By Alex Schlight and Leslie Veloz
Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates a minor’s access to, and use of, social media sites. On March 23, 2023, Governor Spencer Cox signed the S.B. 152 Social Media Regulation Amendments (Regulation Amendments) and the H.B. 311 Social Media Usage Amendments covering addictive design (Usage Amendments) (collectively, USMRA) into law.
The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA), or California’s Age-Appropriate Design Code Act passed last year in that it significantly limits when and how minors under the age of 18 can use social media, gives parent’s broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including, prohibiting the display of ads to minors, targeting or suggesting groups, services, products, and posts and use of addictive design. The stated goal for this law is claimed to be an effort to curb the mental health crisis faced by American minors.
Among other requirements under the USMRA, starting March 1, 2024, minors in Utah will need parental consent to gain access to any social media platform. The USMRA will set default curfews for minors limiting evening and early morning access to social media. The law will also require age verification for anyone who wants to keep or open an account. Additionally, parents will have broad access to a minor’s account.
The law grants enforcement rights to the Division of Consumer Protection and includes a private right of action allowing parents and persons generally, to bring suit.
Who is in Scope?
The USMRA only applies to "social media companies.” A social media company is defined as a person or entity that provides a “social media platform” that has at least 5 million account holders worldwide and is an interactive computer service.
A social media platform, in turn, is defined broadly as an online forum that a social media company makes available for an account holder to create a profile, upload posts, and view the posts of other account holders.
USMRA does not apply to online services, websites or applications:
whose predominant function is: electronic mail, direct messaging, streaming, news, sports, entertainment, online shopping or e-commerce, gaming, photo editing, professional creative network, public safety, career development, business to business software, teleconferencing or videoconferencing, cloud storage, document collaboration, cloud computing services, data visualization platforms, technical support, and academic or genealogical research (subject to specific qualifications & criteria).¹
on which the majority of the content posted or created is posted or created by the online service, website, or application itself, subject to further restrictions and limitations.
Obligations of Social Media Companies
Starting March 1, 2024, businesses who meet the definition of a “social media company” under the USMRA must:
Require parental consent for all minors to have a social media account by:
Verifying the age of a Utah resident seeking to maintain or open an account
Obtaining express consent from a parent to maintain or create an account
Denying access to accounts if age cannot be verified or consent obtained
Protect a minor’s account by:
Allowing a parent access to the account
Blocking accounts from search results for any user the minor has not “friended”
Prohibit direct messaging by anyone the minor has not “friended”
Limit a minor’s use of their account by:
Creating a default curfew blocking account access from 10:30PM to 6:30AM
Enabling a parent to limit the number of hours per day of account usage
Introduce restrictions on advertising, recommendations, and addictive designs by prohibiting:
display of advertising
collection or use of personal information for non-necessary purposes
use of targeted or suggested groups, services, products, posts, accounts, or users
use of a practice, design, or feature which the company knows, or reasonably should know, causes addiction to the platform
Parental Rights
Under the USMRA, parents or guardians (parents) have the right to:
A parent’s access to a minor’s account is unlimited. Conversely, a minor’s access to their account is limited to what their parent approves. Parents will have discretion to modify default access times required to be set by social media companies.
Enforcement & Private Right of Action
USMRA grants the Division of Consumer Protection (Division) auditing authority to enforce and ensure compliance. The Division also has the power to investigate any complaint and seek enforcement through an injunction, civil penalties, or to seek other relief through the judicial process.
Failure to comply with the Regulation Amendments could introduce fines of up to $2,500 per violation, and any actual damages suffered by users. Failure to comply with the Usage Amendments could result in a $250,000 fine for social media companies that use additive features and a penalty of up to $2,500 per child exposed to an addictive element. Companies can avoid fines by performing quarterly audits and addressing violations within 30 days.
The law also introduces a privacy right of action allowing persons (and not just parents) to sue companies directly. Where a violation of USMRA is found, companies may be liable up to $2,500 for each incident of the violation or actual damages for harms incurred by the individual bringing the action (whichever is greater). Notably, where a private action is pursued for addiction to social media, harm to minors under the age of sixteen will be presumed. In such cases, companies will bear the burden of rebutting such presumptions.
Practical Considerations
Social media companies are sure to face new complexities and uncertainty as they work towards compliance with these obligations.
Uncertainty surrounding age-verification and consent requirements
For one, despite its stringent age-verification and consent requirements, the law does not address how these standards are to be implemented. This brings to light important questions like what level of age-verification will be sufficient? What forms of identification will be sufficient to prove the age of a user? What about proving identity as the parent of a minor? And how must companies develop age verification and consent tools such that they cannot be easily evaded by minors?
At the same time, USMRA does not seem to consider the impact on companies who do not target children, or even those who prohibit children from using their services. Presumably, these companies will still need to introduce age-verification and then deny minors from creating an account in the first place.
Relatedly, it remains unclear how these requirements will interplay with broader data minimization and security principles. This is particularly pertinent given that the age verification requirements of the law will require companies to collect identification information from all users (minors or otherwise). As a consequence, companies will be collecting massive amounts of relatively sensitive data in order to comply with the law.
Further, companies need to consider application of other laws in connection with these requirements, including age-gating requirements under COPPA and whether collection of full date of birth for age-gating may trigger application other laws such as state data breach laws.
Importantly, the USMRA does provide for a rulemaking process that will address many of these questions. In particular, the Division of Consumer Protection is tasked with creating an age verification process which must permit some form of verification other than requiring a valid identification card issued by the government.
However, it is not clear when these rules will surface. This places social media companies in a tough position as they look toward undefined requirements, a host of technical changes that need to be made to their platforms and a relatively tight deadline for compliance.
Ensuring the protection of at-risk minors
While the USMRA was founded on the idea of enhancing the protection of minors, opponents of the law have claimed the law violates First Amendment rights and constitute problematic and even dangerous invasion of a minors’ and families’ right to privacy and parental rights. Other critics have raised concerns that these laws will disproportionately impact at risk youth where social media may be functioning as a safe space or means of seeking help and support, especially for kids without adequate family support.
What Comes Next?
Given the new and sweeping nature of USMRA, the law is destined to face legal challenges and review by the courts, particularly on First Amendment grounds. These challenges are not only expected but considered inevitable by Governor Spencer Cox who told reporters that they have planned for such legal pushback since the law’s early stages. In parallel, Representative Jordan Teuscher, the sponsor for the Usage Amendments, has issued a call to action for social media companies – asking them to come to the table and work alongside lawmakers.
Companies should pay close attention to these developments as they may meaningfully limit or clarify the current requirements under USMRA.
Finally look to Texas, Ohio, Minnesota, Connecticut and Arkansas next as these five states have each introduced similar legislation that would require parental consent for minors to use social media.
For more detail, see S.B. 152 Social Media Regulation Amendments.
Alex Schlight is a Senior Associate at Hintze Law PLLC. Alex counsels US and international clients on data privacy compliance and risk management strategies.
Leslie Veloz is an Associate at Hintze Law PLLC focused on the intersection of privacy, security, and data ethics.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.