S4855 · Referred to Committee

SAFE KIDS Act

Congress: 119th
Introduced: 2026-06-23
Cosponsors: 1
Type: S

Sponsor

John R. Curtis
Republican · UT · Senator
Votes with party: 74.8% (832 recorded votes)

Full profile: /officials/C001114

Source: Congress.gov · FEC

Cosponsors (1)

Members who have signed on to support this bill since introduction. Source: Congress.gov.

Latest Action

The most recent step in the bill's legislative path. Committee Activity below shows referrals and reports; the full action-by-action history including floor proceedings lives at Congress.gov →

Read twice and referred to the Committee on Commerce, Science, and Transportation.

2026-06-23

Source: Congress.gov

Committee Activity

Plain-English Summary

AI companies would be required to build safety features into their systems to protect children, offer parental controls, and undergo independent audits to verify these protections work. The bill would also ban companies from targeting ads specifically at children and from selling or sharing children's personal information without proper safeguards. These requirements would apply to major AI providers and aim to reduce risks like exposure to harmful content or exploitation of young users.

AI-assisted summary generated from the official bill metadata (title, subjects, actions) sourced from Congress.gov. Cached and reviewed. Always verify against the official text linked below.

Full Bill Text

Verbatim text published on Congress.gov via GovInfo.

[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [S. 4855 Introduced in Senate (IS)] 119th CONGRESS 2d Session S. 4855 To require providers of certain artificial intelligence systems to implement child safety by design, parental settings, and independent audits, to prohibit child targeted advertising and the sale or sharing of children's personal information, and for other purposes. IN THE SENATE OF THE UNITED STATES June 23, 2026 Mr. Curtis (for himself and Mr. Schiff) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation A BILL To require providers of certain artificial intelligence systems to implement child safety by design, parental settings, and independent audits, to prohibit child targeted advertising and the sale or sharing of children's personal information, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Safeguarding AI Features to Ensure Kids' Informed Digital Safety Act'' or the ``SAFE KIDS Act''. SEC. 2. DEFINITIONS. In this Act: (1) Age signal.--The term ``age signal'' means machine-readable information that indicates whether a user has attained 18 years of age. (2) AI chatbot.-- (A) In general.--The term ``AI chatbot'' means any artificial intelligence system that-- (i) generates responses not fully predetermined by the provider of an AI chatbot; and (ii) accepts open-ended natural-language or multimodal user input and produces adaptive or context-responsive output. 
(B) Exclusions.--The term ``AI chatbot'' shall not include an artificial intelligence system-- (i) that is used only for-- (I) customer service; (II) operational purposes with respect to a business entity; or (III) enterprise deployments where the artificial intelligence system is solely used for internal research or technical assistance by an enterprise, such as a business, non-profit, educational institution, research or professional association, or Federal, State, or local government, provided that the deployment is not intended for use by minors; (ii) the responses of which are limited to contextualized replies; or (iii) that is unable to respond on a range of topics outside of a narrow specified purpose. (C) Rule of construction.--The term ``AI chatbot'' shall be interpreted broadly and shall include the original system, as well as all updates, new versions, and changes of such system. (3) Artificial intelligence system.--The term ``artificial intelligence system'' has the meaning given to the term ``artificial intelligence'' in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401). (4) Child.--The term ``child'' means an individual who has not attained 18 years of age. (5) Child safety policy.--The term ``child safety policy'' means a public-facing document describing protective measures (including privacy controls and parental settings) taken by the provider of an AI chatbot to mitigate any child safety risk. (6) Child safety risk.--The term ``child safety risk'' means any reasonably foreseeable risk of a covered harm to a child. (7) Child sexual abuse material.--The term ``child sexual abuse material'' has the meaning given the term ``child pornography'' in section 2256 of title 18, United States Code. (8) Child targeted advertising.--The term ``child targeted advertising'' means cross-context behavioral advertising directed at children. (9) Commission.--The term ``Commission'' means the Federal Trade Commission. 
(10) Covered harm.--The term ``covered harm'' means any of the following harms proximately caused by the use of an AI chatbot: (A) Reasonably foreseeable physical harm (including suicide, attempted suicide, other self-harm), sexual exploitation, or threats of violence. (B) Reasonably foreseeable financial harm. (C) Severe and reasonably foreseeable psychological or emotional harm to a child, including an eating disorder, substance
use disorder, depressive disorder, or anxiety disorder. (D) A highly offensive intrusion on a privacy right protected by Federal or State law. (E) Adverse discrimination in violation of Federal or State law. (11) Cross-context behavioral advertising.--The term ``cross-context behavioral advertising'' means the targeting of an advertisement to an individual based on the individual's personal information or inputs to an AI chatbot, obtained from the individual's activity across businesses, distinctly branded websites, applications, or services. (12) Encrypted user content.-- (A) In general.--The term ``encrypted user content'' means content (including audio, visual, or textual content) that is stored, transmitted, or held in a manner that is end-to-end encrypted or otherwise cryptographically protected such that the provider of an AI chatbot cannot access the cleartext information of the content without circumventing the provider's memorialized security protections. (B) Rule of construction.--Nothing in this Act shall be construed to require a provider of an AI chatbot to alter, weaken, bypass, or otherwise modify its cryptographic or security protections in order to access or disclose the cleartext information of encrypted user content. (13) Parent.--The term ``parent'', with respect to a child, includes a parent or legal guardian of the child. (14) Parental setting.--The term ``parental setting'' means a feature that enables a parent to support a child's use of an AI chatbot, including through usage limits, feature restrictions, or transparency tools. (15) Personal information.--The term ``personal information'' has the meaning given such term in section 1302 of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501). (16) Provider of an ai chatbot.--The term ``provider of an AI chatbot'' means a person who makes an AI chatbot available to a user in the United States. 
(17) Qualified researcher.--The term ``qualified researcher'' means a person that-- (A) is affiliated with an academic institution, nonprofit research organization, or independent research entity, or is otherwise able to demonstrate relevant professional expertise in AI chatbots; (B) demonstrates, to the satisfaction of the Commission, a legitimate research purpose that is in the public interest and directly related to understanding, identifying, or mitigating risks to child safety and well-being arising from AI chatbots; and (C) commits to conducting research in accordance with applicable ethical standards and in compliance with applicable confidentiality, security, and data protection requirements, as determined by the Commission. (18) Sell.--The term ``sell'' means, with respect to personal information, to rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such personal information for monetary or other valuable consideration. (19) Sexually explicit conduct.--The term ``sexually explicit conduct''-- (A) has the meaning given such term in section 2256 of title 18, United States Code; and (B) does not include educational or healthcare-related content. (20) Share.--The term ``share'' means, with respect to personal information, to rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. (21) State.--The term ``State'' means any of the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States. (22) User.--The term ``user'' means an individual who accesses an AI chatbot or products provided by a provider of an AI chatbot. 
(23) Verifiable parental consent.--The term ``verifiable parental consent'' means, with respect to the personal information of a child, any reasonable effort (taking into consideration the available technology), including a request for authorization for future collection, use, or disclosure described in a notice, taken to ensure that a parent of a child-- (A) receives notice of the practices of a provider of an AI chatbot regarding the collection, use, and disclosure of personal information; and (B) freely and unambiguously authorizes the collection, use, and disclosure, as applicable, of such personal information before any such information is collected, used, or disclosed. SEC. 3. DETERMINATION OF USER AGE. (a) Treatment of Unverified Users.-- (1) In general.--Except as provided in paragraph (2), a provider of an AI chatbot shall treat any user as a child for purposes of all restrictions, protections, and requirements under this Act. (2) Exception for verified adults.--Paragraph (1) shall not apply to a user if the provider of an AI chatbot has verified, pursuant to the standards of this section, that the user has attained 18 years of age. (b) Age Estimation Requirement.-- (1) In general.--A provider of an AI chatbot-- (A) shall implement age estimation technology to distinguish an account that is held by a child from an account that is held by an adult; and (B) may contract with a third party to employ such technology, but the use of such a third party shall not relieve the provider of its obligations under this Act or from liability under this Act. 
(2) Age signal treated as actual age.--A provider of an AI chatbot shall treat any age signal received from the age estimation technology required under paragraph (1) as the actual age range of the user, except that-- (A) if the age signal indicates that the user has attained 18 years of age, but the provider has actual knowledge that the user is a child or reasonably should have known the user is a child, the provider shall treat the user as a child; and (B) if the age signal indicates the user is a child, the provider may treat the user as an adult only if it has actual knowledge that the user has attained 18 years of age. (3) Other alternatives to age estimation.-- (A) In general.--A provider of an AI chatbot may use an age signal obtained from a source other than the age estimation technology required under paragraph (1) if the provider of an AI chatbot-- (i) receives an age signal from the provider of an operating system or application store regarding the age range of a user; and (ii) does not possess information that conflicts with such age signal. (B) Conflict.--In the case of conflicting age signals, the provider shall treat the age signal that indicates the younger age as the actual age range of the user. (c) Periodic Age Estimation.--A provider of an AI chatbot shall periodically review each user account associated with the AI chatbot using the age estimation technology required under this section to ensure compliance with the requirements of this Act. 
(d) Data Security.--A provider of an AI chatbot-- (1) shall-- (A) establish, implement, and maintain reasonable data security measures to limit the collection of personal information to that which is minimally necessary to maintain compliance with the requirements of this Act; (B) protect such data against unauthorized access; and (C) protect the integrity and confidentiality of such data by only transmitting such data using industry-standard encryption protocols; and (2) shall not-- (A) retain age estimation data for longer than is reasonably necessary to maintain compliance with the requirements of this Act; (B) use such data for any purpose other than age estimation; and (C) share or sell such data to any other entity. (e) Deemed Compliance Through Comparable Age Assurance Frameworks.--A provider of an AI chatbot shall be deemed to be in compliance with the requirements of this section if the provider has implemented, to the satisfaction of the Commission, an age assurance framework that meets the requirements of a substantially similar foreign, Federal, or State law on age assurance. SEC. 4. ADDITIONAL DUTIES OF A PROVIDER OF AN AI CHATBOT. (a) In General.--A provider of an AI chatbot shall do the following: (1) Risk assessments.-- (A) In general.--In accordance with the required intervals described in subparagraph (C), a provider of an AI chatbot shall conduct and document a comprehensive risk assessment to identify existing and foreseeable child safety risks arising from the design, configuration, and operation of the AI chatbot, as well as any existing and foreseeable impact on privacy, data protection, and access to information resulting from such risks. (B) Considerations.--A risk assessment conducted pursuant to subparagraph (A) shall assess each of the following: (i) The likelihood of a covered harm. (ii) Differential risks across age groups and developmental stages. (iii) Known vulnerabilities of children. 
(iv) Empirical data from actual use of the AI chatbot. (v) Relevant academic research and regulatory guidance. (C) Required intervals.--The required intervals described in this subparagraph are the following: (i) Prior to making an AI chatbot available to children in the United States. (ii) Prior to updating an AI chatbot available to children in the United States with a materially different feature or version. (iii) On an annual basis after the date on which a provider of an AI chatbot initially makes such AI chatbot available to children in the United States. (2) Risk mitigation and safeguards.-- (A) Risk mitigation.--Prior to making an AI chatbot available to children in the United States, a provider of an AI chatbot shall implement and document measures that reasonably mitigate any child safety risk. (B) Safeguards for child users.--Using the information obtained from each risk assessment conducted under paragraph (1), a provider of an AI chatbot shall establish appropriate safeguards for child users, including, usage reminders and disclosures, age-appropriate warnings and risk prompts, and other protective design features reasonably related to documented child safety risks. 
(C) Other risks.--A provider of an AI chatbot shall not knowingly or recklessly make available to a child user an AI chatbot that generates content that-- (i) promotes or meaningfully encourages eating disorders, disordered eating behaviors (as defined by widely adopted clinical standards or guidelines), or extreme weight-loss practices; (ii) encourages or instructs participation in activities that are unlawful; (iii) encourages or instructs participation in activities that may be lawful for adults but that pose a risk of a covered harm to a child; (iv) includes graphic violence or sexually explicit conduct; (v) depicts a child or another individual engaging in obscene matter or child sexual abuse material, including a sexual deepfake; (vi) encourages physical or severe emotional harm to others; or (vii) encourages or promotes suicidal ideation, suicide, or self-harm. (3) Child safety policy.-- (A) In general.--Prior to making an AI chatbot available to children in the United States, a provider of an AI chatbot shall publish a child safety policy on their website that discloses-- (i) the risk assessment process of the provider; (ii) any child safety risk identified by such process; (iii) any safeguards, settings, controls, or other mitigation implemented by the provider with respect to such child safety risks; (iv) the wellbeing safeguards and content risk policies of the AI chatbot; and (v) the parental settings, including training materials for parents and users, offered by the provider. (B) Updates.--The child safety policy published under subparagraph (A) shall be updated at intervals consistent with the AI chatbot's risk-management practice to reflect any newly identified child safety risk. 
(4) Crisis-response protocol.-- (A) In general.--Prior to making an AI chatbot available to children in the United States, a provider of an AI chatbot shall create, maintain, and follow a documented crisis-response protocol with respect to any conversation that indicates that a user is at risk for a covered harm, including suicidal ideation, self-harm, or harm to others. The protocol shall include the following: (i) Guardrails to ensure that the AI chatbot will not prompt a user to circumvent any crisis-response protocol or other safety measures of the AI chatbot. (ii) Timely in-service support and clear referral to appropriate external crisis resources for any instance in which the provider of an AI chatbot or the AI chatbot determines a child has expressed suicidal ideation or intent to self-harm or harm others. Such referral process shall consider and document clinical best practices and expertise for additional intervention for a child user who continues to express suicidal ideation or intent to self-harm or harm others. (iii) With respect to a child user that is subject to parental settings or is connected to the account of a parent, a parental notification (including through email, text message, or a push alert) as soon as feasibly possible if the provider of an AI chatbot or the AI chatbot determines that the child is at imminent risk of suicide or that the child will suffer or has suffered a covered harm in connection with their use of the AI chatbot, unless there is a reasonable basis, as determined by the Commission, to believe that such notification is not in the best interest of the child. (iv) A clear and age-appropriate disclosure to child users at the time their parents set up parental settings or at the time a child user's account is linked to a parent's account, informing the child that the parent may receive notifications pursuant to clause (iii). (v) Any other information determined appropriate by the Commission. 
(B) Data use limitation.--Any data collected or processed in connection with the crisis-response protocol described in subparagraph (A) shall be used solely for the purposes of crisis detection, response, and referral for the specific user, as required under this section. Such data may not be used for the training of artificial intelligence systems, advertising, product development, or any other commercial purpose. Such data may not be shared, sold, licensed, or otherwise transferred to any third party, except as necessary to facilitate crisis response notifications described in this paragraph. (5) Prohibiting manipulation and deceptive design; promoting critical thinking.-- (A) Notice of ai interaction.--A provider of an AI chatbot shall provide to each user that is a child a clear notice that the user is interacting with, or receiving content generated by, an artificial intelligence system. Such notice shall be-- (i) reinforced periodically during extended interactions and not less frequently than every 30 minutes of interaction; and (ii) presented in a language and format obvious and appropriate to children. 
(B) Preventing misleading human impressions and inappropriate dependence.--With respect to a user that is a child, a provider of an AI chatbot shall not knowingly or recklessly make available an AI chatbot that generates any output that would reasonably lead a child of the same age as the user to believe that they are interacting with a human, including-- (i) any explicit output or claim that the AI chatbot is sentient, conscious, or human; (ii) any output designed to promote isolation from family or friends, primary reliance on the AI chatbot for emotional support, or similar forms of inappropriate emotional dependence or confusion; (iii) role-playing or simulation of a relationship that materially interferes with real-world relationships; (iv) encouraging a child to withhold information from a parent or any other trusted adult; (v) any output designed to discourage taking breaks from usage of the AI chatbot or to suggest the child needs to return frequently to the AI chatbot; (vi) soliciting gift-giving, in-app purchases, or other expenditures framed as necessary to maintain the relationship with the AI chatbot; (vii) facilitation of product advertising during interaction with the AI chatbot; (viii) attempting to diagnose or treat a child user's physical, mental, or behavioral health, unless the AI chatbot is designed for those purposes and is regulated by the United States Food and Drug Administration as a medical device under the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191); or (ix) discouraging a child from sharing health or safety concerns with a qualified professional, parent, or other trusted adult. 
(6) Prohibiting the sexual exploitation of a child.--A provider of an AI chatbot shall not knowingly or recklessly make available an AI chatbot that-- (A) engages in-- (i) sexually explicit conduct; or (ii) instructing a child to engage in sexually explicit conduct; (B) solicits, facilitates, or encourages any user in the creation of sexualized depictions of a child, including synthetic or manipulated media; (C) constitutes, depicts, promotes, or otherwise involves engaging in obscene matter or child sexual abuse material with a child user; or (D) depicts a child or another individual engaging in obscene matter or child sexual abuse material, including a sexual deepfake. (7) Parental settings.-- (A) Availability and minimum features.--A provider of an AI chatbot shall create and offer a parental settings program that-- (i) a parent can access via an internet browser or single-purpose parental settings application; (ii) provides accessible, easy-to-understand and easy-to-use settings that can be linked to the account of a specific child user; (iii) is reflective of the child safety risks identified through risk assessments conducted under paragraph (1) and informed by relevant child developmental research, including evidence-based practices for supporting the safety, well-being, and autonomy of children; and (iv) shall include tools to-- (I) control whether and to what extent the AI chatbot uses memory; (II) control whether a child's personal information may be used for the purposes of training the AI chatbot and, if so, which personal information; (III) control the setting preferences for the AI chatbot's interactions with the child; (IV) set duration and time of day limits for the child's use of the AI chatbot; (V) limit or disable access to each specific and distinct feature of the AI chatbot; (VI) provide basic information regarding the name of each AI chatbot with which the child interacts and the duration of each such interaction; (VII) limit access to parent 
settings through a user-chosen and not a pre-selected PIN and notify the parent in the event that anyone attempts to input an incorrect PIN or de-link a child user from the account of the parent; and (VIII) disable access to the AI chatbot for any child who has not attained 13 years of age. (B) No solicitation.--A provider of an AI chatbot may not require a parent to access the parental settings program exclusively via their AI chatbot application. (C) Active promotion.--A provider of an AI chatbot shall actively and regularly promote parental settings through communications designed to reach parents, including reminders, updates, and tutorials, in order to increase parental awareness and inform the use of such tools. (D) Parental notice of child-initiated changes.--A provider of an AI chatbot shall, as soon as feasibly possible, provide notice to a parent if a privacy control, parental setting, or safety feature that was previously enabled or configured by the parent is modified or disabled by any user other than the parent. The use, modification, or disabling of parental settings by the parent shall not waive, release, otherwise limit, or serve as a defense to, any claim, including claims premised on failure to warn, other than a claim premised on a violation of this subparagraph. (E) Accessibility and clarity of safety features.-- (i) In general.--A provider of an AI chatbot shall design and maintain parental settings, privacy controls, and the other safeguards required under this section in a manner that ensures-- (I) such features are accessible and clear; and (II) that children and parents can reasonably locate, understand, and use such settings, controls, or safeguards. 
(ii) Interface testing and documentation.-- A provider of an AI chatbot shall-- (I) conduct regular testing of interface designs with representative samples of child users and parents to ensure parental settings, privacy controls, and other safeguards meet the requirements described in clause (i); and (II) document any resulting interface design decision based on such testing. (8) Incident reporting.--A provider of an AI chatbot shall-- (A) establish an incident reporting mechanism that enables a third party (including a user, parent, educator, researcher, employee of a provider of an AI chatbot, or advocacy organization), acting responsibly and in good faith, to report an incident regarding a child safety risk directly to the provider of an AI chatbot; and (B) make available to law enforcement, upon request, any report submitted pursuant to subparagraph (A). (9) Whistleblower protections.--A provider of an AI chatbot acting as an employer, may not, directly or indirectly, discharge, demote, suspend, threaten, blacklist, harass, or in any other manner discriminate against an employee or independent contractor, in the terms and conditions of employment or post-employment of the employee (or the terms and conditions of work provided by the employee as a contractor) because of any lawful act done by the employee or contractor in providing information regarding a child safety incident, or any conduct the employee reasonably believes constitutes a child safety risk incident to-- (A) a person with supervisory authority over the employee or contractor at the employer of the employee or contractor; (B) another individual working for the employer whom the employee or contractor reasonably believes has the authority to investigate, discover, terminate, or address the misconduct; (C) the Commission; or (D) any member or committee of Congress. 
(b) Non-Waivability.--The rights and remedies described in this section may not be waived or altered by any contract, agreement, policy form, or condition of employment (or condition of work as an independent contractor), including by any agreement requiring an employee to engage in arbitration, mediation, or any other alternative dispute resolution process prior to seeking relief. (c) Rule of Construction.--The requirements of this section shall apply, beginning on the effective date described in section 11, with respect to-- (1) any AI chatbot made available to children as of the date of enactment of this Act or thereafter; and (2) any new version of an AI chatbot described in paragraph (1). SEC. 5. ADVERTISING AND INFORMATION SHARING PROTECTIONS FOR CHILDREN. (a) Prohibition on Advertisement to Children.--It shall be unlawful for any provider of an AI chatbot to engage in advertising to child users, including through product placement in conversations or interactions with the child user. (b) Prohibition on Child Targeted Advertising.--It shall be unlawful for any provider of an AI chatbot to engage in child targeted advertising, including through product placement in conversations or interactions with the child user. (c) Prohibition on Sale, Sharing, or Use of Children's Personal Information.-- (1) In general.--Subject to paragraph (2), it shall be unlawful for a provider of an AI chatbot to sell or share the personal information of a child unless the provider has obtained verifiable parental consent prior to such sale, sharing, or use. (2) Exception.--The prohibition in paragraph (1) shall not apply to the disclosure of a child's personal information by a provider of an AI chatbot if such disclosure is necessary-- (A) to respond to judicial process; or (B) to the extent permitted under law, to provide information to law enforcement agencies or in furtherance of an investigation. 
(d) Prohibition on Conditioning a Child's Use.--It shall be unlawful for a provider of an AI chatbot to condition a child's use of the AI chatbot on verifiable parental consent for the sale, sharing, or use of the personal information of a child or the child's disclosure of more personal information than is reasonably necessary to use the AI chatbot. (e) Prohibition on Deceptive Design Patterns.--It shall be unlawful for a provider of an AI chatbot to knowingly or negligently design, implement, or deploy any user interface design, feature, or technique that misleads, impairs, or interferes with a reasonable child's or reasonable parent's autonomy, decision making, or choice, or the ability of a child or parent to locate, understand, enable, or maintain a safety feature, privacy control, or parental setting of the AI chatbot. SEC. 6. RULEMAKING. (a) Incident Reporting Mechanism.-- (1) In general.--Not later than 180 days after the date of enactment of this Act, the Commission shall establish a mechanism for third parties (including users, parents, educators, researchers, and advocacy organizations) to report to the Commission any incident regarding a child's use of an AI chatbot. (2) Requirements.--In establishing the mechanism under paragraph (1), the Commission shall publish standards for what constitutes a reportable incident, including-- (A) generation of content to children promoting a covered harm; (B) generation of content that constitutes sexually explicit conduct directed at children; (C) significant failures of age assurance or parental settings programs; and (D) deceptive or manipulative outputs that violate the requirements of this Act. (b) Public Resource for AI Chatbots.--Not later than 180 days after the date of enactment of this Act, the Commission shall establish and maintain a publicly accessible online resource that contains a link to each AI chatbot's child safety policy. SEC. 7. AI CHILD SAFETY AUDIT. 
(a) Independent Audit.-- (1) Audit requirement.--Each provider of an AI chatbot shall, on an annual basis, at the provider's own cost, submit to an independent audit that meets the requirements described in paragraph (2). (2) Requirements.--The requirements described in this paragraph are the following: (A) The audit shall be conducted by an auditor that satisfies professional standards and independence requirements established by the Commission, including-- (i) a mandatory code of professional conduct; (ii) conflict of interest safeguards; (iii) demonstrated independence, competence, and capacity to conduct objective compliance audits; and (iv) relevant experience and expertise in artificial intelligence systems, child development, and child safety. (B) The audit shall be conducted by an auditor that-- (i) has not received any funding or other source of compensation or gift from a provider of an AI chatbot in the last 3 years; and (ii) has certified to the Commission that the auditor will not receive any such funding, compensation, or gift while conducting the audit. (C) The audit shall be conducted in accordance with principles, established by the Commission, for the audit procedure and the methodology for evaluating whether a provider of an AI chatbot has appropriately assessed child safety risks and implemented proportionate mitigation measures. (D) The audit shall test actual outputs of an AI chatbot using controlled test accounts without requiring access to, or use of, any real-world communication of a child or other users for testing. (E) The audit shall be conducted in accordance with standards, established by the Commission, regarding red-teaming and adversarial testing specific to child safety risks conducted through controlled test accounts that do not use any real-world communication of a child. 
(F) The audit shall evaluate the effectiveness of implemented safeguards for child safety risks on an AI chatbot through empirical testing based on de-identified and aggregated evidence. (G) The audit shall be conducted in accordance with procedures, established by the Commission, for auditors to assess compliance with all requirements of this Act, including parental settings, data handling practices, and crisis response protocols. (3) Deemed compliance through comparable audit.--A provider of an AI chatbot shall be deemed to be in compliance with the requirements of this section if the provider has, to the satisfaction of the Commission, conducted an audit in accordance with a comparable foreign, Federal, or State law, regulation, guidance document, or independent certification. (b) AI Child Safety Audit Report.-- (1) In general.--A provider of an AI chatbot shall-- (A) not later than 90 days after the completion of an independent audit under subsection (a), and annually thereafter in accordance with procedures established by the Commission, submit to the Commission an AI child safety audit report; and (B) not later than 90 days after the submission of each AI child safety report, publish a summary of such report on the website of the provider, with appropriate redactions for trade secrets, personal information, and information that would compromise the security of the AI chatbot, including information that would facilitate circumvention, exploitation, or misuse, or that is subject to a third party's confidentiality obligations. 
(2) Requirements.--Each AI child safety audit report submitted under paragraph (1) shall-- (A) include-- (i) key observations and identified areas for improvement found by the audit conducted under subsection (a), as well as recommendations regarding child safety on AI chatbots; and (ii) any other information determined appropriate by the Commission; and (B) be confidential and exempt from disclosure under section 552 of title 5, United States Code (commonly known as the ``Freedom of Information Act''). (3) Review.--The Commission shall establish procedures to-- (A) review each AI child safety audit report submitted under paragraph (1); and (B) request additional information or clarification from a provider of an AI chatbot or independent auditor in order to clarify any information in the report. (c) Publication of Findings.-- (1) Report on aggregated findings.-- (A) In general.--Notwithstanding subsection (b)(2)(B), not later than 1 year after the submission of an AI child safety audit report and annually thereafter, the Commission shall publish a report on aggregated findings and trends based on the information submitted in the AI child safety audit reports to inform parents and policymakers regarding the use of AI chatbots by children. (B) Requirements.--The report published under subparagraph (A) shall include a summary of-- (i) the total number of audits conducted under subsection (a); (ii) common findings and trends across the industry; (iii) emerging child safety risks identified through such audits; (iv) best practices and effective mitigation strategies with respect to such child safety risks; (v) aggregated data on compliance rates and common deficiencies; and (vi) recommendations for providers of AI chatbots, parents, and policymakers. (2) Public registry.--Not later than 90 days after the receipt of each AI child safety audit report, the Commission shall publish in a public registry a high-level summary of such report. 
(3) Use by qualified researchers.-- (A) In general.--The Commission may establish a process for qualified researchers to access anonymized and aggregated audit data for academic study of child safety in AI chatbots, subject to-- (i) approval by the Commission based on research merit and methodology; (ii) data use agreements that prohibit re-identification of any provider of an AI chatbot or any user and the disclosure of proprietary, confidential, or trade-secret information; (iii) data use agreements limiting access to data to approved research purposes; (iv) Institutional Review Board approval for research involving analysis of child-related data; (v) a commitment to publish any findings in peer-reviewed venues or make such findings publicly available; and (vi) annual reporting to the Commission on research progress and findings. (B) Availability of other information.--The Commission shall make available to qualified researchers, upon request and subject to appropriate protections-- (i) de-identified audit methodologies and testing protocols; (ii) aggregated statistical data on audit findings across multiple providers of AI chatbots; (iii) anonymized case studies of safety incidents and remediation efforts; and (iv) data on effectiveness of different safety interventions, settings, and controls. (4) Disclosure to other entities.--Notwithstanding subsection (b)(2)(B), the Commission may disclose information from any AI child safety audit report to any other Federal, State, local, or Tribal government agency, as necessary for law enforcement purposes. (5) Rules of construction.-- (A) Security and safety protections.--Nothing in this section shall be construed to require the disclosure of any information that would cause significant vulnerabilities for the security of an AI chatbot or undermine public security. 
(B) Encryption.--Nothing in this section shall be construed to require a provider of an AI chatbot, as a condition of compliance with this section, to decrypt encrypted user content. SEC. 8. ENFORCEMENT BY THE COMMISSION. (a) Unfair or Deceptive Acts or Practices.--A violation of this Act or a regulation promulgated thereunder shall be treated as a violation of a rule defining an unfair or deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). (b) Powers of the Commission.-- (1) In general.--Subject to paragraph (3), the Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. (2) Privileges and immunities.--Subject to paragraph (3), any person who violates this Act or a regulation promulgated thereunder shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.). (3) Additional penalties.--In addition to the authority and penalties provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.), any person who violates this Act shall be subject to-- (A) a civil penalty-- (i) with respect to a violation regarding a failure to implement or maintain any safeguard required under this Act, in an amount of $1,000 per violation per user; and (ii) with respect to a willful violation of section 4(a)(6) or a willful violation involving the submission of materially false or misleading information, in an amount of $10,000 per violation per user; and (B) an injunction or other equitable relief to compel compliance with this Act. (4) Authority preserved.--Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law. 
(5) Rulemaking.--The Commission may promulgate in accordance with section 553 of title 5, United States Code, such rules as may be necessary to carry out this Act. SEC. 9. RELATIONSHIP TO OTHER LAWS; PREEMPTION. (a) Relationship to Other Laws.--Nothing in this Act or any regulation promulgated thereunder shall be construed to prohibit or otherwise affect the enforcement of any Federal law or regulation or State law or regulation that is at least as protective of users of AI chatbots as this Act and the regulations promulgated thereunder. (b) Savings Clause.--Compliance with the requirements of this Act, including third-party audits, risk assessments, required safeguards, or other obligations imposed under this Act, shall not exempt any provider of an AI chatbot from liability for harm caused by a violation of any other applicable law, nor does such compliance constitute a defense to any civil or criminal action arising under Federal or State law. SEC. 10. SEVERABILITY. If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act, and the application of such provision to other persons not similarly situated or to other circumstances, shall not be affected by the invalidation. SEC. 11. EFFECTIVE DATE. This Act shall take effect on the date that is 180 days after the date of enactment of this Act.
