Digital Privacy Protection Act
The Digital Privacy Protection Model Act protects residents’ personal information when the state requires online age verification. The Act mandates independent cybersecurity audits, tight limits on collection and retention, and bans any secondary use such as sale, sharing, profiling, or reuse. It protects minors while ensuring residents are not forced to risk identity theft or invasive data practices to comply with state law.
Key Provisions
Independent Cybersecurity Audits. Requires third-party audits of all state-mandated age verification systems before approval or use.
Data Minimization and Retention Limits. Restricts collection to what is strictly necessary and prohibits storage beyond verification.
Prohibition on Secondary Data Use. Bars sale, sharing, profiling, or reuse of personal identifying information.
State Accountability for Mandated Systems. Establishes liability when residents are harmed by breaches or misuse tied to state requirements.
Transparency and Public Reporting. Requires public disclosure of approved vendors, audits, and reported incidents.
Enforcement Authority. Empowers the Attorney General to enforce compliance and impose penalties.
Model Language
Section 1. Short Title. This Act shall be known and may be cited as the “Digital Privacy Protection Act.”
Section 2. Legislative Findings. The legislature finds that:
(a) Protecting minors from harmful online content is a compelling governmental interest.
(b) Residents should not be required to surrender sensitive personal information to access lawful online services.
(c) Government-mandated age verification systems present heightened cybersecurity and privacy risks when they collect or retain identifying data.
(d) Strong safeguards are necessary to ensure that any verification system required by the state protects residents from identity theft, data breaches, and misuse of personal information.
Section 3. Definitions. As used in this Act:
(a) “Age verification system” means any process, technology, or service required or approved by the state to verify an individual’s age for purposes of complying with a state-mandated online access requirement.
(b) “Personal identifying information” means information that identifies or could reasonably be linked to an individual, including name, address, date of birth, government-issued identification numbers, biometric data, or digital copies of identification.
(c) “Verification vendor” means any private entity that provides age verification services used to comply with a state requirement.
(d) “Administering agency” means the state agency designated to approve and oversee age verification systems.
Section 4. Cybersecurity Audit Requirement.
(a) Any age verification system required or approved by the state shall undergo an independent third-party cybersecurity audit prior to deployment.
(b) The audit shall evaluate data collection practices, encryption standards, retention policies, breach history, and ownership or control risks.
(c) Audit results shall be submitted to the administering agency and the Attorney General.
(d) No verification system may be approved unless the administering agency certifies in writing that it meets or exceeds recognized cybersecurity standards.
Section 5. Data Collection, Use, and Retention Restrictions.
(a) Verification vendors may collect only the minimum personal identifying information strictly necessary to confirm age.
(b) Personal identifying information shall not be retained beyond the time required to complete verification.
(c) Verification vendors are prohibited from selling, sharing, transferring, licensing, or otherwise using personal identifying information for any secondary purpose, including advertising, profiling, or algorithm training.
(d) Vendors shall certify compliance with this section as a condition of approval.
Section 6. Accountability for State-Mandated Systems.
(a) If a verification vendor used to comply with a state-mandated requirement experiences a data breach, misuses personal identifying information, or violates this Act, affected residents may seek recovery for actual damages.
(b) The state shall establish a claims or remediation process for residents harmed by breaches associated with mandated systems, without limiting additional remedies available under law.
(c) Nothing in this section limits liability or enforcement actions against verification vendors or other responsible parties.
Section 7. Transparency and Public Reporting.
(a) The administering agency shall publish an annual public report identifying:
(1) Approved verification vendors;
(2) Cybersecurity audit completion and certification status;
(3) Reported cybersecurity incidents and enforcement actions.
(b) Reports shall not include personal information of residents.
Section 8. Enforcement and Penalties.
(a) A verification vendor that violates this Act is subject to civil penalties established by rule, not to exceed a specified amount per violation.
(b) Each instance of improper data collection, retention, or disclosure constitutes a separate violation.
(c) The Attorney General may bring civil actions to enforce this Act and seek injunctive relief, penalties, and restitution.
Section 9. Severability. If any provision of this Act or its application is held invalid, the remainder shall remain in effect.
Section 10. Effective Date. This Act shall take effect on [insert date] and apply to age verification systems approved or required on or after that date.