ARIZONA STATE SENATE

RESEARCH STAFF

 

ZACK DEAN

LEGISLATIVE RESEARCH ANALYST

TRANSPORTATION & TECHNOLOGY COMMITTEE

Telephone: (602) 926-3171

 

TO: MEMBERS OF THE SENATE APPROPRIATIONS COMMITTEE

DATE: March 29, 2021

SUBJECT: Strike everything amendment to H.B. 2262, relating to data portability


 


Purpose

Requires a communications platform provider to maintain third-party-accessible interfaces to facilitate the transfer of user data to a custodial third-party agent.

Background

The Children's Online Privacy Protection Act (COPPA) was enacted in 1998 and was updated on July 1, 2013. The purpose of the COPPA is to provide parents with access to and control over what information is collected from children under 13 years old by website and online services operators. Among other requirements, the COPPA requires covered operators to: 1) post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; 2) provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; and 3) provide parents access to their child's personal information to review or have information deleted (16 CFR Part 312).

An application programming interface is a software intermediary that enables the communication between multiple types of computer software or hardware, allowing web applications to function across various operating platforms or devices. Application programming interfaces are responsible for the presentation of digital information that can be understood by an individual.

There is no anticipated fiscal impact to the state General Fund associated with this legislation.

Provisions

1.   Requires a communications platform provider to maintain a set of transparent third-party-accessible interfaces, including application programming interfaces, to initiate the secure transfer of user data to a user or a custodial third-party agent at the direction of the user.

2.   Specifies that the transfer of user data must be done in a structured, commonly used and machine-readable format.

3.   Requires a custodial third-party agent that receives user data from a communications platform provider to:

a)   comply with a standard security framework that is annually audited by a third party; and

b)   reasonably secure any user data that is acquired.

4.   Prohibits a custodial third-party agent from using or sharing any user data for commercial benefit beyond what is required for the custodial third-party agent to deliver services to the user.

5.   Defines communications platform provider as an entity that operates a platform with more than 10 million monthly active users in the United States and that offers consumers the ability to communicate with others over the internet or through short message service, including social media, voice chat and messaging platforms.

6.   Defines custodial third-party agent as an entity that is duly authorized by a user to interact with a communications platform provider on that user's behalf to manage, process or analyze the user's online interactions, content and account settings.

7.   Defines user as a person who is under 18 years old or the user's legal guardian.

8.   Defines user data as information about a user who is under eighteen years of age that is:

a)   collected directly by a communications platform provider;

b)   linked or reasonably linkable to the user's account on a communications platform;

c)   a communication typical to online messaging, multimedia sharing and social networking, including a message, post or comment and any associated attachment such as an image or video, that is transmitted to or from the user within the preceding 30-day period, including any deleted communication; and

i. does not include information that is deidentified or anonymized.

9.   Becomes effective on the general effective date.