Full Text of SB3324 103rd General Assembly
SB3324 103RD GENERAL ASSEMBLY | | | 103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024 SB3324 Introduced 2/7/2024, by Sen. Mary Edly-Allen SYNOPSIS AS INTRODUCED: | | | Creates Sammy's Law of 2024. Requires, before August 1, 2025, or within 30 days after a service becomes a large social media platform, a large social media platform provider to create, maintain, and make available to any third-party safety software provider a set of third-party-accessible real time application programming interfaces by which a child, or a parent or legal guardian of a child, may delegate permission to the third-party safety software provider to: (1) monitor the child's online interactions, content, and account settings on the large social media platform; and (2) initiate secure transfers of user data from the large social media platform in a commonly used and machine-readable format to the third-party safety software provider. Requires a third-party safety software provider to register with the Office of the Attorney General as a condition of accessing an application programming interface and any information or use data. Allows the Attorney General to deregister a third-party safety software provider if it is determined that the provider has violated or misrepresented a required affirmation or has not notified the Attorney General, a child, or a parent or legal guardian of a child of a change to a required affirmation. Requires, before August 1, 2025, or within 30 days after a service becomes a large social media platform, a large social media platform provider of the platform to register the platform with the Attorney General by submitting to the Attorney General a statement indicating that the platform is a large social media platform. Requires the Attorney General to establish a process to deregister a service if the service is no longer a large social media platform. Provides that in any civil action, a large social media platform provider shall not be held liable for damages arising out of the transfer of user data to a third-party safety software provider if the large social media platform provider has in good faith complied with the requirements of the Act and the guidance issued by the Attorney General in accordance with the Act. Effective June 1, 2025. |
| |
| | A BILL FOR |
| | | | SB3324 | | LRB103 38089 JRC 68221 b |
|
| 1 | | AN ACT concerning civil law. | 2 | | Be it enacted by the People of the State of Illinois, | 3 | | represented in the General Assembly: | 4 | | Section 1. Short title. This Act may be cited as Sammy's | 5 | | Law of 2024. | 6 | | Section 5. Legislative findings and intent. | 7 | | (a) The General Assembly finds and declares all of the | 8 | | following: | 9 | | (1) Parents and legal guardians should be empowered to | 10 | | use the services of third-party safety software providers | 11 | | to protect their children from certain harms on large | 12 | | social media platforms. | 13 | | (2) Dangers like cyberbullying, human trafficking, | 14 | | illegal drug distribution, sexual harassment, and violence | 15 | | perpetrated, facilitated, or exacerbated through the use | 16 | | of certain large social media platforms have harmed | 17 | | children on those platforms. | 18 | | (b) It is the intent of the General Assembly to require | 19 | | large social media platform providers to create, maintain, and | 20 | | make available to third-party safety software providers a set | 21 | | of real-time application programming interfaces, through which | 22 | | a child or a parent or legal guardian of a child may delegate | 23 | | permission to a third-party safety software provider to manage |
| | | SB3324 | - 2 - | LRB103 38089 JRC 68221 b |
|
| 1 | | the child's online interactions, content, and account settings | 2 | | on the large social media platform on the same terms as the | 3 | | child, and for other purposes. | 4 | | Section 10. Definitions. In this Act: | 5 | | "Child" means any individual under 18 years of age who has | 6 | | registered an account with a large social media platform. | 7 | | "Large social media platform" means a service that meets | 8 | | all of the following: | 9 | | (1) the service is provided through an Internet | 10 | | website or a mobile application, or both; | 11 | | (2) the terms of service do not prohibit the use of the | 12 | | service by a child; | 13 | | (3) the service includes features that enable a child | 14 | | to share images, text, or video through the Internet with | 15 | | other users of the service whom the child has met, | 16 | | identified, or become aware of solely through the use of | 17 | | the service; and | 18 | | (4) the service has more than 100,000,000 monthly | 19 | | global active users or generates more than $1,000,000,000 | 20 | | in gross revenue per year, adjusted yearly for inflation, | 21 | | or both. | 22 | | "Large social media platform" does not include any of the | 23 | | following: | 24 | | (A) a service that primarily serves to facilitate the | 25 | | sale or provision of professional services or the sale of |
| | | SB3324 | - 3 - | LRB103 38089 JRC 68221 b |
|
| 1 | | commercial products; | 2 | | (B) a service that primarily serves to provide news or | 3 | | information and the service does not offer the ability for | 4 | | content to be sent by a user directly to a child; or | 5 | | (C) a service that has features that enable a user who | 6 | | communicates directly with a child through a message, | 7 | | including a text, audio, or video message, not otherwise | 8 | | available to other users of the service, to add other | 9 | | users to that message that the child may not have | 10 | | otherwise met, identified, or become aware of solely | 11 | | through the use of the service and does not have any | 12 | | features described in paragraph (3). | 13 | | "Large social media platform provider" means any person | 14 | | who, for commercial purposes, provides, manages, operates, or | 15 | | controls a large social media platform. | 16 | | "Third-party safety software provider" means any person | 17 | | who, for commercial purposes, is authorized by a child, if the | 18 | | child is 13 years of age or older, or a parent or legal | 19 | | guardian of a child, to interact with a large social media | 20 | | platform to manage the child's online interactions, content, | 21 | | or account settings for the sole purpose of protecting the | 22 | | child from harm, including physical or emotional harm. | 23 | | "User data" means any information needed to have a profile | 24 | | on a large social media platform or content on a large social | 25 | | media platform, including images, video, audio, or text, that | 26 | | is created by or sent to a child on or through the child's |
| | | SB3324 | - 4 - | LRB103 38089 JRC 68221 b |
|
| 1 | | account with that platform, and the information or content is | 2 | | created by or sent to the child while a delegation under | 3 | | Section 20 is in effect with respect to the account. | 4 | | Information shall only be considered "user data" for 30 days, | 5 | | beginning on the date on which the information or content is | 6 | | created by or sent to the child. | 7 | | Section 15. List of third-party safety software providers. | 8 | | The Attorney General shall make publicly available on the | 9 | | Attorney General's Internet website a list of the third-party | 10 | | safety software providers registered under Section 25, a list | 11 | | of the large social media platforms registered under Section | 12 | | 30, and a list of the third-party safety software providers | 13 | | deregistered under Section 25. | 14 | | Section 20. Delegation of permission to third-party | 15 | | software provider. | 16 | | (a) Before August 1, 2025, or within 30 days after a | 17 | | service becomes a large social media platform, as applicable, | 18 | | a large social media platform provider shall create, maintain, | 19 | | and make available to any third-party safety software provider | 20 | | registered with the Attorney General under Section 25 a set of | 21 | | third-party-accessible real time application programming | 22 | | interfaces, including any information necessary to use the | 23 | | interfaces, by which a child (if the child is 13 years of age | 24 | | of older), or a parent or legal guardian of a child, may |
| | | SB3324 | - 5 - | LRB103 38089 JRC 68221 b |
|
| 1 | | delegate permission to the third-party safety software | 2 | | provider to: | 3 | | (1) manage the child's online interactions, content, | 4 | | and account settings on the large social media platform on | 5 | | the same terms as the child; and | 6 | | (2) initiate secure transfers of user data from the | 7 | | large social media platform in a commonly used and | 8 | | machine-readable format to the third-party safety software | 9 | | provider, and the frequency of the transfers may not be | 10 | | limited by the large social media platform provider to | 11 | | less than once per hour. | 12 | | (b) Once a child or a parent or legal guardian of a child | 13 | | makes a delegation under subsection (a), the large social | 14 | | media platform provider shall make the application programming | 15 | | interfaces and information available to the third-party safety | 16 | | software provider on an ongoing basis until one of the | 17 | | following applies: | 18 | | (1) the child (if the child made the delegation) or | 19 | | the parent or legal guardian of such child revokes the | 20 | | delegation; | 21 | | (2) the child or a parent or legal guardian of such | 22 | | child revokes or disables the registration of the account | 23 | | of such child with the large social media platform; | 24 | | (3) the third-party safety software provider rejects | 25 | | the delegation; or | 26 | | (4) one or more of the affirmations made by the |
| | | SB3324 | - 6 - | LRB103 38089 JRC 68221 b |
|
| 1 | | third-party safety software provider under Section 25 is | 2 | | no longer true. | 3 | | (c) A large social media platform provider shall establish | 4 | | and implement reasonable policies, practices, and procedures | 5 | | regarding the secure transfer of user data pursuant to a | 6 | | delegation under subsection (a) from the large social media | 7 | | platform to a third-party safety software provider in order to | 8 | | mitigate any risks related to user data. | 9 | | (d) If a delegation is made by a child or a parent or legal | 10 | | guardian of a child under subsection (a) with respect to the | 11 | | account of the child with a large social media platform, the | 12 | | large social media platform provider shall: | 13 | | (1) disclose to the child and, if the parent or legal | 14 | | guardian made the delegation, the parent or legal guardian | 15 | | the fact that the delegation has been made; | 16 | | (2) provide to the child and, if the parent or legal | 17 | | guardian made the delegation, the parent or legal guardian | 18 | | a summary of what user data is being transferred to the | 19 | | third-party safety software provider; and | 20 | | (3) provide any update to the summary under paragraph | 21 | | (2) as necessary to reflect any change to what user data is | 22 | | being transferred to the third-party safety software | 23 | | provider. | 24 | | (e) A third-party safety software provider shall not | 25 | | disclose any user data obtained under this Section to any | 26 | | person except as follows: |
| | | SB3324 | - 7 - | LRB103 38089 JRC 68221 b |
|
| 1 | | (1) Pursuant to a lawful request from a government | 2 | | body, including, but not limited to, for law enforcement | 3 | | purposes or for judicial or administrative proceedings by | 4 | | means of a court order or a court ordered warrant, a | 5 | | subpoena or summons issued by a judicial officer, or a | 6 | | grand jury subpoena. | 7 | | (2) To the extent that the disclosure is required by | 8 | | law and the disclosure complies with and is limited to the | 9 | | relevant requirements of that law. | 10 | | (3) To the child, or a parent or legal guardian of the | 11 | | child, who made a delegation under this Section and whose | 12 | | data is at issue. The disclosure shall be limited, by a | 13 | | good faith effort on the part of the third-party safety | 14 | | software provider, only to the user data strictly | 15 | | sufficient for a reasonable parent or caregiver to | 16 | | understand that the child is at foreseeable risk or | 17 | | currently experiencing any of the following harms: | 18 | | (A) suicide; | 19 | | (B) anxiety; | 20 | | (C) depression; | 21 | | (D) eating disorders; | 22 | | (E) violence, including being the victim of or | 23 | | planning to commit or facilitate battery under Section | 24 | | 12-3 of the Criminal Code of 2012 and assault under | 25 | | Section 12-1 of the Criminal Code of 2012; | 26 | | (F) substance abuse; |
| | | SB3324 | - 8 - | LRB103 38089 JRC 68221 b |
|
| 1 | | (G) fraud; | 2 | | (H) trafficking in persons under Section 10-9 of | 3 | | the Criminal Code 2012; | 4 | | (I) sexual abuse; | 5 | | (J) physical injury; | 6 | | (K) harassment, including hate-based harassment, | 7 | | sexual harassment, and stalking under Section 12-7.3 | 8 | | of the Criminal Code of 2012; | 9 | | (L) exposure to harmful material under Section | 10 | | 11-21 of the Criminal Code of 2012; | 11 | | (M) communicating with a terrorist organization as | 12 | | defined under Section 219 of the federal Immigration | 13 | | and Nationality Act, 8 U.S.C. 1189; | 14 | | (N) academic dishonesty, including cheating, | 15 | | plagiarism, or other forms of academic dishonesty that | 16 | | are intended to gain an unfair academic advantage; or | 17 | | (O) sharing personal information limited to: | 18 | | (i) home address; | 19 | | (ii) telephone number; | 20 | | (iii) social security number; and | 21 | | (iv) personal banking information. | 22 | | (4) In the case of a reasonably foreseeable serious | 23 | | and imminent threat to the health or safety of any | 24 | | individual, if the disclosure is made to a person or | 25 | | persons reasonably able to prevent or lessen the threat. | 26 | | (5) to a public health authority or other appropriate |
| | | SB3324 | - 9 - | LRB103 38089 JRC 68221 b |
|
| 1 | | government authority authorized by law to receive reports | 2 | | of child abuse or neglect. | 3 | | (6) A third-party safety software provider that makes | 4 | | a disclosure permitted by paragraphs (1), (2), (4), or (5) | 5 | | shall promptly inform the child with respect to whose | 6 | | account with a large social media platform the delegation | 7 | | was made under subsection (a) and (if a parent or legal | 8 | | guardian of the child made the delegation) the parent or | 9 | | legal guardian that such a disclosure has been or will be | 10 | | made, except if | 11 | | (A) the third-party safety software provider, in | 12 | | the exercise of professional judgment, believes | 13 | | informing such child or parent or legal guardian would | 14 | | place such child at risk of serious harm; or | 15 | | (B) the third-party safety software provider is | 16 | | prohibited by law (including a valid order by a court | 17 | | or administrative body) from informing such child or | 18 | | parent or legal guardian. | 19 | | Section 25. Third-party safety software registration, | 20 | | affirmations, and deregistration. | 21 | | (a) A third-party safety software provider shall register | 22 | | with the Office of the Attorney General as a condition of | 23 | | accessing an application programming interface and any | 24 | | information or use data under Section 20. | 25 | | (b) The registration shall require the third-party safety |
| | | SB3324 | - 10 - | LRB103 38089 JRC 68221 b |
|
| 1 | | software provider to affirm that the third-party safety | 2 | | software provider meets all of the following requirements: | 3 | | (1) it is solely engaged in the business of Internet | 4 | | safety; | 5 | | (2) it will use any user data obtained under Section | 6 | | 20 solely for the purpose of protecting a child from any | 7 | | harm; | 8 | | (3) it will only disclose user data obtained under | 9 | | Section 20 as permitted by Section 20; and | 10 | | (4) it will disclose, in an easy-to-understand, | 11 | | human-readable format, to each child with respect to whose | 12 | | account with a large social media platform the service of | 13 | | the third-party safety software provider is operating and | 14 | | (if a parent or legal guardian of the child made the | 15 | | delegation under section 20 with respect to the account) | 16 | | to the parent or legal guardian, sufficient information | 17 | | detailing the operation of the service and what | 18 | | information the third-party safety software provider is | 19 | | collecting to enable such child and (if applicable) such | 20 | | parent or legal guardian to make informed decisions | 21 | | regarding the use of the service. | 22 | | (c) Within 30 days after there is any change to an | 23 | | affirmation made under subsection (a) by a third-party safety | 24 | | software provider that is registered under subsection (a), the | 25 | | provider shall notify the following of the change: | 26 | | (1) the Attorney General; and |
| | | SB3324 | - 11 - | LRB103 38089 JRC 68221 b |
|
| 1 | | (2) each child with respect to whose account with a | 2 | | large social media platform the service of the third-party | 3 | | safety software provider is operating and, if a parent or | 4 | | legal guardian of the child made the delegation under | 5 | | Section 20 with respect to the account, the parent or | 6 | | legal guardian. | 7 | | (d) The Attorney General may deregister a third-party | 8 | | safety software provider if it is determined that the provider | 9 | | has violated or misrepresented the affirmations made under | 10 | | subsection (b) or has not notified the Attorney General, a | 11 | | child, or a parent or legal guardian of a child of a change to | 12 | | an affirmation as required by subsection (c). | 13 | | If the Attorney General deregisters a third-party safety | 14 | | software provider under this subsection, the Attorney General | 15 | | shall notify each large social media platform provider of the | 16 | | deregistration of the third-party safety software provider and | 17 | | the specific reason for the deregistration. | 18 | | A large social media platform provider that receives a | 19 | | notification from the Attorney General under this subsection | 20 | | that the Attorney General has deregistered a third-party | 21 | | safety software provider shall notify each child with respect | 22 | | to whose account with the large social media platform the | 23 | | service of the third-party safety software provider was | 24 | | operating and, if a parent or legal guardian of the child made | 25 | | the delegation under Section 20 with respect to the account, | 26 | | the parent or legal guardian of the deregistration of the |
| | | SB3324 | - 12 - | LRB103 38089 JRC 68221 b |
|
| 1 | | third-party safety software provider and the specific reason | 2 | | for the deregistration provided by the Attorney General. | 3 | | Section 30. Registering as a large social media platform. | 4 | | (a) Before August 1, 2025, or within 30 days after a | 5 | | service becomes a large social media platform, as applicable, | 6 | | a large social media platform provider of the platform shall | 7 | | register the platform with the Attorney General by submitting | 8 | | to the Attorney General a statement indicating that the | 9 | | platform is a large social media platform. | 10 | | (b) The Attorney General shall establish a process to | 11 | | deregister a service registered under subsection (a) if the | 12 | | service is no longer a large social media platform. | 13 | | Section 35. Liability of third-party safety software | 14 | | provider. In any civil action, other than an action brought by | 15 | | the Attorney General, a large social media platform provider | 16 | | shall not be held liable for damages arising out of the | 17 | | transfer of user data to a third-party safety software | 18 | | provider in accordance with this Act, if the large social | 19 | | media platform provider has in good faith complied with the | 20 | | requirements of this Act and the guidance issued by the | 21 | | Attorney General in accordance with this Act. | 22 | | Section 99. Effective date. This Act takes effect June 1, | 23 | | 2025. |
|