Sammy’s Law
- Bill Number
- S. 4159
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 2
- Policy Area
- Science, Technology, Communications
- Status
- Introduced
- Latest Action
- 2026-03-20: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- Last Updated
- 2026-04-01T14:01:30Z
AI-Generated Summary
Purpose
This legislation, titled "Sammy's Law" (S. 4159), aims to enhance online safety for children by requiring large social media platforms to provide technical access (via application programming interfaces, or APIs) to approved third-party safety software. This allows children (or their parents for those under 13) to delegate control over the child's account settings, interactions, and content to protect against harm, such as emotional distress or exploitation, while maintaining user privacy and data security.
Key Provisions
- Definitions:
- A "child" is anyone under 17 with an account on a qualifying platform.
- A "large social media platform" includes services with over 100 million monthly global active users or more than $1 billion in annual revenue (adjusted for inflation) that allow children to share content (images, text, video) with users met through the platform. Excludes e-commerce sites, news services without direct messaging to children, or certain messaging apps without broad sharing features.
- "Third-party safety software provider" is a commercial entity authorized solely to protect children from harm (e.g., physical or emotional) via account management.
- "User data" is limited to profile information and content created by or sent to the child during an active delegation period, retained only for 30 days.
- Platform Obligations:
- Platforms must create and maintain real-time APIs within 180 days of enactment (or 30 days for newly qualifying platforms) for registered third-party providers.
- APIs enable delegation of permissions by a child (or parent for under 13) to manage interactions, content, and settings (e.g., privacy, marketing) in the same way the child could.
- Platforms must allow secure, hourly data transfers in a standard machine-readable format and provide summaries of transferred data to the child or parent.
- Access ends upon revocation, account closure, age 17, or provider deregistration; platforms must ensure data security with state-of-the-art safeguards.
- For end-to-end encrypted messaging (where platforms can't access content without overriding user controls), platforms provide interfaces for real-time transmission to the third-party without bypassing encryption.
- Third-Party Provider Requirements:
- Must register with the Federal Trade Commission (FTC), proving they are not controlled by "covered nations" (e.g., adversarial foreign governments as defined in U.S. law), will use data only for child safety, and won't sell or share it improperly.
- Providers must limit data use to protection purposes, delete data within 5-15 days of revocation (or sooner if unused), and disclose operations and changes clearly to users.
- Annual independent audits are required, with reports submitted to the FTC (full reports confidential; summaries public); FTC can deregister non-compliant providers.
- Data disclosures are restricted to legal requirements, harm prevention (e.g., suicide risk, abuse, trafficking), or sharing with parents about specific risks (e.g., violence, harassment, sharing of personal info like addresses).
- Enforcement and Oversight:
- Violations are treated as unfair or deceptive practices under FTC rules, with standard FTC penalties.
- FTC conducts biannual compliance assessments and sets up a complaint process for children, parents, platforms, and providers.
- Platforms are indemnified (protected from lawsuits) for good-faith data transfers.
- Preempts state or local laws on API requirements for child safety but preserves general consumer protection, fraud, or privacy laws.
Significant Changes to Existing Law
- Introduces a federal mandate for large platforms to open APIs specifically for child safety tools, which does not exist in current U.S. law (e.g., expands beyond the Children's Online Privacy Protection Act, or COPPA, which focuses on data collection from under-13s without requiring third-party access).
- Builds on FTC authority under the Federal Trade Commission Act by treating violations as deceptive practices, but adds new registration, audit, and data deletion rules for third parties.
- Explicitly addresses encrypted content without mandating decryption, preserving platform privacy features while enabling safety monitoring.
- Creates a national standard preempting similar state requirements, reducing patchwork regulations but carving out exceptions for broader state laws.
Potential Impacts
- On Government Agencies: The FTC gains significant enforcement responsibilities, including registrations, audits, and complaints, potentially increasing workload and requiring resources for biannual reviews. No direct impact on international relations, though exclusions for "covered nations" align with U.S. national security policies.
- On Citizens: Empowers parents and older children (13-16) with tools to monitor and adjust accounts for safety, potentially reducing risks like bullying, exploitation, or mental health issues. However, it relies on opt-in delegation, so benefits depend on awareness and adoption; data retention limits (30 days) minimize long-term privacy risks.
- On Platforms and Providers: Large platforms (e.g., Meta, TikTok if qualifying) face development costs for APIs and security, plus ongoing compliance. Third-party providers gain a regulated market for safety apps but must meet strict standards, fostering innovation in parental controls while prohibiting data monetization.
- Overall, could lead to safer online experiences for minors without broadly restricting platform operations.
Main Stakeholders Affected
- Large Social Media Platform Providers: Must implement and maintain APIs, handle data transfers, and comply with FTC oversight.
- Third-Party Safety Software Providers: Benefit from access but face registration, audits, and data-use restrictions.
- Children (Under 17) and Parents: Gain control options for account management; parents of younger children have added delegation rights.
- Federal Trade Commission: Primary enforcer, responsible for registration, audits, and compliance monitoring.
- States and Local Governments: Limited by preemption on API rules but retain authority on general protections.
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens child data protections by mandating secure, limited sharing while providing platform liability shields; reinforces mandatory reporting for child exploitation under existing federal law (18 U.S.C. § 2258A). Potential challenges could arise over data access scope, but opt-in nature and harm-focused limits reduce overreach risks.
- Constitutional: Balances First Amendment concerns (e.g., content moderation) by limiting third-party actions to safety and user-authorized settings, without compelling platforms to alter core services. Privacy rights (under Fourth Amendment analogies) are addressed via security requirements and deletion mandates.
- Political: Bipartisan sponsorship (e.g., Sens. Husted, Britt, Warner) signals broad support for child online safety amid growing concerns over social media harms; establishes a uniform federal framework, potentially easing industry compliance but sparking debates on innovation vs. regulation. No overt bias in the text, focusing on protection without favoring specific platforms.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (2)
Sen. Britt, Katie Boyd [R-AL], Sen. Warner, Mark R. [D-VA]
Recent Actions
- 2026-03-20: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- 2026-03-20: Introduced in Senate
Bill Versions
- Sammy’s Law — issued 2026-03-20 — PDF (29 pages)