States Race After Utah on Minors’ Privacy Despite Legal Threats

The legislative and regulatory landscape concerning minors’ privacy is becoming increasingly protective, adding new complexity and uncertainty for companies as they navigate a patchwork of requirements.

The latest legislative trend aims to regulate use of social media by minors and provide parents with greater control over their children’s social media activities. This wave of legislation is building alongside concerns about the impact of social media on teens’ mental health and perceived gaps in protections for children’s privacy rights on social media.

On March 23, Utah was the first state to adopt such social media regulations with its Social Media Regulation Act. The law applies to social media companies with more than 5 million users worldwide, and it goes into effect on May 3, with numerous requirements coming into force beginning March 1, 2024.

Statute Overview

SB 152 requires social media companies to verify the age of any Utah resident account holder and obtain express consent of a parent or guardian prior to allowing users under 18 to open an account.

It also requires giving a parent or guardian access to the content and interactions of an account held by their children—a provision that already drew public criticism and legal threats over potential First Amendment violations.

Moreover, social media companies will be barred from displaying targeted content or ads to minors. HB 311 prohibits social media companies from using any practice, design, or feature that would cause users under the age of 18 to become addicted to the platform, and gives Utah’s minors the right to sue social media companies if they believe they’ve become addicted to or otherwise harmed by the platform.

Other State Proposals

Numerous states have proposed or are considering similar laws in the name of protecting minors from potential harms online, many of which would likely be destined to face legal challenges.

On April 10, Arkansas passed the Social Media Safety Act, with a Sept. 1 effective date pending the governor’s signature. The law is largely based on Utah’s Social Media Regulation Act, but it doesn’t include that state’s parental monitoring requirements. Arkansas’ law requires social media companies to obtain express consent of a parent or guardian prior to allowing users under the age of 18 to open an account. Social media companies are required to verify Arkansas users’ ages by engaging a third-party vendor to perform “reasonable age verification.”

The law includes exemptions for businesses with less than $100 million in annual gross revenue, companies that exclusively offer interactive or virtual gaming, and other listed services.

In January 2023, New Jersey introduced legislation that would prohibit social media companies from using any practice, design, or feature that would cause users under the age of 18 to become addicted to their platform. Social media companies would be required to hire an independent organization to perform an annual audit for compliance. The bill applies only to companies with more than $100 million in gross revenue and video game platforms.

Connecticut and Ohio recently introduced bills requiring social media companies to obtain parental consent prior to allowing users under the age of 16 to open an account.

In December 2022, Texas introduced a bill that prohibits Texas residents under the age of 18 from creating a social media account, and requires social media companies to verify user age through a variety of methods, including a photo identification mechanism, and to provide pathways for parents to request removal of their kids’ accounts.

Similar legislation has also been introduced in California (SB287 and SB845), FloridaIowaLouisianaMarylandMinnesota, and South Carolina.

Regulating Minors’ Personal Data

Several states have introduced laws that restrict how companies can use personal information collected from minors online, reflecting an emerging trend in online safety regulation.

The California Age-Appropriate Design Code, signed into law in September 2022 and is set to enter into force in July 2024, applies to online services “likely to be accessed by children” under the age of 18. The code requires companies to develop methods to estimate the age of child users, conduct detailed data protection impact assessments, enable settings that offer “a high level of privacy” by default, and includes restrictions on the profiling of children and use of dark patterns.

Similar laws have been introduced in ConnecticutOregonNevadaMarylandMinnesota and New Mexico.

Compliance Considerations

Businesses will face new complexities and uncertainty as they work towards compliance with these obligations. One of the biggest challenges will undoubtedly be age verification and, as of now, it is unclear how the age verification requirements contemplated by some of these laws should be implemented.

It is likely these requirements will go further than the age verification services social media platforms currently use to comply with COPPA, which can be easily evaded by minors. Companies should pay close attention to guidance and implementing regulations issued under such laws.

Moreover, age verification provisions will require companies to collect identification information from all users, minors or otherwise, to verify age and to prove the parent/guardian-child relationship.

Consequently, companies will be collecting large amounts of potentially sensitive personal information, such as driver’s license information and birth certificates, to comply with these requirements. Companies should strategize their approach to data minimization and security requirements.

With significant changes on the horizon, companies within the scope of these laws should start early to analyze the applicability of the new requirements to their services and develop appropriate compliance solutions.