S.F. 2197 Section 1. NEW SECTION . 554J.1 Definitions. 1 1. “Account holder” means the individual who is associated 2 with the mobile device. 3 2. “Age category” means one of the following categories of 4 individuals based on age: 5 a. “Adult” which means an individual who is at least 6 eighteen years old. 7 b. “Child” which means an individual who is under thirteen 8 years old. 9 c. “Older teenager” which means an individual who is at 10 least sixteen years old and under eighteen years old. 11 d. “Younger teenager” which means an individual who is at 12 least thirteen years old and under sixteen years old. 13 3. “Age category data” means information about an account 14 holder’s age category that is collected by an app store 15 provider and is shared with a developer. 16 4. “Age rating” means one or more classifications that 17 assess the suitability of an app’s content and functions for 18 different age groups. 19 5. “App” means a software application or electronic service 20 that a user may run or direct on a mobile device. 21 6. “App store” means a publicly available internet site, 22 software application, or electronic service that allows an 23 account holder to download an app from a third-party developer 24 onto a mobile device. 25 7. “App store provider” means a person that owns, operates, 26 or controls an app store that allows account holders in the 27 state to download apps onto a mobile device. 28 8. “Content description” means a description of the specific 29 content elements or functions that informed an app’s age 30 rating. 31 9. “Developer” means a person that owns or controls an app 32 made available through an app store in the state. 33 10. “Knowingly” means to act with actual knowledge or 34 to act with knowledge fairly inferred based on objective 35 -1- LSB 5588XS (9) 91 dg/jh 1/ 14

S.F. 2197 circumstances. 1 11. “Minor” means an individual under eighteen years old 2 unless the individual is married or legally emancipated. 3 12. “Minor account” means an account with an app store 4 provider that is established by an individual who is a minor. 5 A minor account must be affiliated with a parent account. 6 13. “Mobile device” means a phone or general-purpose tablet 7 described by all of the following: 8 a. The phone or general-purpose tablet provides cellular or 9 wireless connectivity. 10 b. The phone or general-purpose tablet is capable of 11 connecting to the internet. 12 c. The phone or general-purpose tablet runs a mobile 13 operating system. 14 d. The phone or general-purpose tablet is capable of running 15 apps through the mobile operating system. 16 14. “Mobile operating system” means software that does all 17 of the following: 18 a. Manages mobile device hardware resources. 19 b. Provides common services for mobile device programs. 20 c. Controls memory allocation. 21 d. Provides interfaces for apps to access device 22 functionality. 23 15. “Parent” means, with respect to a minor, an individual 24 who is reasonably believed to be a parent, a legal guardian, an 25 individual with legal custody, or any other individual who has 26 the legal authority to make decisions on behalf of the minor. 27 16. “Parent account” means an account with an app store 28 provider that is described by all of the following: 29 a. The account is verified to be established by an 30 individual the app store provider has determined through 31 the app store provider’s age verification methods that 32 the individual is at least eighteen years old, married, or 33 emancipated. 34 b. The account may be affiliated with one or more minor 35 -2- LSB 5588XS (9) 91 dg/jh 2/ 14

S.F. 2197 accounts. 1 17. “Parental consent disclosure” means a statement about 2 an app or an in-app purchase containing all of the following 3 information: 4 a. If the app store provider has an age rating for the app 5 or in-app purchase, the app’s or in-app purchase’s age rating. 6 b. If the app store provider has a content description for 7 the app or in-app purchase, the app’s or in-app purchase’s 8 content description. 9 c. A description of all of the following: 10 (1) The personal data collected by the app from an account 11 holder. 12 (2) The personal data shared by the app with a third party. 13 d. If personal data is collected by the app, the methods 14 implemented by the developer to protect the personal data. 15 18. “Significant change” means a material modification to 16 an app’s terms of service or privacy policy that is described 17 by any of the following: 18 a. The modification changes the categories of data 19 collected, stored, or shared. 20 b. The modification alters the app’s age rating or content 21 descriptions. 22 c. The modification adds new monetization features, 23 including any of the following: 24 (1) In-app purchases. 25 (2) Advertisements. 26 d. The modification materially changes any of the following: 27 (1) The app’s functionality. 28 (2) The app’s user experience. 29 19. “Verifiable parental consent” means authorization that 30 is described by all of the following: 31 a. The authorization is provided by a parent account. 32 b. The authorization is given after the app store provider 33 has clearly and conspicuously provided the parental consent 34 disclosure as part of the app download, purchase, or in-app 35 -3- LSB 5588XS (9) 91 dg/jh 3/ 14

S.F. 2197 purchase process. 1 c. The authorization requires the parent to make an 2 affirmative choice to do any of the following: 3 (1) Grant consent. 4 (2) Decline consent. 5 Sec. 2. NEW SECTION . 554J.2 App store provider 6 requirements. 7 1. An app store provider shall do all of the following: 8 a. At the time an individual who is located in the state 9 creates an account with the app store provider, the app store 10 provider shall do all of the following: 11 (1) Request age category information from the individual. 12 (2) Verify the individual’s age category using any of the 13 following: 14 (a) Commercially available methods that are reasonably 15 designed to ensure accuracy. 16 (b) An age verification method or process that complies with 17 rules adopted by the attorney general. 18 b. If the app store provider determines the individual is a 19 minor, the app store provider shall do all of the following: 20 (1) Require the account to be affiliated with a parent 21 account. 22 (2) Obtain verifiable parental consent from the holder of 23 the affiliated parent account each time before allowing the 24 minor to any of the following: 25 (a) Download an app. 26 (b) Purchase an app. 27 (c) Make an in-app purchase. 28 c. After receiving notice of a significant change from 29 a developer, the app store provider shall do all of the 30 following: 31 (1) Notify the account holder of the significant change. 32 (2) For a minor account, all of the following: 33 (a) Notify the parent account. 34 (b) Obtain renewed verifiable parental consent. 35 -4- LSB 5588XS (9) 91 dg/jh 4/ 14

S.F. 2197 d. Provide to a developer, in response to a request 1 authorized under section 554J.3, all of the following: 2 (1) Age category data for an account holder located in the 3 state. 4 (2) The status of verifiable parental consent for a minor 5 located in the state. 6 e. Notify a developer when a parent revokes verifiable 7 parental consent. 8 f. Protect age category data and any associated verification 9 data through all of the following: 10 (1) Limiting collection and processing to data necessary to 11 all of the following: 12 (a) Verifying an account holder’s age category. 13 (b) Obtaining verifiable parental consent. 14 (c) Maintaining compliance records. 15 (2) Transmitting age category data using industry-standard 16 encryption protocols that ensure data integrity and data 17 confidentiality. 18 2. An app store provider shall not do any of the following: 19 a. Enforce a contract or terms of service against a minor 20 unless the app store provider has obtained verifiable parental 21 consent. 22 b. Knowingly misrepresent the information in the parental 23 consent disclosure. 24 c. Share age category data and any associated data except as 25 required by this chapter or otherwise required by law. 26 Sec. 3. NEW SECTION . 554J.3 Developer requirements. 27 1. A developer shall do all of the following: 28 a. Verify through the app store’s data sharing methods the 29 age category data of account holders located in the state, and 30 for a minor’s account, whether verifiable parental consent has 31 been obtained. 32 b. Notify app store providers of a significant change to an 33 app. 34 c. Use age category data received through the app store’s 35 -5- LSB 5588XS (9) 91 dg/jh 5/ 14

S.F. 2197 data sharing methods to do all of the following: 1 (1) Enforce any developer-created, age-related 2 restrictions, safety-related features, or defaults. 3 (2) Ensure compliance with applicable laws and regulations. 4 d. Request age category data or verifiable parental consent 5 at all of the following times: 6 (1) At the time an account holder downloads an app. 7 (2) At the time an account holder purchases an app. 8 (3) When implementing a significant change to the app. 9 (4) When necessitated to comply with applicable law. 10 2. A developer may request age category data at all of the 11 following times: 12 a. No more than once during each twelve-month period to 13 verify any of the following: 14 (1) The accuracy of age category data associated with an 15 account holder. 16 (2) Continued account use within the age category. 17 b. When there is reasonable suspicion of any of the 18 following: 19 (1) An account transfer. 20 (2) Misuse outside of the age category. 21 c. At the time an account holder creates a new account with 22 the developer. 23 3. When implementing any developer-created, age-related 24 restrictions, safety-related features, or defaults, a developer 25 shall use the lowest age category indicated by any of the 26 following: 27 a. Age category data received through the app store’s data 28 sharing methods. 29 b. Age data independently collected by the developer. 30 4. A developer shall not do any of the following: 31 a. Enforce a contract or terms of service against a minor 32 unless the developer has verified through an app store’s data 33 sharing methods that verifiable parental consent has been 34 obtained. 35 -6- LSB 5588XS (9) 91 dg/jh 6/ 14

S.F. 2197 b. Knowingly misrepresent any information in the parental 1 consent disclosure. 2 c. Share age category data with any person. 3 Sec. 4. NEW SECTION . 554J.4 Attorney general —— rulemaking 4 authority. 5 The attorney general shall adopt rules to establish 6 processes and means by which an app store provider may verify 7 an account holder’s age category as required under section 8 554J.2. 9 Sec. 5. NEW SECTION . 554J.5 Enforcement. 10 1. a. A minor, or the parent of a minor, who has been 11 harmed by a violation of this chapter may bring a civil action 12 against an app store provider or a developer. 13 b. In an action brought under this subsection, the court 14 shall award a prevailing plaintiff any combination of the 15 following: 16 (1) The greater of actual damages or one thousand dollars 17 per violation. 18 (2) Punitive damages if the violation was egregious. 19 (3) Reasonable attorney fees. 20 (4) Court costs. 21 2. a. A violation of this chapter is an unfair practice 22 under section 714.16 subject to the civil penalty limitation in 23 paragraph “b” , subparagraph (1). 24 b. In addition to any other available remedy, the attorney 25 general may bring an action against an app store provider or a 26 developer to do any combination of the following: 27 (1) Recover a civil penalty not to exceed seven thousand 28 five hundred dollars per violation. 29 (2) Restrain or enjoin the app store provider or developer 30 from violating this chapter. 31 (3) Seek injunctive relief. 32 (4) Recover reasonable attorney fees. 33 (5) Recover litigation costs and the costs of investigating 34 the violation. 35 -7- LSB 5588XS (9) 91 dg/jh 7/ 14

S.F. 2197 Sec. 6. NEW SECTION . 554J.6 Safe harbor. 1 1. A developer is not liable for a violation of this chapter 2 if the developer demonstrates that the developer did all of the 3 following: 4 a. Relied in good faith on applicable age category data 5 received through an app store’s data sharing methods. 6 b. Relied in good faith on notification from an app store 7 provider that verifiable parental consent was obtained if the 8 account holder was a minor. 9 c. Complied with the requirements described in section 10 554J.3. 11 2. In determining an app’s age rating and content 12 description for purposes of section 554J.3, a developer is not 13 liable for a violation of this chapter if the developer uses 14 widely adopted industry standards to determine the app’s age 15 category and content description and applies the standards 16 consistently and in good faith. 17 3. The safe harbor described in this section applies only 18 to actions brought under this chapter, and does not limit a 19 developer or app store provider’s liability under any other 20 applicable law. 21 4. Nothing in this chapter shall displace any other 22 available remedies or rights authorized under the laws of this 23 state or the United States. 24 Sec. 7. NEW SECTION . 554J.7 Severability. 25 The provisions of this chapter are severable pursuant to 26 section 4.12. 27 Sec. 8. NEW SECTION . 554J.8 Application and limitations. 28 This chapter shall not be construed to do any of the 29 following: 30 1. Prevent an app store provider or developer from taking 31 reasonable measures to do any of the following: 32 a. Block, detect, or prevent distribution of any of the 33 following to a minor: 34 (1) Unlawful material. 35 -8- LSB 5588XS (9) 91 dg/jh 8/ 14

S.F. 2197 (2) Obscene material. 1 (3) Other harmful material. 2 b. Block or filter spam. 3 c. Prevent criminal activity. 4 d. Protect app store or app security. 5 2. Require an app store provider to disclose user 6 information to a developer beyond age category data. 7 3. Allow an app store provider or developer to implement 8 measures required by this chapter in a manner that is 9 arbitrary, capricious, anticompetitive, or unlawful. 10 4. Require an app store provider or developer to obtain 11 verifiable parental consent for an app that is described by all 12 of the following: 13 a. The app provides direct access to emergency services, 14 including any of the following: 15 (1) 911. 16 (2) A crisis hotline. 17 (3) Emergency assistance services legally available to 18 minors. 19 b. The app limits data collection to information necessary 20 to provide emergency services in compliance with 15 U.S.C. 21 §6501, et seq. 22 c. The app provides access without requiring any of the 23 following: 24 (1) Account creation. 25 (2) Collection of unnecessary personal information. 26 d. The app is operated by or in partnership with any of the 27 following: 28 (1) A government entity. 29 (2) A nonprofit organization. 30 (3) An authorized emergency service provider. 31 5. Require a developer to collect, retain, re-identify, 32 or link any information beyond what is necessary to verify 33 age category data as required by this chapter and collected, 34 retained, re-identified, or linked in the developer’s ordinary 35 -9- LSB 5588XS (9) 91 dg/jh 9/ 14

S.F. 2197 course of business. 1 6. Relieve a developer of its obligation to conduct age 2 verification as otherwise required by law. A developer may 3 rely on age category data obtained under this chapter to the 4 extent those signals satisfy the requirements of applicable 5 law. 6 Sec. 9. Section 714.16, subsection 2, Code 2026, is amended 7 by adding the following new paragraph: 8 NEW PARAGRAPH . t. It is an unlawful practice for a person 9 to violate chapter 554J. 10 Sec. 10. APPLICABILITY. The following apply December 1, 11 2026: 12 The sections of this Act enacting sections 554J.2 and 13 554J.3. 14 EXPLANATION 15 The inclusion of this explanation does not constitute agreement with 16 the explanation’s substance by the members of the general assembly. 17 This bill relates to app store provider and app developer 18 requirements concerning minor users. 19 The bill defines “developer” as a person that owns or 20 controls an app made available through an app store in the 21 state. 22 The bill also defines “account holder”, “age category”, “age 23 category data”, “age rating”, “app”, “app store”, “app store 24 provider”, “content description”, “knowingly”, “minor”, “minor 25 account”, “mobile device”, “mobile operating system”, “parent”, 26 “parent account”, “parental consent disclosure”, “significant 27 change”, and “verifiable parental consent”. 28 The bill requires an app store provider to request age 29 category information and verify the age of an individual 30 located in this state at the time the individual creates an 31 account with the app store provider. If the app store provider 32 determines the individual is a minor, the app store provider 33 must require the account to be affiliated with a parent account 34 and obtain verifiable parental consent from the holder of 35 -10- LSB 5588XS (9) 91 dg/jh 10/ 14

S.F. 2197 the affiliated parent account each time before allowing the 1 minor to download an app, purchase an app, or make an in-app 2 purchase. 3 The bill requires an app store provider to provide notices 4 and receive verifiable parental consent as described in 5 the bill after the app store provider receives notice of a 6 significant change from a developer. 7 The bill requires an app store provider to provide 8 age category data for an account holder and the status of 9 verifiable parental content for a minor when a developer 10 requests such information. The app store provider must also 11 notify the developer when a parent revokes verifiable parental 12 consent. 13 The bill requires an app store provider to protect age 14 category data and any associated verification data through 15 methods described in the bill. 16 The bill prohibits an app store provider from enforcing 17 a contract or terms of service against a minor unless the 18 app store provider has obtained verifiable parental consent, 19 knowingly misrepresenting the information in the parental 20 consent disclosure, or sharing age category data and any 21 associated data except as required by the new Code chapter or 22 otherwise required by law. 23 The bill requires a developer to verify through the app 24 store’s data sharing methods the age category data of account 25 holders located in the state, and for a minor’s account, 26 whether verifiable parental consent has been obtained; notify 27 app store providers of a significant change to an app; use age 28 category data received through the app store’s data sharing 29 methods to perform acts detailed in the bill; and request age 30 category data or verifiable parental consent at times detailed 31 in the bill. 32 The bill allows a developer to request age category data at 33 times detailed in the bill. 34 When implementing any developer-created, age-related 35 -11- LSB 5588XS (9) 91 dg/jh 11/ 14

S.F. 2197 restrictions, safety-related features, or defaults, the 1 bill requires a developer to use the lowest age category as 2 indicated by age category data received through the app store’s 3 data sharing methods or age data independently collected by the 4 developer. 5 The bill prohibits a developer from enforcing a contract 6 or terms of service against a minor unless the developer has 7 verified through an app store’s data sharing methods that 8 verifiable parental consent has been obtained, knowingly 9 misrepresenting any information in the parental consent 10 disclosure, or sharing age category data with any person. 11 The bill requires the attorney general to adopt rules to 12 establish processes and means by which an app store provider 13 may verify an account holder’s age category. 14 The bill allows a minor, or the parent of a minor, who has 15 been harmed by a violation of the bill to bring a civil action 16 against an app store provider or a developer. The court shall 17 award a prevailing plaintiff any combination of the greater of 18 actual damages or $1,000 per violation, punitive damages if the 19 violation was egregious, reasonable attorney fees, and court 20 costs. 21 A violation of the bill is an unfair practice under Code 22 chapter 714.16 (consumer fraud), punishable by disgorgement of 23 money, return of money to a plaintiff, enjoinment of fraudulent 24 acts, and a civil penalty of up to $7,500. 25 In addition to other available remedies, the bill allows 26 the attorney general to bring an action against an app store 27 provider or a developer to restrain or enjoin the app store 28 provider or developer from violating the bill, seek injunctive 29 relief, recover reasonable attorney fees, and recover 30 litigation costs and the costs of investigating the violation. 31 A developer is not liable for a violation of the bill if the 32 developer demonstrates that the developer relied in good faith 33 on applicable age category data received through an app store’s 34 data sharing methods, relied in good faith on notification from 35 -12- LSB 5588XS (9) 91 dg/jh 12/ 14

S.F. 2197 an app store provider that verifiable parental consent was 1 obtained if the account holder was a minor, and complied with 2 the bill’s other requirements. 3 In determining an app’s age rating and content description, 4 a developer is not liable for a violation of the bill if the 5 developer uses widely adopted industry standards to determine 6 the app’s age category and content description and applies the 7 standards consistently and in good faith. 8 The safe harbor described in the bill applies only to actions 9 brought under the bill’s provisions, and does not limit a 10 developer or app store provider’s liability under any other 11 applicable law. 12 Nothing in the bill shall displace any other available 13 remedies or rights authorized under the laws of this state or 14 the United States. 15 The provisions of the bill are severable. 16 Nothing in the bill shall be construed to prevent an app 17 store provider or developer from taking reasonable measures 18 against certain objectionable materials or criminal activity 19 or otherwise protect app store or security as detailed in 20 the bill; require an app store provider to disclose user 21 information to a developer beyond age category data; allow 22 an app store provider or developer to implement measures 23 required by the bill in a manner that is arbitrary, capricious, 24 anticompetitive, or unlawful; require an app store provider 25 or developer to obtain verifiable parental consent for an app 26 that is related to emergency services as described in the 27 bill; require a developer to collect, retain, re-identify, or 28 link any information beyond what is necessary to verify age 29 category data as required by the bill and collected, retained, 30 re-identified, or linked in the developer’s ordinary course of 31 business; or relieve a developer of its obligation to conduct 32 age verification, as otherwise required by law. A developer 33 may rely on age category data obtained under the bill to the 34 extent those signals satisfy the requirements of applicable 35 -13- LSB 5588XS (9) 91 dg/jh 13/ 14