On October 15, the Utah Department of Commerce’s Consumer Protection Division published a Proposed Rule implementing elements of the Utah Social Media Regulation Act (SMRA), which was signed into law in March 2023.
The SMRA imposes a range of requirements on social media companies related to minors’ use of social media platforms. The law, for example, requires that social media companies verify users’ ages, obtain parental consent authorizing minors to use the companies’ services, limit the functionality of minors’ accounts (e.g., messaging, advertising), and restrict the hours at which minors can access their accounts. The law also includes broad restrictions on these companies’ use of practices, designs, or features that contribute to minors’ addiction to social media. Importantly, the law is enforceable both by the Consumer Protection Division and through a private right of action. The Proposed Rule, in turn, offers additional specifics regarding how social media companies can satisfy the SMRA’s age verification and parental consent requirements. Public comments on the Proposed Rule will be accepted until February 5, 2024.
As we have previously noted on this blog, the issues of children’s privacy and social media use have been the focus of growing legislative attention at both the state and federal levels. Children’s data has also been at the center of several FTC enforcement actions over the past year. And most recently, in conjunction with the release of his “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (which we have written about here), President Biden has called on Congress to enact data privacy legislation to protect children. Thus, companies that collect children’s data should ensure that their data processing activities are aligned with this ever-evolving legal landscape.
In this post, we summarize key provisions in both the SMRA and Proposed Rule. We are happy to answer any questions you have about these provisions’ implications for your company’s privacy compliance efforts. To keep updated on all of the latest developments in the area of children’s privacy, be sure to follow the WilmerHale Privacy and Cybersecurity Law blog.
KEY PROVISIONS – UTAH SOCIAL MEDIA REGULATION ACT
Key provisions of the SMRA include:
- Applicability: Applies primarily to “social media compan[ies],” which the law defines to include a company that (1) “provides a social media platform that has at least 5,000,000 account holders worldwide” and (2) “is an interactive computer service.” The SMRA details extensive exceptions to the definition of “social media platform,” which out-scope from the reach of the law such services as email platforms, streaming services, and e-commerce sites, among others.
- Age Verification: Requires that social media companies verify the ages of accountholders to determine whether they are minors.
- Parental Consent: Prohibits social media companies from allowing a minor to hold an account on the company’s social media platform without the express consent of the minor’s parent or guardian.
- Restrictions on Minor Accounts: Imposes a range of restrictions on minors’ accounts, such as (1) prohibiting direct messaging between these accounts and users “not linked to the account through friending”; (2) prohibiting the display of advertising in the account; (3) limiting the collection and use of personal information from the account’s content and activity; (4) requiring that parents be allowed to access their children’s accounts; and (5) limiting the hours at which minors can use their accounts.
- Combatting Social Media Addiction: Prohibits the use of “practice[s], design[s], or feature[s]” that cause minors to develop social media addictions. Companies are subject to civil penalties of $250,000 for each violating practice, design, or feature, as well as $2,500 for each minor exposed to such practice, design, or feature. Notably, the Act includes an affirmative defense for companies that conduct and act upon (as appropriate) quarterly audits of practices, designs, and features that have the potential to cause the social media addiction of minors.
- Enforcement Via Government and Private Right of Action: Act is enforceable both by the Division of Consumer Protection and a private right of action, with the latter providing for the greater of $2,500 for each violation or actual damages.
- Effective Date: Though the Act generally took effect in May 2023, the bulk of its substantive requirements will not take effect until March 1, 2024.
KEY PROVISIONS – UTAH SOCIAL MEDIA REGULATION ACT PROPOSED RULE
Key provisions of the SMRA Proposed Rule include:
- Age Verification: Identifies a list of “acceptable forms or methods of identification” that may be used to verify an accountholder’s age, including, among other things, “validating and verifying mobile telephone subscriber information”; “dynamic knowledge-based authentication consistent with [COPPA regulations]”; comparing social security number digits against third-party databases; estimating the accountholder’s age based on the account’s date of creation; estimating the accountholder’s age based on “facial characterization or analysis”; and comparing a government ID photo against a live photo or video of the accountholder.
- Parental Consent: Requires that social media companies “make reasonable efforts to confirm a parent’s or guardian’s consent for a minor to open or use a social media account” by (1) using a method that is COPPA-compliant; and (2) “obtaining a written attestation from the parent or guardian that they are the minor’s legal guardian.”
- Use of Age and Identity Verification Data: Restricts social media companies’ collection and use of data in the age and identity verification contexts. For example, social media companies “may not collect more than the least amount of data reasonably necessary to comply with [these requirements],” and must provide for the security and timely deletion of this data. Notably, the Proposed Rule prohibits social media companies from storing or processing age and identity verification data outside the United States.
- Next Steps: The Proposed Rule is open for public comment until February 5, 2024. A public hearing on the Proposed Rule will be held on November 1, 2023.