Sammy’s Law
- Bill Number
- H.R. 2657
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Science, Technology, Communications
- Status
- Introduced
- Latest Action
- 2025-12-11: Forwarded by Subcommittee to Full Committee by Voice Vote.
- Last Updated
- 2026-07-01T08:09:12Z
AI-Generated Summary
Purpose
The legislation, titled "Sammy's Law" (H.R. 2657), aims to enhance child safety on large social media platforms by requiring these platforms to provide technical access (through application programming interfaces, or APIs) to approved third-party software tools. These tools allow parents, legal guardians, or children aged 13 and older to delegate control over a child's online interactions, content, and account settings to better protect against harms like cyberbullying, harassment, and exploitation.
Key Provisions
- Definitions:
- A "child" is anyone under 17 with an account on a qualifying platform.
- A "large social media platform" is an online service (website or app) allowing children to share content with others met through the platform, with over 100 million monthly global users or more than $1 billion in annual revenue (adjusted for inflation). Excludes e-commerce sites, news services without direct child messaging, or certain messaging apps.
- "Third-party safety software provider" is a U.S.-based company authorized to manage a child's account solely for protection purposes, not owned or controlled by foreign entities.
- "User data" includes profile info and content (images, text, video) created or sent to the child, limited to 30 days after creation and only while permissions are active.
- API Access Requirements (Section 4(a)):
- Platforms must create and maintain real-time APIs within 30 days of the law's effective date (or becoming "large"), allowing delegation of permissions to registered third-party providers.
- Permissions enable third-parties to manage interactions, content, and settings (e.g., optimizing privacy) on the same terms as the child, and transfer user data securely at least hourly in a machine-readable format.
- Delegations can be revoked by the child, parent/guardian, or provider; platforms must notify users of delegations and provide data transfer summaries.
- Management is limited to harm prevention, such as adjusting privacy or age settings.
- Third-Party Registration and Oversight (Section 4(b)):
- Providers must register with the Federal Trade Commission (FTC), affirming U.S. basing, data use only for child protection, secure U.S.-based storage, deletion within 14 days (with exceptions), and clear disclosures to users.
- Initial security review and annual audits by independent firms to verify compliance, data security, and risk management; audit reports submitted to FTC (summaries public).
- FTC can deny, suspend, or revoke registration for violations like negligence or non-compliance, with appeal rights except in severe cases.
- Guidance and Protections (Sections 4(c)-(f)):
- FTC to issue guidance within 180 days on authentication (verifying requests), safety standards, and consumer education.
- Platforms are indemnified (protected from lawsuits) for good-faith data transfers.
- User data disclosures by third-parties limited to legal requirements, parental notifications for harms (e.g., suicide risk, trafficking, harassment), or imminent threats; must report disclosures to users unless it risks harm.
- Enforcement (Section 5):
- Violations treated as unfair/deceptive practices under FTC Act; FTC enforces with existing powers (fines, investigations).
- Biannual compliance assessments; complaint procedures for users, platforms, and providers.
- FTC guidance on compliance within 180 days.
- Preemption (Section 6):
- Overrides state or local laws requiring similar API access, but preserves state consumer protection, trespass, contract, tort, fraud, and data breach laws.
- Effective Date (Section 7):
- Takes effect when FTC issues enforcement guidance.
Significant Changes to Existing Law
- Introduces a federal mandate for large platforms to open APIs specifically for child safety tools, which was not previously required under laws like the Children's Online Privacy Protection Act (COPPA) or Section 230 of the Communications Decency Act.
- Establishes FTC registration, auditing, and oversight for third-party providers, creating new regulatory hurdles for data handlers.
- Preempts fragmented state-level requirements on API access, aiming for a uniform national standard while carving out exceptions for broader state protections.
- Limits data retention and disclosure in ways that build on but expand existing privacy rules, emphasizing quick deletion and harm-specific reporting.
Potential Impacts
- Government Agencies: The FTC gains expanded enforcement duties, including registration reviews, audits, guidance issuance, and compliance monitoring, potentially increasing workload and resource needs.
- Citizens: Parents and guardians gain empowered tools for monitoring and protecting children from online harms, improving safety but raising privacy concerns if tools are misused. Children benefit from harm mitigation but may face restricted interactions.
- International Relations: Requires third-parties to be U.S.-based and store data domestically, which could limit foreign providers and affect global tech collaborations; platforms with international users must comply uniformly.
- Broader Economy: Encourages a market for U.S.-based safety software, but imposes compliance costs on platforms (e.g., API development) and providers (audits), possibly raising operational expenses passed to users.
Main Stakeholders Affected
- Large Social Media Platform Providers: Must build and maintain APIs, handle data transfers, and comply with FTC rules, facing potential fines for non-compliance.
- Third-Party Safety Software Providers: New opportunities to offer services but burdened by registration, audits, data security mandates, and deletion requirements.
- Children (Under 17) and Their Parents/Legal Guardians: Primary beneficiaries through delegated protections, with rights to delegate, revoke, and receive notifications/summaries.
- Federal Trade Commission (FTC): Oversees implementation, enforcement, and education.
- States and Local Governments: Lose ability to enact similar API mandates but retain other consumer protections.
Notable Legal, Constitutional, or Political Implications
- Legal: Treats violations as FTC Act infractions, enabling civil penalties without new criminal elements; indemnification shields platforms from liability, potentially reducing lawsuits but shifting risk to third-parties or users. Strict data rules align with privacy laws but introduce verifiable authentication requirements to prevent unauthorized access.
- Constitutional: Could raise First Amendment concerns if API mandates are seen as compelling speech or access to private platforms, though focused on child safety (a compelling interest). Preemption clause may limit state experimentation, invoking federalism debates under the Commerce Clause.
- Political: Reflects bipartisan push (introduced by Democrats and Republicans) for child online safety amid rising concerns over social media harms; sense of Congress highlights issues like trafficking and bullying, signaling potential for broader tech regulations without directly overriding platform immunities under Section 230.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Rep. Wasserman Schultz, Debbie [D-FL-25]
Cosponsors (22)
Rep. Carter, Earl L. "Buddy" [R-GA-1], Rep. Schrier, Kim [D-WA-8], Rep. Miller-Meeks, Mariannette [R-IA-1], Rep. Suozzi, Thomas R. [D-NY-3], Rep. Fitzpatrick, Brian K. [R-PA-1], Rep. Gottheimer, Josh [D-NJ-5], Rep. Wittman, Robert J. [R-VA-1], Rep. Moskowitz, Jared [D-FL-23], Rep. Houchin, Erin [R-IN-9], Rep. Ruiz, Raul [D-CA-25], Rep. Rouzer, David [R-NC-7], Rep. Moulton, Seth [D-MA-6], Rep. Stefanik, Elise M. [R-NY-21], Rep. Jackson, Jonathan L. [D-IL-1], Rep. Kean, Thomas H. [R-NJ-7], Rep. Fine, Randy [R-FL-6], Rep. Krishnamoorthi, Raja [D-IL-8], Rep. Deluzio, Christopher R. [D-PA-17], Rep. Harshbarger, Diana [R-TN-1], Rep. Vasquez, Gabe [D-NM-2], Rep. Calvert, Ken [R-CA-41], Rep. Neguse, Joe [D-CO-2]
Recent Actions
- 2025-12-11: Forwarded by Subcommittee to Full Committee by Voice Vote.
- 2025-12-11: Subcommittee Consideration and Mark-up Session Held
- 2025-04-03: Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
- 2025-04-03: Referred to the House Committee on Energy and Commerce.
- 2025-04-03: Introduced in House
- 2025-04-03: Introduced in House
Bill Versions
- Sammy’s Law — issued 2025-04-03 — PDF (26 pages)