link any information beyond
the developer's ordinary course of business
or
beyond
what is
necessary to verify
an account holder's
age category as required by this chapter
;
6. Require an app store provider or developer to block access to an app that an account holder has downloaded or installed onto a mob
ile device prior to this chapter's effective date, except
where
a
n account holder of a
parent account
has withdrawn
verifiable parental consent for an affiliated minor account or there has been a significant change to the
app
; or
7.
Prevent
an app store provider or developer
from complying
with the provisions of the Consumer Data Protection Act (§
59.1-575
et seq.)
.
§
59.1-61
8
.
Safe harbor
.
A.
A developer is not liable for a violation of this chapter if
:
1. T
he developer
r
elie
s
in
good faith on
the
age category received through an app store's data sharing methods and
, if the account holder is a minor,
on notif
ication from an app store provider that verifiable parental consent has been obtained.
2. In determining an app's age rating and content description,
the developer uses widely adopted industry standards in making such determinations and applies such standards consistently and in good faith.
B.
An
app store provider
is not liable for a violation of this chapter if
t
he app store provider relies in good faith
on
a
process
to verify an individual's age category
that is commercially reasonable and that such provider exercises reasonable care in conducting such process
. An app store provider
relies in good faith when
, if
there is
reasonable suspicion that an account holder does not belong to the age category to which
his
account is assigned,
such provider took reasonable measures to
reverify the account holder's age category
.
§
59.1-61
9
.
Civil penalties; civil action
.
A.
The Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.
The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any
such
action.
B
.
A
n
y
minor or parent of a minor
who suffers
harm
by reason of a violation of any provision of this chapter may bring a civil action
against an app store provider or a developer
to enforce such provision
and may seek the greater of actual damages
or $1,000 for each violation under this chapter and, if the violation was egregious,
punitive damages
. A
n
y person who is successful in
an
action
brought
pursuant to
this
subsection
shall recover reasonable attorney fees, expert witness fees, and court costs incurred by bringing such action
.
2. That the provisions of this act shall become effective on July 1, 2027.