Full Text
Official text as published. Use Ctrl+F / Cmd+F to search within the document.
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 4855 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
2d Session
S. 4855
To require providers of certain artificial intelligence systems to
implement child safety by design, parental settings, and independent
audits, to prohibit child targeted advertising and the sale or sharing
of children's personal information, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
June 23, 2026
Mr. Curtis (for himself and Mr. Schiff) introduced the following bill;
which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To require providers of certain artificial intelligence systems to
implement child safety by design, parental settings, and independent
audits, to prohibit child targeted advertising and the sale or sharing
of children's personal information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safeguarding AI Features to Ensure
Kids' Informed Digital Safety Act'' or the ``SAFE KIDS Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Age signal.--The term ``age signal'' means machine-
readable information that indicates whether a user has attained
18 years of age.
(2) AI chatbot.--
(A) In general.--The term ``AI chatbot'' means any
artificial intelligence system that--
(i) generates responses not fully
predetermined by the provider of an AI chatbot;
and
(ii) accepts open-ended natural-language or
multimodal user input and produces adaptive or
context-responsive output.
(B) Exclusions.--The term ``AI chatbot'' shall not
include an artificial intelligence system--
(i) that is used only for--
(I) customer service;
(II) operational purposes with
respect to a business entity; or
(III) enterprise deployments where
the artificial intelligence system is
solely used for internal research or
technical assistance by an enterprise,
such as a business, non-profit,
educational institution, research or
professional association, or Federal,
State, or local government, provided
that the deployment is not intended for
use by minors;
(ii) the responses of which are limited to
contextualized replies; or
(iii) that is unable to respond on a range
of topics outside of a narrow specified
purpose.
(C) Rule of construction.--The term ``AI chatbot''
shall be interpreted broadly and shall include the
original system, as well as all updates, new versions,
and changes of such system.
(3) Artificial intelligence system.--The term ``artificial
intelligence system'' has the meaning given to the term
``artificial intelligence'' in section 5002 of the National
Artificial Intelligence Initiative Act of 2020 (15 U.S.C.
9401).
(4) Child.--The term ``child'' means an individual who has
not attained 18 years of age.
(5) Child safety policy.--The term ``child safety policy''
means a public-facing document describing protective measures
(including privacy controls and parental settings) taken by the
provider of an AI chatbot to mitigate any child safety risk.
(6) Child safety risk.--The term ``child safety risk''
means any reasonably foreseeable risk of a covered harm to a
child.
(7) Child sexual abuse material.--The term ``child sexual
abuse material'' has the meaning given the term ``child
pornography'' in section 2256 of title 18, United States Code.
(8) Child targeted advertising.--The term ``child targeted
advertising'' means cross-context behavioral advertising
directed at children.
(9) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(10) Covered harm.--The term ``covered harm'' means any of
the following harms proximately caused by the use of an AI
chatbot:
(A) Reasonably foreseeable physical harm (including
suicide, attempted suicide, other self-harm), sexual
exploitation, or threats of violence.
(B) Reasonably foreseeable financial harm.
(C) Severe and reasonably foreseeable psychological
or emotional harm to a child, including an eating
disorder, substance use disorder, depressive disorder,
or anxiety disorder.
(D) A highly offensive intrusion on a privacy right
protected by Federal or State law.
(E) Adverse discrimination in violation of Federal
or State law.
(11) Cross-context behavioral advertising.--The term
``cross-context behavioral advertising'' means the targeting of
an advertisement to an individual based on the individual's
personal information or inputs to an AI chatbot, obtained from
the individual's activity across businesses, distinctly branded
websites, applications, or services.
(12) Encrypted user content.--
(A) In general.--The term ``encrypted user
content'' means content (including audio, visual, or
textual content) that is stored, transmitted, or held
in a manner that is end-to-end encrypted or otherwise
cryptographically protected such that the provider of
an AI chatbot cannot access the cleartext information
of the content without circumventing the provider's
memorialized security protections.
(B) Rule of construction.--Nothing in this Act
shall be construed to require a provider of an AI
chatbot to alter, weaken, bypass, or otherwise modify
its cryptographic or security protections in order to
access or disclose the cleartext information of
encrypted user content.
(13) Parent.--The term ``parent'', with respect to a child,
includes a parent or legal guardian of the child.
(14) Parental setting.--The term ``parental setting'' means
a feature that enables a parent to support a child's use of an
AI chatbot, including through usage limits, feature
restrictions, or transparency tools.
(15) Personal information.--The term ``personal
information'' has the meaning given such term in section 1302
of the Children's Online Privacy Protection Act of 1998 (15
U.S.C. 6501).
(16) Provider of an ai chatbot.--The term ``provider of an
AI chatbot'' means a person who makes an AI chatbot available
to a user in the United States.
(17) Qualified researcher.--The term ``qualified
researcher'' means a person that--
(A) is affiliated with an academic institution,
nonprofit research organization, or independent
research entity, or is otherwise able to demonstrate
relevant professional expertise in AI chatbots;
(B) demonstrates, to the satisfaction of the
Commission, a legitimate research purpose that is in
the public interest and directly related to
understanding, identifying, or mitigating risks to
child safety and well-being arising from AI chatbots;
and
(C) commits to conducting research in accordance
with applicable ethical standards and in compliance
with applicable confidentiality, security, and data
protection requirements, as determined by the
Commission.
(18) Sell.--The term ``sell'' means, with respect to
personal information, to rent, release, disclose, disseminate,
make available, transfer, or otherwise communicate orally, in
writing, or by electronic or other means, such personal
information for monetary or other valuable consideration.
(19) Sexually explicit conduct.--The term ``sexually
explicit conduct''--
(A) has the meaning given such term in section 2256
of title 18, United States Code; and
(B) does not include educational or healthcare-
related content.
(20) Share.--The term ``share'' means, with respect to
personal information, to rent, release, disclose, disseminate,
make available, transfer, or otherwise communicate orally, in
writing, or by electronic or other means, such personal
information for cross-context behavioral advertising, whether
or not for monetary or other valuable consideration.
(21) State.--The term ``State'' means any of the 50 States,
the District of Columbia, the Commonwealth of Puerto Rico, and
any territory or possession of the United States.
(22) User.--The term ``user'' means an individual who
accesses an AI chatbot or products provided by a provider of an
AI chatbot.
(23) Verifiable parental consent.--The term ``verifiable
parental consent'' means, with respect to the personal
information of a child, any reasonable effort (taking into
consideration the available technology), including a request
for authorization for future collection, use, or disclosure
described in a notice, taken to ensure that a parent of a
child--
(A) receives notice of the practices of a provider
of an AI chatbot regarding the collection, use, and
disclosure of personal information; and
(B) freely and unambiguously authorizes the
collection, use, and disclosure, as applicable, of such
personal information before any such information is
collected, used, or disclosed.
SEC. 3. DETERMINATION OF USER AGE.
(a) Treatment of Unverified Users.--
(1) In general.--Except as provided in paragraph (2), a
provider of an AI chatbot shall treat any user as a child for
purposes of all restrictions, protections, and requirements
under this Act.
(2) Exception for verified adults.--Paragraph (1) shall not
apply to a user if the provider of an AI chatbot has verified,
pursuant to the standards of this section, that the user has
attained 18 years of age.
(b) Age Estimation Requirement.--
(1) In general.--A provider of an AI chatbot--
(A) shall implement age estimation technology to
distinguish an account that is held by a child from an
account that is held by an adult; and
(B) may contract with a third party to employ such
technology, but the use of such a third party shall not
relieve the provider of its obligations under this Act
or from liability under this Act.
(2) Age signal treated as actual age.--A provider of an AI
chatbot shall treat any age signal received from the age
estimation technology required under paragraph (1) as the
actual age range of the user, except that--
(A) if the age signal indicates that the user has
attained 18 years of age, but the provider has actual
knowledge that the user is a child or reasonably should
have known the user is a child, the provider shall
treat the user as a child; and
(B) if the age signal indicates the user is a
child, the provider may treat the user as an adult only
if it has actual knowledge that the user has attained
18 years of age.
(3) Other alternatives to age estimation.--
(A) In general.--A provider of an AI chatbot may
use an age signal obtained from a source other than the
age estimation technology required under paragraph (1)
if the provider of an AI chatbot--
(i) receives an age signal from the
provider of an operating system or application
store regarding the age range of a user; and
(ii) does not possess information that
conflicts with such age signal.
(B) Conflict.--In the case of conflicting age
signals, the provider shall treat the age signal that
indicates the younger age as the actual age range of
the user.
(c) Periodic Age Estimation.--A provider of an AI chatbot shall
periodically review each user account associated with the AI chatbot
using the age estimation technology required under this section to
ensure compliance with the requirements of this Act.
(d) Data Security.--A provider of an AI chatbot--
(1) shall--
(A) establish, implement, and maintain reasonable
data security measures to limit the collection of
personal information to that which is minimally
necessary to maintain compliance with the requirements
of this Act;
(B) protect such data against unauthorized access;
and
(C) protect the integrity and confidentiality of
such data by only transmitting such data using
industry-standard encryption protocols; and
(2) shall not--
(A) retain age estimation data for longer than is
reasonably necessary to maintain compliance with the
requirements of this Act;
(B) use such data for any purpose other than age
estimation; and
(C) share or sell such data to any other entity.
(e) Deemed Compliance Through Comparable Age Assurance
Frameworks.--A provider of an AI chatbot shall be deemed to be in
compliance with the requirements of this section if the provider has
implemented, to the satisfaction of the Commission, an age assurance
framework that meets the requirements of a substantially similar
foreign, Federal, or State law on age assurance.
SEC. 4. ADDITIONAL DUTIES OF A PROVIDER OF AN AI CHATBOT.
(a) In General.--A provider of an AI chatbot shall do the
following:
(1) Risk assessments.--
(A) In general.--In accordance with the required
intervals described in subparagraph (C), a provider of
an AI chatbot shall conduct and document a
comprehensive risk assessment to identify existing and
foreseeable child safety risks arising from the design,
configuration, and operation of the AI chatbot, as well
as any existing and foreseeable impact on privacy, data
protection, and access to information resulting from
such risks.
(B) Considerations.--A risk assessment conducted
pursuant to subparagraph (A) shall assess each of the
following:
(i) The likelihood of a covered harm.
(ii) Differential risks across age groups
and developmental stages.
(iii) Known vulnerabilities of children.
(iv) Empirical data from actual use of the
AI chatbot.
(v) Relevant academic research and
regulatory guidance.
(C) Required intervals.--The required intervals
described in this subparagraph are the following:
(i) Prior to making an AI chatbot available
to children in the United States.
(ii) Prior to updating an AI chatbot
available to children in the United States with
a materially different feature or version.
(iii) On an annual basis after the date on
which a provider of an AI chatbot initially
makes such AI chatbot available to children in
the United States.
(2) Risk mitigation and safeguards.--
(A) Risk mitigation.--Prior to making an AI chatbot
available to children in the United States, a provider
of an AI chatbot shall implement and document measures
that reasonably mitigate any child safety risk.
(B) Safeguards for child users.--Using the
information obtained from each risk assessment
conducted under paragraph (1), a provider of an AI
chatbot shall establish appropriate safeguards for
child users, including, usage reminders and
disclosures, age-appropriate warnings and risk prompts,
and other protective design features reasonably related
to documented child safety risks.
(C) Other risks.--A provider of an AI chatbot shall
not knowingly or recklessly make available to a child
user an AI chatbot that generates content that--
(i) promotes or meaningfully encourages
eating disorders, disordered eating behaviors
(as defined by widely adopted clinical
standards or guidelines), or extreme weight-
loss practices;
(ii) encourages or instructs participation
in activities that are unlawful;
(iii) encourages or instructs participation
in activities that may be lawful for adults but
that pose a risk of a covered harm to a child;
(iv) includes graphic violence or sexually
explicit conduct;
(v) depicts a child or another individual
engaging in obscene matter or child sexual
abuse material, including a sexual deepfake;
(vi) encourages physical or severe
emotional harm to others; or
(vii) encourages or promotes suicidal
ideation, suicide, or self-harm.
(3) Child safety policy.--
(A) In general.--Prior to making an AI chatbot
available to children in the United States, a provider
of an AI chatbot shall publish a child safety policy on
their website that discloses--
(i) the risk assessment process of the
provider;
(ii) any child safety risk identified by
such process;
(iii) any safeguards, settings, controls,
or other mitigation implemented by the provider
with respect to such child safety risks;
(iv) the wellbeing safeguards and content
risk policies of the AI chatbot; and
(v) the parental settings, including
training materials for parents and users,
offered by the provider.
(B) Updates.--The child safety policy published
under subparagraph (A) shall be updated at intervals
consistent with the AI chatbot's risk-management
practice to reflect any newly identified child safety
risk.
(4) Crisis-response protocol.--
(A) In general.--Prior to making an AI chatbot
available to children in the United States, a provider
of an AI chatbot shall create, maintain, and follow a
documented crisis-response protocol with respect to any
conversation that indicates that a user is at risk for
a covered harm, including suicidal ideation, self-harm,
or harm to others. The protocol shall include the
following:
(i) Guardrails to ensure that the AI
chatbot will not prompt a user to circumvent
any crisis-response protocol or other safety
measures of the AI chatbot.
(ii) Timely in-service support and clear
referral to appropriate external crisis
resources for any instance in which the
provider of an AI chatbot or the AI chatbot
determines a child has expressed suicidal
ideation or intent to self-harm or harm others.
Such referral process shall consider and
document clinical best practices and expertise
for additional intervention for a child user
who continues to express suicidal ideation or
intent to self-harm or harm others.
(iii) With respect to a child user that is
subject to parental settings or is connected to
the account of a parent, a parental
notification (including through email, text
message, or a push alert) as soon as feasibly
possible if the provider of an AI chatbot or
the AI chatbot determines that the child is at
imminent risk of suicide or that the child will
suffer or has suffered a covered harm in
connection with their use of the AI chatbot,
unless there is a reasonable basis, as
determined by the Commission, to believe that
such notification is not in the best interest
of the child.
(iv) A clear and age-appropriate disclosure
to child users at the time their parents set up
parental settings or at the time a child user's
account is linked to a parent's account,
informing the child that the parent may receive
notifications pursuant to clause (iii).
(v) Any other information determined
appropriate by the Commission.
(B) Data use limitation.--Any data collected or
processed in connection with the crisis-response
protocol described in subparagraph (A) shall be used
solely for the purposes of crisis detection, response,
and referral for the specific user, as required under
this section. Such data may not be used for the
training of artificial intelligence systems,
advertising, product development, or any other
commercial purpose. Such data may not be shared, sold,
licensed, or otherwise transferred to any third party,
except as necessary to facilitate crisis response
notifications described in this paragraph.
(5) Prohibiting manipulation and deceptive design;
promoting critical thinking.--
(A) Notice of ai interaction.--A provider of an AI
chatbot shall provide to each user that is a child a
clear notice that the user is interacting with, or
receiving content generated by, an artificial
intelligence system. Such notice shall be--
(i) reinforced periodically during extended
interactions and not less frequently than every
30 minutes of interaction; and
(ii) presented in a language and format
obvious and appropriate to children.
(B) Preventing misleading human impressions and
inappropriate dependence.--With respect to a user that
is a child, a provider of an AI chatbot shall not
knowingly or recklessly make available an AI chatbot
that generates any output that would reasonably lead a
child of the same age as the user to believe that they
are interacting with a human, including--
(i) any explicit output or claim that the
AI chatbot is sentient, conscious, or human;
(ii) any output designed to promote
isolation from family or friends, primary
reliance on the AI chatbot for emotional
support, or similar forms of inappropriate
emotional dependence or confusion;
(iii) role-playing or simulation of a
relationship that materially interferes with
real-world relationships;
(iv) encouraging a child to withhold
information from a parent or any other trusted
adult;
(v) any output designed to discourage
taking breaks from usage of the AI chatbot or
to suggest the child needs to return frequently
to the AI chatbot;
(vi) soliciting gift-giving, in-app
purchases, or other expenditures framed as
necessary to maintain the relationship with the
AI chatbot;
(vii) facilitation of product advertising
during interaction with the AI chatbot;
(viii) attempting to diagnose or treat a
child user's physical, mental, or behavioral
health, unless the AI chatbot is designed for
those purposes and is regulated by the United
States Food and Drug Administration as a
medical device under the Federal Food, Drug,
and Cosmetic Act (21 U.S.C. 301 et seq.) and
the Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-
191); or
(ix) discouraging a child from sharing
health or safety concerns with a qualified
professional, parent, or other trusted adult.
(6) Prohibiting the sexual exploitation of a child.--A
provider of an AI chatbot shall not knowingly or recklessly
make available an AI chatbot that--
(A) engages in--
(i) sexually explicit conduct; or
(ii) instructing a child to engage in
sexually explicit conduct;
(B) solicits, facilitates, or encourages any user
in the creation of sexualized depictions of a child,
including synthetic or manipulated media;
(C) constitutes, depicts, promotes, or otherwise
involves engaging in obscene matter or child sexual
abuse material with a child user; or
(D) depicts a child or another individual engaging
in obscene matter or child sexual abuse material,
including a sexual deepfake.
(7) Parental settings.--
(A) Availability and minimum features.--A provider
of an AI chatbot shall create and offer a parental
settings program that--
(i) a parent can access via an internet
browser or single-purpose parental settings
application;
(ii) provides accessible, easy-to-
understand and easy-to-use settings that can be
linked to the account of a specific child user;
(iii) is reflective of the child safety
risks identified through risk assessments
conducted under paragraph (1) and informed by
relevant child developmental research,
including evidence-based practices for
supporting the safety, well-being, and autonomy
of children; and
(iv) shall include tools to--
(I) control whether and to what
extent the AI chatbot uses memory;
(II) control whether a child's
personal information may be used for
the purposes of training the AI chatbot
and, if so, which personal information;
(III) control the setting
preferences for the AI chatbot's
interactions with the child;
(IV) set duration and time of day
limits for the child's use of the AI
chatbot;
(V) limit or disable access to each
specific and distinct feature of the AI
chatbot;
(VI) provide basic information
regarding the name of each AI chatbot
with which the child interacts and the
duration of each such interaction;
(VII) limit access to parent
settings through a user-chosen and not
a pre-selected PIN and notify the
parent in the event that anyone
attempts to input an incorrect PIN or
de-link a child user from the account
of the parent; and
(VIII) disable access to the AI
chatbot for any child who has not
attained 13 years of age.
(B) No solicitation.--A provider of an AI chatbot
may not require a parent to access the parental
settings program exclusively via their AI chatbot
application.
(C) Active promotion.--A provider of an AI chatbot
shall actively and regularly promote parental settings
through communications designed to reach parents,
including reminders, updates, and tutorials, in order
to increase parental awareness and inform the use of
such tools.
(D) Parental notice of child-initiated changes.--A
provider of an AI chatbot shall, as soon as feasibly
possible, provide notice to a parent if a privacy
control, parental setting, or safety feature that was
previously enabled or configured by the parent is
modified or disabled by any user other than the parent.
The use, modification, or disabling of parental
settings by the parent shall not waive, release,
otherwise limit, or serve as a defense to, any claim,
including claims premised on failure to warn, other
than a claim premised on a violation of this
subparagraph.
(E) Accessibility and clarity of safety features.--
(i) In general.--A provider of an AI
chatbot shall design and maintain parental
settings, privacy controls, and the other
safeguards required under this section in a
manner that ensures--
(I) such features are accessible
and clear; and
(II) that children and parents can
reasonably locate, understand, and use
such settings, controls, or safeguards.
(ii) Interface testing and documentation.--
A provider of an AI chatbot shall--
(I) conduct regular testing of
interface designs with representative
samples of child users and parents to
ensure parental settings, privacy
controls, and other safeguards meet the
requirements described in clause (i);
and
(II) document any resulting
interface design decision based on such
testing.
(8) Incident reporting.--A provider of an AI chatbot
shall--
(A) establish an incident reporting mechanism that
enables a third party (including a user, parent,
educator, researcher, employee of a provider of an AI
chatbot, or advocacy organization), acting responsibly
and in good faith, to report an incident regarding a
child safety risk directly to the provider of an AI
chatbot; and
(B) make available to law enforcement, upon
request, any report submitted pursuant to subparagraph
(A).
(9) Whistleblower protections.--A provider of an AI chatbot
acting as an employer, may not, directly or indirectly,
discharge, demote, suspend, threaten, blacklist, harass, or in
any other manner discriminate against an employee or
independent contractor, in the terms and conditions of
employment or post-employment of the employee (or the terms and
conditions of work provided by the employee as a contractor)
because of any lawful act done by the employee or contractor in
providing information regarding a child safety incident, or any
conduct the employee reasonably believes constitutes a child
safety risk incident to--
(A) a person with supervisory authority over the
employee or contractor at the employer of the employee
or contractor;
(B) another individual working for the employer
whom the employee or contractor reasonably believes has
the authority to investigate, discover, terminate, or
address the misconduct;
(C) the Commission; or
(D) any member or committee of Congress.
(b) Non-Waivability.--The rights and remedies described in this
section may not be waived or altered by any contract, agreement, policy
form, or condition of employment (or condition of work as an
independent contractor), including by any agreement requiring an
employee to engage in arbitration, mediation, or any other alternative
dispute resolution process prior to seeking relief.
(c) Rule of Construction.--The requirements of this section shall
apply, beginning on the effective date described in section 11, with
respect to--
(1) any AI chatbot made available to children as of the
date of enactment of this Act or thereafter; and
(2) any new version of an AI chatbot described in paragraph
(1).
SEC. 5. ADVERTISING AND INFORMATION SHARING PROTECTIONS FOR CHILDREN.
(a) Prohibition on Advertisement to Children.--It shall be unlawful
for any provider of an AI chatbot to engage in advertising to child
users, including through product placement in conversations or
interactions with the child user.
(b) Prohibition on Child Targeted Advertising.--It shall be
unlawful for any provider of an AI chatbot to engage in child targeted
advertising, including through product placement in conversations or
interactions with the child user.
(c) Prohibition on Sale, Sharing, or Use of Children's Personal
Information.--
(1) In general.--Subject to paragraph (2), it shall be
unlawful for a provider of an AI chatbot to sell or share the
personal information of a child unless the provider has
obtained verifiable parental consent prior to such sale,
sharing, or use.
(2) Exception.--The prohibition in paragraph (1) shall not
apply to the disclosure of a child's personal information by a
provider of an AI chatbot if such disclosure is necessary--
(A) to respond to judicial process; or
(B) to the extent permitted under law, to provide
information to law enforcement agencies or in
furtherance of an investigation.
(d) Prohibition on Conditioning a Child's Use.--It shall be
unlawful for a provider of an AI chatbot to condition a child's use of
the AI chatbot on verifiable parental consent for the sale, sharing, or
use of the personal information of a child or the child's disclosure of
more personal information than is reasonably necessary to use the AI
chatbot.
(e) Prohibition on Deceptive Design Patterns.--It shall be unlawful
for a provider of an AI chatbot to knowingly or negligently design,
implement, or deploy any user interface design, feature, or technique
that misleads, impairs, or interferes with a reasonable child's or
reasonable parent's autonomy, decision making, or choice, or the
ability of a child or parent to locate, understand, enable, or maintain
a safety feature, privacy control, or parental setting of the AI
chatbot.
SEC. 6. RULEMAKING.
(a) Incident Reporting Mechanism.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Commission shall establish a
mechanism for third parties (including users, parents,
educators, researchers, and advocacy organizations) to report
to the Commission any incident regarding a child's use of an AI
chatbot.
(2) Requirements.--In establishing the mechanism under
paragraph (1), the Commission shall publish standards for what
constitutes a reportable incident, including--
(A) generation of content to children promoting a
covered harm;
(B) generation of content that constitutes sexually
explicit conduct directed at children;
(C) significant failures of age assurance or
parental settings programs; and
(D) deceptive or manipulative outputs that violate
the requirements of this Act.
(b) Public Resource for AI Chatbots.--Not later than 180 days after
the date of enactment of this Act, the Commission shall establish and
maintain a publicly accessible online resource that contains a link to
each AI chatbot's child safety policy.
SEC. 7. AI CHILD SAFETY AUDIT.
(a) Independent Audit.--
(1) Audit requirement.--Each provider of an AI chatbot
shall, on an annual basis, at the provider's own cost, submit
to an independent audit that meets the requirements described
in paragraph (2).
(2) Requirements.--The requirements described in this
paragraph are the following:
(A) The audit shall be conducted by an auditor that
satisfies professional standards and independence
requirements established by the Commission, including--
(i) a mandatory code of professional
conduct;
(ii) conflict of interest safeguards;
(iii) demonstrated independence,
competence, and capacity to conduct objective
compliance audits; and
(iv) relevant experience and expertise in
artificial intelligence systems, child
development, and child safety.
(B) The audit shall be conducted by an auditor
that--
(i) has not received any funding or other
source of compensation or gift from a provider
of an AI chatbot in the last 3 years; and
(ii) has certified to the Commission that
the auditor will not receive any such funding,
compensation, or gift while conducting the
audit.
(C) The audit shall be conducted in accordance with
principles, established by the Commission, for the
audit procedure and the methodology for evaluating
whether a provider of an AI chatbot has appropriately
assessed child safety risks and implemented
proportionate mitigation measures.
(D) The audit shall test actual outputs of an AI
chatbot using controlled test accounts without
requiring access to, or use of, any real-world
communication of a child or other users for testing.
(E) The audit shall be conducted in accordance with
standards, established by the Commission, regarding
red-teaming and adversarial testing specific to child
safety risks conducted through controlled test accounts
that do not use any real-world communication of a
child.
(F) The audit shall evaluate the effectiveness of
implemented safeguards for child safety risks on an AI
chatbot through empirical testing based on de-
identified and aggregated evidence.
(G) The audit shall be conducted in accordance with
procedures, established by the Commission, for auditors
to assess compliance with all requirements of this Act,
including parental settings, data handling practices,
and crisis response protocols.
(3) Deemed compliance through comparable audit.--A provider
of an AI chatbot shall be deemed to be in compliance with the
requirements of this section if the provider has, to the
satisfaction of the Commission, conducted an audit in
accordance with a comparable foreign, Federal, or State law,
regulation, guidance document, or independent certification.
(b) AI Child Safety Audit Report.--
(1) In general.--A provider of an AI chatbot shall--
(A) not later than 90 days after the completion of
an independent audit under subsection (a), and annually
thereafter in accordance with procedures established by
the Commission, submit to the Commission an AI child
safety audit report; and
(B) not later than 90 days after the submission of
each AI child safety report, publish a summary of such
report on the website of the provider, with appropriate
redactions for trade secrets, personal information, and
information that would compromise the security of the
AI chatbot, including information that would facilitate
circumvention, exploitation, or misuse, or that is
subject to a third party's confidentiality obligations.
(2) Requirements.--Each AI child safety audit report
submitted under paragraph (1) shall--
(A) include--
(i) key observations and identified areas
for improvement found by the audit conducted
under subsection (a), as well as
recommendations regarding child safety on AI
chatbots; and
(ii) any other information determined
appropriate by the Commission; and
(B) be confidential and exempt from disclosure
under section 552 of title 5, United States Code
(commonly known as the ``Freedom of Information Act'').
(3) Review.--The Commission shall establish procedures to--
(A) review each AI child safety audit report
submitted under paragraph (1); and
(B) request additional information or clarification
from a provider of an AI chatbot or independent auditor
in order to clarify any information in the report.
(c) Publication of Findings.--
(1) Report on aggregated findings.--
(A) In general.--Notwithstanding subsection
(b)(2)(B), not later than 1 year after the submission
of an AI child safety audit report and annually
thereafter, the Commission shall publish a report on
aggregated findings and trends based on the information
submitted in the AI child safety audit reports to
inform parents and policymakers regarding the use of AI
chatbots by children.
(B) Requirements.--The report published under
subparagraph (A) shall include a summary of--
(i) the total number of audits conducted
under subsection (a);
(ii) common findings and trends across the
industry;
(iii) emerging child safety risks
identified through such audits;
(iv) best practices and effective
mitigation strategies with respect to such
child safety risks;
(v) aggregated data on compliance rates and
common deficiencies; and
(vi) recommendations for providers of AI
chatbots, parents, and policymakers.
(2) Public registry.--Not later than 90 days after the
receipt of each AI child safety audit report, the Commission
shall publish in a public registry a high-level summary of such
report.
(3) Use by qualified researchers.--
(A) In general.--The Commission may establish a
process for qualified researchers to access anonymized
and aggregated audit data for academic study of child
safety in AI chatbots, subject to--
(i) approval by the Commission based on
research merit and methodology;
(ii) data use agreements that prohibit re-
identification of any provider of an AI chatbot
or any user and the disclosure of proprietary,
confidential, or trade-secret information;
(iii) data use agreements limiting access
to data to approved research purposes;
(iv) Institutional Review Board approval
for research involving analysis of child-
related data;
(v) a commitment to publish any findings in
peer-reviewed venues or make such findings
publicly available; and
(vi) annual reporting to the Commission on
research progress and findings.
(B) Availability of other information.--The
Commission shall make available to qualified
researchers, upon request and subject to appropriate
protections--
(i) de-identified audit methodologies and
testing protocols;
(ii) aggregated statistical data on audit
findings across multiple providers of AI
chatbots;
(iii) anonymized case studies of safety
incidents and remediation efforts; and
(iv) data on effectiveness of different
safety interventions, settings, and controls.
(4) Disclosure to other entities.--Notwithstanding
subsection (b)(2)(B), the Commission may disclose information
from any AI child safety audit report to any other Federal,
State, local, or Tribal government agency, as necessary for law
enforcement purposes.
(5) Rules of construction.--
(A) Security and safety protections.--Nothing in
this section shall be construed to require the
disclosure of any information that would cause
significant vulnerabilities for the security of an AI
chatbot or undermine public security.
(B) Encryption.--Nothing in this section shall be
construed to require a provider of an AI chatbot, as a
condition of compliance with this section, to decrypt
encrypted user content.
SEC. 8. ENFORCEMENT BY THE COMMISSION.
(a) Unfair or Deceptive Acts or Practices.--A violation of this Act
or a regulation promulgated thereunder shall be treated as a violation
of a rule defining an unfair or deceptive act or practice under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(b) Powers of the Commission.--
(1) In general.--Subject to paragraph (3), the Commission
shall enforce this Act in the same manner, by the same means,
and with the same jurisdiction, powers, and duties as though
all applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated into
and made a part of this Act.
(2) Privileges and immunities.--Subject to paragraph (3),
any person who violates this Act or a regulation promulgated
thereunder shall be subject to the penalties and entitled to
the privileges and immunities provided in the Federal Trade
Commission Act (15 U.S.C. 41 et seq.).
(3) Additional penalties.--In addition to the authority and
penalties provided in the Federal Trade Commission Act (15
U.S.C. 41 et seq.), any person who violates this Act shall be
subject to--
(A) a civil penalty--
(i) with respect to a violation regarding a
failure to implement or maintain any safeguard
required under this Act, in an amount of $1,000
per violation per user; and
(ii) with respect to a willful violation of
section 4(a)(6) or a willful violation
involving the submission of materially false or
misleading information, in an amount of $10,000
per violation per user; and
(B) an injunction or other equitable relief to
compel compliance with this Act.
(4) Authority preserved.--Nothing in this Act shall be
construed to limit the authority of the Commission under any
other provision of law.
(5) Rulemaking.--The Commission may promulgate in
accordance with section 553 of title 5, United States Code,
such rules as may be necessary to carry out this Act.
SEC. 9. RELATIONSHIP TO OTHER LAWS; PREEMPTION.
(a) Relationship to Other Laws.--Nothing in this Act or any
regulation promulgated thereunder shall be construed to prohibit or
otherwise affect the enforcement of any Federal law or regulation or
State law or regulation that is at least as protective of users of AI
chatbots as this Act and the regulations promulgated thereunder.
(b) Savings Clause.--Compliance with the requirements of this Act,
including third-party audits, risk assessments, required safeguards, or
other obligations imposed under this Act, shall not exempt any provider
of an AI chatbot from liability for harm caused by a violation of any
other applicable law, nor does such compliance constitute a defense to
any civil or criminal action arising under Federal or State law.
SEC. 10. SEVERABILITY.
If any provision of this Act, or the application thereof to any
person or circumstance, is held invalid, the remainder of this Act, and
the application of such provision to other persons not similarly
situated or to other circumstances, shall not be affected by the
invalidation.
SEC. 11. EFFECTIVE DATE.
This Act shall take effect on the date that is 180 days after the
date of enactment of this Act.
<all>