103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB3324

 

Introduced 2/7/2024, by Sen. Mary Edly-Allen

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates Sammy's Law of 2024. Requires, before August 1, 2025, or within 30 days after a service becomes a large social media platform, a large social media platform provider to create, maintain, and make available to any third-party safety software provider a set of third-party-accessible real time application programming interfaces by which a child, or a parent or legal guardian of a child, may delegate permission to the third-party safety software provider to: (1) monitor the child's online interactions, content, and account settings on the large social media platform; and (2) initiate secure transfers of user data from the large social media platform in a commonly used and machine-readable format to the third-party safety software provider. Requires a third-party safety software provider to register with the Office of the Attorney General as a condition of accessing an application programming interface and any information or use data. Allows the Attorney General to deregister a third-party safety software provider if it is determined that the provider has violated or misrepresented a required affirmation or has not notified the Attorney General, a child, or a parent or legal guardian of a child of a change to a required affirmation. Requires, before August 1, 2025, or within 30 days after a service becomes a large social media platform, a large social media platform provider of the platform to register the platform with the Attorney General by submitting to the Attorney General a statement indicating that the platform is a large social media platform. Requires the Attorney General to establish a process to deregister a service if the service is no longer a large social media platform. Provides that in any civil action, a large social media platform provider shall not be held liable for damages arising out of the transfer of user data to a third-party safety software provider if the large social media platform provider has in good faith complied with the requirements of the Act and the guidance issued by the Attorney General in accordance with the Act. Effective June 1, 2025.


LRB103 38089 JRC 68221 b

 

 

A BILL FOR

 

SB3324LRB103 38089 JRC 68221 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as Sammy's
5Law of 2024.
 
6    Section 5. Legislative findings and intent.
7    (a) The General Assembly finds and declares all of the
8following:
9        (1) Parents and legal guardians should be empowered to
10    use the services of third-party safety software providers
11    to protect their children from certain harms on large
12    social media platforms.
13        (2) Dangers like cyberbullying, human trafficking,
14    illegal drug distribution, sexual harassment, and violence
15    perpetrated, facilitated, or exacerbated through the use
16    of certain large social media platforms have harmed
17    children on those platforms.
18    (b) It is the intent of the General Assembly to require
19large social media platform providers to create, maintain, and
20make available to third-party safety software providers a set
21of real-time application programming interfaces, through which
22a child or a parent or legal guardian of a child may delegate
23permission to a third-party safety software provider to manage

 

 

SB3324- 2 -LRB103 38089 JRC 68221 b

1the child's online interactions, content, and account settings
2on the large social media platform on the same terms as the
3child, and for other purposes.
 
4    Section 10. Definitions. In this Act:
5    "Child" means any individual under 18 years of age who has
6registered an account with a large social media platform.
7    "Large social media platform" means a service that meets
8all of the following:
9        (1) the service is provided through an Internet
10    website or a mobile application, or both;
11        (2) the terms of service do not prohibit the use of the
12    service by a child;
13        (3) the service includes features that enable a child
14    to share images, text, or video through the Internet with
15    other users of the service whom the child has met,
16    identified, or become aware of solely through the use of
17    the service; and
18        (4) the service has more than 100,000,000 monthly
19    global active users or generates more than $1,000,000,000
20    in gross revenue per year, adjusted yearly for inflation,
21    or both.
22"Large social media platform" does not include any of the
23following:
24        (A) a service that primarily serves to facilitate the
25    sale or provision of professional services or the sale of

 

 

SB3324- 3 -LRB103 38089 JRC 68221 b

1    commercial products;
2        (B) a service that primarily serves to provide news or
3    information and the service does not offer the ability for
4    content to be sent by a user directly to a child; or
5        (C) a service that has features that enable a user who
6    communicates directly with a child through a message,
7    including a text, audio, or video message, not otherwise
8    available to other users of the service, to add other
9    users to that message that the child may not have
10    otherwise met, identified, or become aware of solely
11    through the use of the service and does not have any
12    features described in paragraph (3).
13    "Large social media platform provider" means any person
14who, for commercial purposes, provides, manages, operates, or
15controls a large social media platform.
16    "Third-party safety software provider" means any person
17who, for commercial purposes, is authorized by a child, if the
18child is 13 years of age or older, or a parent or legal
19guardian of a child, to interact with a large social media
20platform to manage the child's online interactions, content,
21or account settings for the sole purpose of protecting the
22child from harm, including physical or emotional harm.
23    "User data" means any information needed to have a profile
24on a large social media platform or content on a large social
25media platform, including images, video, audio, or text, that
26is created by or sent to a child on or through the child's

 

 

SB3324- 4 -LRB103 38089 JRC 68221 b

1account with that platform, and the information or content is
2created by or sent to the child while a delegation under
3Section 20 is in effect with respect to the account.
4Information shall only be considered "user data" for 30 days,
5beginning on the date on which the information or content is
6created by or sent to the child.
 
7    Section 15. List of third-party safety software providers.
8The Attorney General shall make publicly available on the
9Attorney General's Internet website a list of the third-party
10safety software providers registered under Section 25, a list
11of the large social media platforms registered under Section
1230, and a list of the third-party safety software providers
13deregistered under Section 25.
 
14    Section 20. Delegation of permission to third-party
15software provider.
16    (a) Before August 1, 2025, or within 30 days after a
17service becomes a large social media platform, as applicable,
18a large social media platform provider shall create, maintain,
19and make available to any third-party safety software provider
20registered with the Attorney General under Section 25 a set of
21third-party-accessible real time application programming
22interfaces, including any information necessary to use the
23interfaces, by which a child (if the child is 13 years of age
24of older), or a parent or legal guardian of a child, may

 

 

SB3324- 5 -LRB103 38089 JRC 68221 b

1delegate permission to the third-party safety software
2provider to:
3        (1) manage the child's online interactions, content,
4    and account settings on the large social media platform on
5    the same terms as the child; and
6        (2) initiate secure transfers of user data from the
7    large social media platform in a commonly used and
8    machine-readable format to the third-party safety software
9    provider, and the frequency of the transfers may not be
10    limited by the large social media platform provider to
11    less than once per hour.
12    (b) Once a child or a parent or legal guardian of a child
13makes a delegation under subsection (a), the large social
14media platform provider shall make the application programming
15interfaces and information available to the third-party safety
16software provider on an ongoing basis until one of the
17following applies:
18        (1) the child (if the child made the delegation) or
19    the parent or legal guardian of such child revokes the
20    delegation;
21        (2) the child or a parent or legal guardian of such
22    child revokes or disables the registration of the account
23    of such child with the large social media platform;
24        (3) the third-party safety software provider rejects
25    the delegation; or
26        (4) one or more of the affirmations made by the

 

 

SB3324- 6 -LRB103 38089 JRC 68221 b

1    third-party safety software provider under Section 25 is
2    no longer true.
3    (c) A large social media platform provider shall establish
4and implement reasonable policies, practices, and procedures
5regarding the secure transfer of user data pursuant to a
6delegation under subsection (a) from the large social media
7platform to a third-party safety software provider in order to
8mitigate any risks related to user data.
9    (d) If a delegation is made by a child or a parent or legal
10guardian of a child under subsection (a) with respect to the
11account of the child with a large social media platform, the
12large social media platform provider shall:
13        (1) disclose to the child and, if the parent or legal
14    guardian made the delegation, the parent or legal guardian
15    the fact that the delegation has been made;
16        (2) provide to the child and, if the parent or legal
17    guardian made the delegation, the parent or legal guardian
18    a summary of what user data is being transferred to the
19    third-party safety software provider; and
20        (3) provide any update to the summary under paragraph
21    (2) as necessary to reflect any change to what user data is
22    being transferred to the third-party safety software
23    provider.
24    (e) A third-party safety software provider shall not
25disclose any user data obtained under this Section to any
26person except as follows:

 

 

SB3324- 7 -LRB103 38089 JRC 68221 b

1        (1) Pursuant to a lawful request from a government
2    body, including, but not limited to, for law enforcement
3    purposes or for judicial or administrative proceedings by
4    means of a court order or a court ordered warrant, a
5    subpoena or summons issued by a judicial officer, or a
6    grand jury subpoena.
7        (2) To the extent that the disclosure is required by
8    law and the disclosure complies with and is limited to the
9    relevant requirements of that law.
10        (3) To the child, or a parent or legal guardian of the
11    child, who made a delegation under this Section and whose
12    data is at issue. The disclosure shall be limited, by a
13    good faith effort on the part of the third-party safety
14    software provider, only to the user data strictly
15    sufficient for a reasonable parent or caregiver to
16    understand that the child is at foreseeable risk or
17    currently experiencing any of the following harms:
18            (A) suicide;
19            (B) anxiety;
20            (C) depression;
21            (D) eating disorders;
22            (E) violence, including being the victim of or
23        planning to commit or facilitate battery under Section
24        12-3 of the Criminal Code of 2012 and assault under
25        Section 12-1 of the Criminal Code of 2012;
26            (F) substance abuse;

 

 

SB3324- 8 -LRB103 38089 JRC 68221 b

1            (G) fraud;
2            (H) trafficking in persons under Section 10-9 of
3        the Criminal Code 2012;
4            (I) sexual abuse;
5            (J) physical injury;
6            (K) harassment, including hate-based harassment,
7        sexual harassment, and stalking under Section 12-7.3
8        of the Criminal Code of 2012;
9            (L) exposure to harmful material under Section
10        11-21 of the Criminal Code of 2012;
11            (M) communicating with a terrorist organization as
12        defined under Section 219 of the federal Immigration
13        and Nationality Act, 8 U.S.C. 1189;
14            (N) academic dishonesty, including cheating,
15        plagiarism, or other forms of academic dishonesty that
16        are intended to gain an unfair academic advantage; or
17            (O) sharing personal information limited to:
18                (i) home address;
19                (ii) telephone number;
20                (iii) social security number; and
21                (iv) personal banking information.
22        (4) In the case of a reasonably foreseeable serious
23    and imminent threat to the health or safety of any
24    individual, if the disclosure is made to a person or
25    persons reasonably able to prevent or lessen the threat.
26        (5) to a public health authority or other appropriate

 

 

SB3324- 9 -LRB103 38089 JRC 68221 b

1    government authority authorized by law to receive reports
2    of child abuse or neglect.
3        (6) A third-party safety software provider that makes
4    a disclosure permitted by paragraphs (1), (2), (4), or (5)
5    shall promptly inform the child with respect to whose
6    account with a large social media platform the delegation
7    was made under subsection (a) and (if a parent or legal
8    guardian of the child made the delegation) the parent or
9    legal guardian that such a disclosure has been or will be
10    made, except if
11            (A) the third-party safety software provider, in
12        the exercise of professional judgment, believes
13        informing such child or parent or legal guardian would
14        place such child at risk of serious harm; or
15            (B) the third-party safety software provider is
16        prohibited by law (including a valid order by a court
17        or administrative body) from informing such child or
18        parent or legal guardian.
 
19    Section 25. Third-party safety software registration,
20affirmations, and deregistration.
21    (a) A third-party safety software provider shall register
22with the Office of the Attorney General as a condition of
23accessing an application programming interface and any
24information or use data under Section 20.
25    (b) The registration shall require the third-party safety

 

 

SB3324- 10 -LRB103 38089 JRC 68221 b

1software provider to affirm that the third-party safety
2software provider meets all of the following requirements:
3        (1) it is solely engaged in the business of Internet
4    safety;
5        (2) it will use any user data obtained under Section
6    20 solely for the purpose of protecting a child from any
7    harm;
8        (3) it will only disclose user data obtained under
9    Section 20 as permitted by Section 20; and
10        (4) it will disclose, in an easy-to-understand,
11    human-readable format, to each child with respect to whose
12    account with a large social media platform the service of
13    the third-party safety software provider is operating and
14    (if a parent or legal guardian of the child made the
15    delegation under section 20 with respect to the account)
16    to the parent or legal guardian, sufficient information
17    detailing the operation of the service and what
18    information the third-party safety software provider is
19    collecting to enable such child and (if applicable) such
20    parent or legal guardian to make informed decisions
21    regarding the use of the service.
22    (c) Within 30 days after there is any change to an
23affirmation made under subsection (a) by a third-party safety
24software provider that is registered under subsection (a), the
25provider shall notify the following of the change:
26        (1) the Attorney General; and

 

 

SB3324- 11 -LRB103 38089 JRC 68221 b

1        (2) each child with respect to whose account with a
2    large social media platform the service of the third-party
3    safety software provider is operating and, if a parent or
4    legal guardian of the child made the delegation under
5    Section 20 with respect to the account, the parent or
6    legal guardian.
7    (d) The Attorney General may deregister a third-party
8safety software provider if it is determined that the provider
9has violated or misrepresented the affirmations made under
10subsection (b) or has not notified the Attorney General, a
11child, or a parent or legal guardian of a child of a change to
12an affirmation as required by subsection (c).
13    If the Attorney General deregisters a third-party safety
14software provider under this subsection, the Attorney General
15shall notify each large social media platform provider of the
16deregistration of the third-party safety software provider and
17the specific reason for the deregistration.
18    A large social media platform provider that receives a
19notification from the Attorney General under this subsection
20that the Attorney General has deregistered a third-party
21safety software provider shall notify each child with respect
22to whose account with the large social media platform the
23service of the third-party safety software provider was
24operating and, if a parent or legal guardian of the child made
25the delegation under Section 20 with respect to the account,
26the parent or legal guardian of the deregistration of the

 

 

SB3324- 12 -LRB103 38089 JRC 68221 b

1third-party safety software provider and the specific reason
2for the deregistration provided by the Attorney General.
 
3    Section 30. Registering as a large social media platform.
4    (a) Before August 1, 2025, or within 30 days after a
5service becomes a large social media platform, as applicable,
6a large social media platform provider of the platform shall
7register the platform with the Attorney General by submitting
8to the Attorney General a statement indicating that the
9platform is a large social media platform.
10    (b) The Attorney General shall establish a process to
11deregister a service registered under subsection (a) if the
12service is no longer a large social media platform.
 
13    Section 35. Liability of third-party safety software
14provider. In any civil action, other than an action brought by
15the Attorney General, a large social media platform provider
16shall not be held liable for damages arising out of the
17transfer of user data to a third-party safety software
18provider in accordance with this Act, if the large social
19media platform provider has in good faith complied with the
20requirements of this Act and the guidance issued by the
21Attorney General in accordance with this Act.
 
22    Section 99. Effective date. This Act takes effect June 1,
232025.