With Gov. Abbot’s recent signing of the Securing Children Online through Parental Empowerment Act (SCOPE Act), Texas joins Arkansas and Utah (see our blogs here and here) in requiring age verification and parental consent before allowing minors to create accounts on social media platforms. Two key differences among these laws are (i) the SCOPE Act’s scope, which is broader than the other two state laws; and (ii) the duty imposed by the SCOPE Act to prevent harm to minors by preventing their exposure to “harmful material.” To define “harmful material,” the SCOPE Act borrows from a different Texas law which defines it as material that “taken as a whole” (i) appeals to the prurient interest of a minor in sex, nudity, or excretion, (ii) is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable for minors, and (iii) is utterly without redeeming social value for minors.
Scope: Digital Service Provider
The SCOPE Act applies to a “digital service provider.” A digital service provider (or DSP) is defined as a business that owns or operates a website, application, or other Internet connected service (“digital service”) for which it determines the purpose and means of processing of “personally identifiable information.” A digital service is in scope if the “primary function” is to enable users to “socially interact” and create a public or semi-public profile and create or post content that other users can view. This broad definition clearly implicates social media platforms, similar to Arkansas’ Social Media Safety Act (SMSA) and Utah’s Social Media Regulation Act (SMRA). But the SCOPE Act also implicates virtual words, games, metaverses and certain educational platforms that allow users to interact, create profiles and create content.
The SCOPE Act does not, however, include a revenue threshold or number of accounts threshold, which SMSA and SMRA do include. The SCOPE Act also does not include as many exceptions as SMRA or SMSA, but carveouts are available for digital service providers that provide access to news, sports, commerce, or content primarily generated or selected by the digital service provider and interactive functionality is incidental to the service (§ 509.002(b)(10)). Other exceptions are available for small businesses (as defined by the federal Small Business Administration), covered entities and business associates under Health Insurance Portability and Accountability Act of 1996 (HIPAA), colleges and universities, employment-related digital service providers and education platforms that are necessary for administration of certain types of assessments (e.g., college, career or military readiness), and email and direct messages services, among others (§ 509.002(b)(2)-(9)).
DSP Duty: Verify User Age
The SCOPE Act requires age verification but allows a digital service provider to rely on the age provided at account registration (§ 509.051(d)(1)). The digital service provider must, however, include age gating technology to ensure that the account registrant cannot alter the initial age provided, such as by back-buttoning to re-enter an old-enough age (§ 509.051(c)). A registrant is considered a “known minor” to the digital service provider if the age provided by the registrant is too young or if a “verified parent” notifies the digital service provider of a too-young registrant or disputes the age used to register (§ 509.051(d)(2)).
DSP Duty: Limit Information Use
For accounts held by known minors, a digital service provider must limit collection and use of the minor’s personal information only to what is reasonably necessary to provide the digital service. These limitations in the SCOPE Act about handling minors’ personal information are less strict than in SMSA and SMRA:
- In Arkansas’ SMSA, neither the “social media company” nor its vendor is permitted to retain “any identifying information” of the minor “after access to the social media platform has been granted” (§4-88-1103). Failure to comply results in liability for damages resulting from the retention of the identifying information, including court costs and reasonable attorney’s fees as ordered by the court.
- Utah’s SMRA disallows collection or use of any personal information from the minor’s posts, content, messages, text, or usage activities other than as “necessary to comply with and to verify compliance with, state or federal law, which information includes a parent or guardian’s name, a birth date, and any other information required to be submitted.”
A digital service provider also must not share, disclose, or sell a known minor’s personally identifiable information or collect a known minor’s precise geolocation or display targeted advertising to a known minor (§ 509.052) unless enabled by a “verified parent” using the parental controls described below.
DSP Duty: Conduct Content Filtering
Section 509.053 of the SCOPE Act also requires a digital service provider to create a “strategy” that is designed to prevent harmful content which promotes, glorifies or facilitates: suicide, self-harm, or eating disorders, substance abuse, stalking, bullying, harassment, human trafficking, child pornography or other sexual exploitation or abuse from reaching known minors. The SCOPE Act outlines explicit requirements for the content management strategy which includes use of filtering, human reviews and keywords used for filter evasion. The digital service provider also is required to “make available” the “algorithm code” used for these filtering and other automated controls to independent security researchers (§ 509.053(b)(1)(G)) but only to the extent the code is not a trade secret (§ 509.058).
DSP Duty: Offer Parental Controls
The SCOPE Act requires the digital service to allow a verified parent to access and control a minor’s account. Specifically, the SCOPE Act requires controls that allow a parent to “supervise” the minor’s account (§509.054(a)) through tools that enable the verified parent to control “privacy and account settings”, limit access time and restrict the known minor’s purchases or other financial transactions through the digital service (§509.054(b)).
Whether “supervise” in §509.054(a) and the “settings” in §509.054(b) are meant to grant parental access to the minor’s content and messages is unclear; accordingly, the SCOPE Act is arguably narrower than Utah’s SMRA, which expressly allows for parental access to content and messages. (Arkansas’ SMSA does not specifically allow for parental access to content and messages.)
Algorithms
The SCOPE Act also requires disclosures about the digital service’s use of algorithms (§509.056). Specifically, the digital service provider must provide publicly accessible information (e.g., in the terms of service or privacy policy) that describes:
- how the digital service uses algorithms to automate the information or content displayed to known minors;
- the manner in which algorithms “promote, rank, or filter” that information or content; and
- whether and how personal information is used as “inputs” to determine that information or content.
These public disclosures are not required to include any trade secret (§ 509.058).
Following is a chart comparing key provisions of Utah’s SMRA, Arkansas’ SMSA, and Texas’ SCOPE Act:
Topic | UT SMRA | AR SMSA | TX SCOPE Act |
Effective | May 3, 2023 | September 1, 2023 | September 1, 2024 |
In force | March 1, 2024 | September 1, 2023 | September 1, 2024 |
Regulations forthcoming | Yes | n/a | Yes by the Texas Education Agency* and only for school districts and open enrollment charter schools. Requires a joint legislative committee to conduct a study about the “effects of media on minors”. |
Key Requirements
Verify the age of all account holders. | Yes | Yes Verification by a third-party vendor required | Yes Heightened verification requirements for digital services that knowingly distribute harmful material |
“Minor” means age 18 or younger | Yes | Yes | Yes |
Parental controls for minors’ account including privacy, access times and security settings. | Yes Parental controls that allow for viewing all of the minor’s posts and responses and messages sent to/by the minor account holder; change or eliminate the minor’s permitted access time | n/a | Yes Parental controls for “privacy and account settings”, allowing certain otherwise restricted activities and limiting the minor’s access times |
Heightened default privacy settings for minors’ accounts. | Yes | n/a | Yes |
Handling personal information | No collection or use of any personal information from the minor’s posts, content, messages, text, or usage activities other than as necessary to comply with law | No retention of any identifying information of the minor after access to the platform is granted | Collection and use of the minor’s personal information restricted to what is reasonably necessary to provide the digital service. |
Prevent minor’s from engaging in financial transactions through the digital service unless parent changes such setting. | n/a | n/a | Yes |
Content filtering for minors | Yes No “suggestions” of groups, services, posts, etc. | n/a | Yes Prevent minor’s exposure to “harmful material” or certain other content |
No advertising to minors’ accounts | Yes | n/a | Yes (Digital service provider cannot display targeted ads to known minors and must use “commercially reasonable” efforts to prevent advertisers from targeted known minors with advertising for illegal products/services/activities) |
Enforcement
Civil Penalties | Yes | Yes** | Yes |
Cure Period | Yes | n/a | n/a |
Private Right of Action | Yes On and after March 1, 2024, $2,500 per violation or actual damages “for financial, physical, and emotional harm incurred by the person bringing the action, if the court determines that the harm is a direct consequence of the violation” | Yes $2,500 per violation or court ordered damages as well as court costs and reasonable attorney’s fees. | Yes The parent or guardian of a minor may seek a declaratory judgement or injunction |
This chart is not inclusive. Please contact the authors for additional details.
* Article 3 of the SCOPE Act also requires the Texas Education Agency to develop standards for privacy and hardware and software management, including parental consent. Article 3 applies beginning with the 2023-2024 school year.
**A knowing and willful violation also is a Class A misdemeanor.
SMSA and SMRA already are mired in controversy. On June 29th, industry group NetChoice filed a lawsuit challenging the constitutionality of Arkansas’ SMSA as “the latest attempt in a long line of government efforts to restrict new forms of expression based on concerns that they harm minors” and also arguing that SMSA (i) is pre-empted by the federal Children’s Online Privacy Protection Act (Count Three) and (i) “contravenes the Commerce Clause” by regulating “commercial and speech-related activities that occur wholly outside Arkansas” (Count Four). On July 9th, Utah’s Governor Spencer Cox acknowledged on national TV that Utah’s SMRA will likely face constitutional challenges for depriving minors of their First Amendment free speech rights while at the same time announcing his plans to file lawsuits against social media companies “to hold them accountable” for knowingly harming children.
Whether the SCOPE Act will face a direct legal challenge is unclear since Texas already is involved in a lawsuit filed by two industry groups challenging the constitutionality (on First Amendment grounds) of Texas’ social media content regulation law known as HB20.