Florida Senate - 2025 SB 1438
By Senator Grall
29-00966A-25 20251438__
1 A bill to be entitled
2 An act relating to online access to materials harmful
3 to minors; creating s. 282.803, F.S.; defining terms;
4 requiring a developer to, beginning on a specified
5 date, make specific determinations about covered
6 applications, provide notice to application stores
7 about such applications, and provide certain features
8 for parents to protect a user that is a child;
9 requiring a covered manufacturer to, beginning on a
10 specified date, take certain steps to determine
11 specified information about the user, provide certain
12 notices, and provide developers of covered
13 applications with a specified means to verify the age
14 of a user; providing requirements for devices sold
15 before a specified date; providing construction;
16 requiring an application store to establish
17 nondiscriminatory practices; providing for enforcement
18 actions by the Attorney General; providing an
19 affirmative defense; providing a limitation on
20 liability for a covered manufacturer under certain
21 circumstances; amending s. 501.1737, F.S.; revising
22 definitions and defining terms; revising the age
23 verification method used by certain commercial
24 entities to verify the age of a person accessing
25 certain material; providing an exception; requiring a
26 covered manufacturer to ensure certain statutory
27 requirements are met; authorizing the Department of
28 Legal Affairs to bring an action against covered
29 manufacturers; authorizing the imposition of civil
30 penalties against covered manufacturers; removing
31 certain liability and damage provisions for certain
32 commercial entities; deleting provisions relating to
33 public records exemptions and the Open Government
34 Sunset Review Act; removing the definition of the term
35 “proprietary information”; conforming provisions to
36 changes made by the act; creating s. 501.1741, F.S.;
37 requiring covered manufacturers to take certain steps
38 upon activation of a device; requiring certain
39 websites, applications, or online services to take
40 certain actions based on the amount of material
41 harmful to minors found on such website, application,
42 or online service; requiring covered manufacturers to
43 comply with statutory requirements in a
44 nondiscriminatory manner; prohibiting covered
45 manufacturers from taking certain actions; authorizing
46 the Department of Legal Affairs to adopt rules and
47 regulations; providing preemption; providing an
48 effective date.
49
50 Be It Enacted by the Legislature of the State of Florida:
51
52 Section 1. Section 282.803, Florida Statutes, is created to
53 read:
54 282.803 Online application store.—
55 (1) As used in this section, the term:
56 (a) “Application store” means a publicly available website,
57 software application, or online service that distributes third
58 party platform software applications to a computer, a mobile
59 device, or any other general purpose computing device.
60 (b) “Child” means an individual consumer under 18 years of
61 age.
62 (c) “Covered application” means a software application,
63 website, or other online service that is likely to be accessed
64 by children and that is intended to be run or directed by a user
65 on a computer, mobile device, or any other general purpose
66 computing device. The term does not include a broadband Internet
67 access service as defined in 47 C.F.R. s. 8.1(b); a
68 telecommunications service as defined in 47 U.S.C. s. 153; or
69 the delivery or use of a physical product unconnected to the
70 Internet.
71 (d) “Covered entity” means a covered manufacturer or
72 developer of a covered application.
73 (e) “Covered manufacturer” means a manufacturer of a
74 device, an operating system for a device, or an application
75 store.
76 (f) “Developer” means any person, entity, or organization
77 that creates, owns, or controls an application and is
78 responsible for the design, development, maintenance, and
79 distribution of the application to users through an application
80 store.
81 (g) “Device” means a device or a portion of a device that
82 is designed for and capable of communicating across a computer
83 network with other computers or devices for the purpose of
84 transmitting, receiving, or storing data, including, but not
85 limited to, a desktop, a laptop, a cellular telephone, a tablet,
86 or any other device designed for and capable of communicating
87 with or across a computer network and that is used for such
88 purpose. The term does not include cable, fiber, or wireless
89 modems, and home routers whether standalone or combined with the
90 aforementioned modems; managed set-top boxes; and any physical
91 object that only supports communications within a closed user
92 group or private network available to a limited set of users.
93 (h) “Likely to be accessed by children” means it is
94 reasonable to expect that an application would be accessed by
95 children, based on satisfying any of the following criteria:
96 1. The application is determined, based on competent and
97 reliable evidence regarding audience composition, to be
98 routinely accessed by children; or
99 2. Internal research findings determine that the
100 application is routinely accessed by children.
101 (i) “Parent” means a biological, foster, or adoptive
102 parent; a stepparent; or a legal guardian.
103 (j) “User” means an individual consumer of covered
104 applications.
105 (2) Beginning January 1, 2026:
106 (a) A developer of a covered application shall:
107 1. Determine whether an application the developer provides
108 is likely to be accessed by children and, if the application is
109 provided for distribution via an application store, provide
110 notice to such application store that the application is likely
111 to be accessed by children.
112 2. To the extent applicable and technically feasible,
113 provide readily available features for parents to protect a user
114 that is a child as appropriate to the risks that arise from the
115 child’s use of the developer’s covered application. This
116 includes providing features to help manage which accounts are
117 affirmatively linked to the user under the age of 18, to help
118 manage the delivery of age appropriate content, and to limit the
119 amount of time that the user under the age of 18 spends daily on
120 the developer’s covered application.
121 (b) A covered manufacturer shall take commercially
122 reasonable and technically feasible steps to:
123 1. Upon initial activation of a device, determine or
124 estimate the age of the device’s primary user.
125 2. If the covered manufacturer is an application store:
126 a. Provide a mechanism for a developer to provide notice
127 that an application is likely to be accessed by children.
128 b. Obtain parental consent before permitting a known child
129 under 16 years of age to download a covered application from the
130 application store.
131 c. Provide developers of covered applications in the
132 application store a signal regarding whether a parent has
133 provided consent when required under this subsection.
134 d. Provide the parent with the option to connect the
135 developer of such a covered application with the approving
136 parent for the purpose of facilitating parental supervision
137 tools.
138 3. Provide developers of covered applications with a
139 digital signal via a real time application programming interface
140 regarding whether a user is:
141 a. Under 13 years of age.
142 b. At least 13 years of age and under 16 years of age.
143 c. At least 16 years of age and under 18 years of age.
144 d. At least 18 years of age.
145 4. Developers of covered applications may rely on age
146 signals and parental consent provided under subparagraph 2. for
147 purposes of complying with this paragraph.
148 (c) For devices sold before January 1, 2026, covered
149 manufacturers shall ensure that the requirements under paragraph
150 (b) are included in its operating system and app store versions
151 and updates by default after January 1, 2027.
152 (3)(a) Except for the requirements provided in subparagraph
153 (2)(b)2., this section does not:
154 (b) Require a covered entity to access, collect, retain,
155 reidentify, or link information, that in the ordinary course of
156 business, would not otherwise be accessed, collected, retained,
157 reidentified, or linked.
158 (c) Require a covered entity to implement new account
159 controls or safety settings if it is not necessary to comply
160 with this act.
161 (d) Modify, impair, or supersede the operation of any
162 antitrust law, including chapter 1331 of the Revised Code and 15
163 U.S.C. ss. 1 et seq.
164 (4) An application store shall comply with this section in
165 a nondiscriminatory manner, including:
166 (a) Imposing at least the same restrictions and obligations
167 on its own applications and application distribution as it does
168 on those from third-party applications or application
169 distributors;
170 (b) Not using data collected from third parties, or consent
171 mechanisms deployed for third parties, in the course of
172 compliance with this subsection, for any of the following:
173 1. To compete against those third parties.
174 2. To give the application store’s services preference
175 relative to those of third parties.
176 3. To otherwise use the data or consent mechanism in an
177 anticompetitive manner.
178 (5)(a) At least 45 days before the date on which the
179 Attorney General initiates an enforcement action against a
180 covered entity that is subject to the requirements of this
181 section, the Attorney General shall provide the covered entity
182 with a written notice that identifies each alleged violation and
183 an explanation of the basis for each allegation.
184 (b) The Attorney General may not initiate an action if the
185 covered entity cures the violation or violations described in
186 the notice within 45 days after the notice is sent and provides
187 the Attorney General with a written statement indicating that
188 the violation is cured and that no further violations will
189 occur.
190 (c) If a covered entity continues to violate this section
191 in breach of an express written notice provided under paragraph
192 (6)(a), the Attorney General may bring a civil action and seek
193 damages for up to $2,500 per violation of this section not to
194 exceed $50,000. Damages shall begin accruing after completion of
195 the 45-day cure period in paragraph (6)(b).
196 (d) This subsection does not provide a private right of
197 action. The Attorney General has the exclusive authority to
198 enforce this section.
199 (e) Paragraph (a) does not apply if the covered entity
200 fails to timely cure all of the violations described in the
201 notice or commits a subsequent violation of the same type after
202 curing the initial violation under that paragraph.
203 (6) It is an affirmative defense to a violation of this
204 section if the developer acted in reasonable reliance on the
205 application store’s determination or estimate that the user is
206 not a child.
207 (7) A covered manufacturer is not subject to liability for
208 failure to comply with this section if that covered manufacturer
209 has taken commercially reasonable and technically feasible steps
210 to determine or estimate the age of the user of the device as
211 provided in paragraph (2)(b).
212 Section 2. Section 501.1737, Florida Statutes, is amended
213 to read:
214 501.1737 Age verification for online access to materials
215 harmful to minors.—
216 (1) As used in this section and s. 501.1741, the term:
217 (a) “Anonymous age verification” has the same meaning as in
218 s. 501.1738.
219 (b) “Application store” means a publicly available website,
220 software application, or online service that distributes third
221 party platforms’ software applications to a computer, a mobile
222 device, or any other general-purpose computing device.
223 (c)(b) “Commercial entity” includes a corporation, a
224 limited liability company, a partnership, a limited partnership,
225 a sole proprietorship, and any other legally recognized entity.
226 (d) “Covered manufacturer” means a manufacturer of a
227 device, an operating system for a device, or an application
228 store.
229 (e)(c) “Department” means the Department of Legal Affairs.
230 (f) “Device” means equipment or a portion of equipment that
231 is designed for and capable of communicating across a computer
232 network with other computers or devices for the purpose of
233 transmitting, receiving, or storing data, including, but not
234 limited to, a desktop, a laptop, a cellular telephone, a tablet,
235 or any other device designed for and capable of communicating
236 with or across a computer network and that is used for such
237 purpose.
238 (g) “Digital age verification” means either anonymous age
239 verification, standard age verification, or device-based age
240 verification.
241 (h)(d) “Distribute” means to issue, sell, give, provide,
242 deliver, transfer, transmit, circulate, or disseminate by any
243 means.
244 (i)(e) “Material harmful to minors” means any material
245 that:
246 1. The average person applying contemporary community
247 standards would find, taken as a whole, appeals to the prurient
248 interest;
249 2. Depicts or describes, in a patently offensive way,
250 sexual conduct as specifically defined in s. 847.001(19); and
251 3. When taken as a whole, lacks serious literary, artistic,
252 political, or scientific value for minors.
253 (j)(f) “News-gathering organization” means any of the
254 following:
255 1. A newspaper, news publication, or news source, printed
256 or published online or on a mobile platform, engaged in
257 reporting current news and matters of public interest, and an
258 employee thereof who can provide documentation of such
259 employment.
260 2. A radio broadcast station, television broadcast station,
261 cable television operator, or wire service, and an employee
262 thereof who can provide documentation of such employment.
263 (k) “Operating system provider” means an entity that
264 develops, distributes, or maintains the operating system of, and
265 provides common services for, a device. The term includes the
266 design, programming, and supply of operating systems for various
267 devices such as smartphones, tablets, and other digital
268 equipment.
269 (l)(g) “Publish” means to communicate or make information
270 available to another person or entity on a publicly available
271 website or application.
272 (m)(h) “Resident” means a person who lives in this state
273 for more than 6 months of the year.
274 (n)(i) “Standard age verification” means any commercially
275 reasonable method of age verification approved by the commercial
276 entity.
277 (o)(j) “Substantial portion” means more than 33.3 percent
278 of total material on a website or application.
279 (2) A commercial entity that knowingly and intentionally
280 publishes or distributes material harmful to minors on a website
281 or application, if the website or application contains a
282 substantial portion of material harmful to minors, must use
283 digital either anonymous age verification or standard age
284 verification to verify that the age of a person attempting to
285 access the material is 18 years of age or older and prevent
286 access to the material by a person younger than 18 years of age.
287 The commercial entity must offer anonymous age verification and
288 standard age verification, and a person attempting to access the
289 material may select which method will be used to verify his or
290 her age unless the commercial entity is relying on device-based
291 age verification pursuant to s. 501.1741.
292 (3) A commercial entity must ensure that the requirements
293 of s. 501.1738 are met unless the commercial entity is relying
294 on device-based age verification pursuant to s. 501.1741. A
295 covered manufacturer must ensure that the requirements of s.
296 501.1741 are met.
297 (4)(a) This section does not apply to any bona fide news or
298 public interest broadcast, website video, report, or event and
299 does not affect the rights of a news-gathering organization.
300 (b) An Internet service provider or its affiliates or
301 subsidiaries, a search engine, or a cloud service provider does
302 not violate this section solely for providing access or
303 connection to or from a website or other information or content
304 on the Internet or a facility, system, or network not under the
305 provider’s control, including transmission, downloading,
306 intermediate storage, or access software, to the extent the
307 provider is not responsible for the creation of the content of
308 the communication which constitutes material harmful to minors.
309 (5)(a) Any violation of subsection (2) or subsection (3) is
310 deemed an unfair and deceptive trade practice actionable under
311 part II of this chapter solely by the department on behalf of a
312 resident minor against a commercial entity or a covered
313 manufacturer. If the department has reason to believe that a
314 commercial entity or a covered manufacturer is in violation of
315 subsection (2) or subsection (3), the department, as the
316 enforcing authority, may bring an action against the commercial
317 entity or a covered manufacturer for an unfair or deceptive act
318 or practice. For the purpose of bringing an action pursuant to
319 this section, ss. 501.211 and 501.212 do not apply. In addition
320 to any other remedy under part II of this chapter, the
321 department may collect a civil penalty of up to $50,000 per
322 violation and reasonable attorney fees and court costs. When the
323 commercial entity’s or a covered manufacturer’s failure to
324 comply with subsection (2) or subsection (3) is a consistent
325 pattern of conduct of the commercial entity or covered
326 manufacturer, punitive damages may be assessed against the
327 commercial entity or covered manufacturer.
328 (b) A third party that performs age verification for a
329 commercial entity or covered manufacturer in violation of s.
330 501.1738 is deemed to have committed an unfair and deceptive
331 trade practice actionable under part II of this chapter solely
332 by the department against such third party. If the department
333 has reason to believe that the third party is in violation of s.
334 501.1738, the department, as the enforcing authority, may bring
335 an action against such third party for an unfair or deceptive
336 act or practice. For the purpose of bringing an action pursuant
337 to this section, ss. 501.211 and 501.212 do not apply. In
338 addition to other remedies under part II of this chapter, the
339 department may collect a civil penalty of up to $50,000 per
340 violation and reasonable attorney fees and court costs.
341 (c) A commercial entity that violates subsection (2) for
342 failing to prohibit access or prohibit a minor from future
343 access to material harmful to minors after a report of
344 unauthorized or unlawful access is liable to the minor for such
345 access, including court costs and reasonable attorney fees as
346 ordered by the court. Claimants may be awarded up to $10,000 in
347 damages. A civil action for a claim under this paragraph must be
348 brought within 1 year from the date the complainant knew, or
349 reasonably should have known, of the alleged violation.
350 (c)(d) Any action under this subsection may only be brought
351 on behalf of or by a resident minor.
352 (6) For purposes of bringing an action under subsection
353 (5), a commercial entity or covered manufacturer that publishes
354 or distributes material harmful to minors on a website or
355 application, if the website or application contains a
356 substantial portion of material harmful to minors and such
357 website or application is available to be accessed in this
358 state, is considered to be both engaged in substantial and not
359 isolated activities within this state and operating, conducting,
360 engaging in, or carrying on a business and doing business in
361 this state, and is therefore subject to the jurisdiction of the
362 courts of this state.
363 (7) This section does not preclude any other available
364 remedy at law or equity.
365 (8)(a) If, by its own inquiry or as a result of complaints,
366 the department has reason to believe that an entity or person
367 has engaged in, or is engaging in, an act or practice that
368 violates this section, the department may administer oaths and
369 affirmations, subpoena witnesses or matter, and collect
370 evidence. Within 5 days, excluding weekends and legal holidays,
371 after the service of a subpoena or at any time before the return
372 date specified therein, whichever is longer, the party served
373 may file in the circuit court in the county in which it resides
374 or in which it transacts business and serve upon the enforcing
375 authority a petition for an order modifying or setting aside the
376 subpoena. The petitioner may raise any objection or privilege
377 which would be available upon service of such subpoena in a
378 civil action. The subpoena shall inform the party served of its
379 rights under this subsection.
380 (b) If the matter that the department seeks to obtain by
381 subpoena is located outside the state, the entity or person
382 subpoenaed may make it available to the department or its
383 representative to examine the matter at the place where it is
384 located. The department may designate representatives, including
385 officials of the state in which the matter is located, to
386 inspect the matter on its behalf and may respond to similar
387 requests from officials of other states.
388 (c) Upon failure of an entity or person without lawful
389 excuse to obey a subpoena and upon reasonable notice to all
390 persons affected, the department may apply to the circuit court
391 for an order compelling compliance.
392 (d) The department may request that an entity or person
393 that refuses to comply with a subpoena on the ground that
394 testimony or matter may incriminate the entity or person be
395 ordered by the court to provide the testimony or matter. Except
396 in a prosecution for perjury, an entity or individual that
397 complies with a court order to provide testimony or matter after
398 asserting a valid privilege against self-incrimination shall not
399 have the testimony or matter so provided, or evidence derived
400 therefrom, received against the entity or person in any criminal
401 investigation or proceeding.
402 (e) Any entity or person upon whom a subpoena is served
403 pursuant to this section shall comply with the terms thereof
404 unless otherwise provided by order of the court. Any entity or
405 person that fails to appear with the intent to avoid, evade, or
406 prevent compliance in whole or in part with any investigation
407 under this part or that removes from any place, conceals,
408 withholds, mutilates, alters, or destroys, or by any other means
409 falsifies any documentary material in the possession, custody,
410 or control of any entity or person subject to any such subpoena,
411 or knowingly conceals any relevant information with the intent
412 to avoid, evade, or prevent compliance, shall be liable for a
413 civil penalty of not more than $5,000 per week in violation,
414 reasonable attorney fees, and costs.
415 (9)(a) All information held by the department pursuant to a
416 notification of a violation of this section or an investigation
417 of a violation of this section is confidential and exempt from
418 s. 119.07(1) and s. 24(a), Art. I of the State Constitution,
419 until such time as the investigation is completed or ceases to
420 be active. This exemption shall be construed in conformity with
421 s. 119.071(2)(c).
422 (b) During an active investigation, information made
423 confidential and exempt pursuant to paragraph (a) may be
424 disclosed by the department:
425 1. In the furtherance of its official duties and
426 responsibilities;
427 2. For print, publication, or broadcast if the department
428 determines that such release would assist in notifying the
429 public or locating or identifying a person whom the department
430 believes to be a victim of an improper use or disposal of
431 customer records, except that information made confidential and
432 exempt by paragraph (c) may not be released pursuant to this
433 subparagraph; or
434 3. To another governmental entity in the furtherance of its
435 official duties and responsibilities.
436 (c) Upon completion of an investigation or once an
437 investigation ceases to be active, the following information
438 held by the department shall remain confidential and exempt from
439 s. 119.07(1) and s. 24(a), Art. I of the State Constitution:
440 1. Information that is otherwise confidential or exempt
441 from s. 119.07(1) or s. 24(a), Art. I of the State Constitution.
442 2. Personal identifying information.
443 3. A computer forensic report.
444 4. Information that would otherwise reveal weaknesses in
445 the data security of the commercial entity.
446 5. Information that would disclose the proprietary
447 information of the commercial entity.
448 (d) For purposes of this subsection, the term “proprietary
449 information” means information that:
450 1. Is owned or controlled by the commercial entity.
451 2. Is intended to be private and is treated by the
452 commercial entity as private because disclosure would harm the
453 commercial entity or its business operations.
454 3. Has not been disclosed except as required by law or a
455 private agreement that provides that the information will not be
456 released to the public.
457 4. Is not publicly available or otherwise readily
458 ascertainable through proper means from another source in the
459 same configuration as received by the department.
460 5. Reveals competitive interests, the disclosure of which
461 would impair the competitive advantage of the commercial entity
462 that is the subject of the information.
463 (e) This subsection is subject to the Open Government
464 Sunset Review Act in accordance with s. 119.15 and shall stand
465 repealed on October 2, 2029, unless reviewed and saved from
466 repeal through reenactment by the Legislature.
467 (9)(10) The department may adopt rules to implement this
468 section.
469 Section 3. Section 501.1741, Florida Statutes, is created
470 to read:
471 501.1741 Device-based age verification.—
472 (1) Upon activation of a device, a covered manufacturer
473 must take commercially reasonable and technically feasible steps
474 to do all of the following:
475 (a) Determine or estimate the age of the user of the
476 device.
477 (b) Provide websites, applications, application stores, and
478 online services with a digital signal and a real-time
479 application programming interface to verify that a person is:
480 1. Younger than 13 years of age.
481 2. At least 13 years of age but younger than 16 years of
482 age.
483 3. At least 16 years of age but younger than 18 years of
484 age.
485 4. Eighteen years of age or older.
486 (c) If the covered manufacturer is an application store,
487 obtain parental or guardian consent before permitting a person
488 younger than 16 years of age to download an application from the
489 application store and provide the parent or guardian with the
490 option to connect the developer of the application with the
491 approving parent or guardian for the purpose of facilitating
492 parental supervision tools.
493 (d) Beginning July 1, 2026, ensure that the requirements of
494 this section are included by default in all operating systems
495 and application store versions and updates for devices sold
496 after July 1, 2026.
497 (2) A website, an application, or an online service that
498 makes available material harmful to minors must recognize and
499 allow for the receipt of digital age signals pursuant to this
500 section.
501 (3) A website, an application, or an online service that
502 makes available a substantial portion of material harmful to
503 minors must do all of the following:
504 (a) Block access to the website, application, or online
505 service if an age signal is received indicating that the person
506 using such website, application, or online service is under 18
507 years of age.
508 (b) Provide a disclaimer to the user or visitors that the
509 website, application, or online service contains material
510 harmful to minors.
511 (c) Label itself as restricted to adults.
512 (4) A website, an application, or an online service that
513 knowingly makes available less than a substantial portion of
514 material harmful to minors must do all of the following:
515 (a) Block access to known material harmful to minors if an
516 age signal is received indicating that the person using such
517 website, application, or online service is under 18 years of
518 age.
519 (b) Provide a disclaimer to users or visitors before
520 displaying known material harmful to minors.
521 (5) A website, an application, or an online service with
522 actual knowledge, through receipt of a signal regarding a user’s
523 age or otherwise, that a user is under 18 years of age must, to
524 the extent commercially reasonable and technically feasible,
525 provide readily available features for parents or guardians to
526 support a minor with respect to the minor’s use of the service,
527 including features to help manage which persons or accounts are
528 affirmatively linked to the minor, to help manage the delivery
529 of age appropriate content, and to limit the amount of time that
530 the minor spends daily on the website, application, or online
531 service.
532 (6) A covered manufacturer must comply with this section in
533 a nondiscriminatory manner, specifically including, but not
534 limited to, imposing at least the same restrictions and
535 obligations on its own websites, applications, and online
536 services as it does on those from third parties.
537 (7) A covered manufacturer may not:
538 (a) Use data collected from third parties, or consent
539 mechanisms deployed for third parties, in the course of
540 compliance with this section to compete against such third
541 parties;
542 (b) Give the covered manufacturer’s services preference
543 relative to those of third parties; or
544 (c) Otherwise use data collected from third parties or
545 consent mechanisms deployed by third parties in an
546 anticompetitive manner.
547 (8) After requisite notice and public comment, the
548 department may adopt such rules and regulations necessary to
549 establish the processes by which entities are to comply with
550 this section.
551 (9) This section is intended to provide uniformity of the
552 law. Any state law, regulation, or policy or any ordinance,
553 regulation, or policy adopted by a county, a municipality, an
554 administrative agency, or other political subdivision of this
555 state which is in conflict with this section is hereby
556 superseded and is deemed null and void to the extent of the
557 conflict with this section.
558 Section 4. This act shall take effect July 1, 2025.