Key takeaway: Last week, Arkansas became the latest state to pass legislation requiring social media companies to obtain parental consent before allowing minor users to create accounts on their platforms. The new law, titled Social Media Safety Act (“SMSA”) – is effective on September 1, 2023.

Similar to Utah’s Social Media Regulation Act (“Utah SMRA”, discussed here), SAMSA defines “social media company” and “social media platform” broadly. Numerous exclusions, however, narrow the term to a definition consistent with a general understanding of those terms. Exclusions include:

  • a platform controlled by an entity with less than $100 million annual gross revenue,
  • a platform with a predominant function of email, direct messaging, streaming services, news, sports or other content not generated by users,
  • e-commerce, and
  • business to business software not accessible to the general public, research and shared document collaboration

The below chart is a quick reference guide that compares key topics under SMSA and Utah SMRA. As shown below, Utah SMRA does not provide details with respect to age verification and parental consent methods and instead relies on Utah’s Division of Consumer Protection to promulgate rules. Although shorter, SMSA provides more detail about age verification methods than Utah SMRA. Unfortunately, the SMSA does not outline what constitutes valid parental or guardian consent and does not authorize rules to be promulgated to address this gap like the Utah SMRA does.

Topic Utah SMRA AR SMSA
Effective May 3, 2023 September 1, 2023
In force March 1, 2024 September 1, 2023
Regulations forthcoming ×
Key Requirements
Verify the age of all account holders. × ×
“Minor” is under 18 years of age. × ×
Engage a third-party vendor age verification vendor that uses “reasonable” methods to verify age, which include government-issued identification or digitized identification card or ”any commercially reasonable age verification method”. ×
Prohibit retention of any “identifying information” after access is granted. ×
Confirm parental or legal guardian express consent before creating a minor’s social media account. × ×
Prevent creation of a minor’s social media account unless/until parental consent is verified. × ×
Prohibit minor account holders from accessing their accounts between the hours of 10:30pm and 6:30am (with the time zone based on IP address) unless the consenting parent/guardian changes the default setting. ×
Provide the consenting parent or guardian with a means to: access the minor’s account; view all posts the minor has made; view all responses and messages sent to, or by, the minor account holder; and change or eliminate the minor account holder’s permitted access time to use their account. ×
Enforcement
Civil Penalties × ×
Administrative Fines ×
Cure Period ×

Private Right of Action

 

 

×

On and after March 1, 2024, $2,500 per violation or actual damages “for financial, physical, and emotional harm incurred by the person bringing the action, if the court determines that the harm is a direct consequence of the violation”

×

$2,500 per violation or court ordered damages as well as court costs and reasonable attorney’s fees.

 

Criminal penalties Class A misdemeanor for knowing and willful violations
(Please note that this chart is a helpful tool, but it is not exhaustive. The authors’ contact information is linked above if you would like more detailed information.)

As both these laws come into effect, social media platform providers will need to work with counsel to harmonize the age verification and parental consent obligations. Meanwhile, Sen. Brian Schatz (D-HI) recently introduce the Protecting Kids on Social Media Act. Among other requirements, this federal law would require age-verification for social media users nation-wide with enforcements powers held by state attorneys general and the Federal Trade Commission.

The PW team will continue to monitor developments to keep you in the loop.

***

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Yesterday, Utah’s Social Media Regulation Act (“SMRA”) was signed into law by Gov. Spencer Cox.

The SMRA applies to businesses that provide a social media platform with at least five (5) million account holders worldwide. The definition of “social media platform” is broad but includes 24 exceptions that generally narrow the SMRA’s scope to a lay-person’s typical understanding of a social media platform.

It goes into effect on May 3, 2023 with numerous compliance requirements and prohibitions for social media platforms coming into force beginning March 1, 2024. Continue Reading Utah’s Social Media Regulation Act Signed by Governor

The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or targeting residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA.  Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA.  The AG may initiate an enforcement action based on the referral against a controller or process that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period.  After, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing.  The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and details summary of data protected (and not) by UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

 

As CPW has previously covered, Utah is one of several states considering enacting a comprehensive privacy bill this year.  CPW’s Kristin Bryan and Kyle Fath were recently interviewed by Bloomberg Law concerning this development.  The full article is available here.

Kyle commented that “[d]espite the bill’s similarity to the Virginia law and its number of exemptions, it still complicates the national compliance picture.  Businesses may apply more stringent standards from jurisdictions like California to consumers in other states, such as Utah, because it can be complicated and costly to comply in a piecemeal manner.”

As Kristin explained, the failure of the federal government to enact comprehensive privacy legislation means that “many states are taking privacy regulations into their own hands,” and “[t]he inclusion of a private right of action for bills is a ‘worst case scenario’ for businesses that would be regulated under such laws.”  In this instance, she commented, “[i]t does appear [the Utah legislature is] trying to strike the right balance between providing privacy protections while also limiting the exposure to businesses, as seen by lack of private right of action.”

For more on this, stay tuned.  CPW will be there to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conduct business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227, and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 Yay votes, 0 Nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and then afterwards will be delivered to the Governor, in accordance with the Utah legislative process

What’s Next

In Utah, if a chamber passes a bill with amendments, the “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign (or not sign the bill), after which the bill becomes law; or (2) veto the bill, in which case the bill does not become a law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses who (a) (i) conducts business in Utah; or produces a product or service targeted to consumers who are Utah residents; (b) has an annual revenue of $25,000,000 or more; and (c) satisfies one of more of certain enumerated thresholds (e.g., controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Drivers Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, portability, and right to opt-out of certain processing.  Consumers also have a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

What’s Next

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

It remains to be seen how the 2022 version of the Utah Consumer Privacy Act will fare in the Utah House, but CPW will be here to keep you in the loop.

In 2023, we analyzed the laws in Arkansas, Texas and Utah that require age verification and parental consent before allowing minors to create accounts on social media and other interactive platforms.  A similar law – Secure Online Child Interaction And Age Limitation (SOCIAL) Act – was passed in Louisiana, which has an in-force date of July 1, 2024.  Ohio legislators also enacted the Parental Notification by Social Media Operators Act (Ohio Act).  All of these laws have requirements that are similar to the proposed federal law titled Kids Online Safety Act” (KOSA), which we explain in a companion post).

Continue Reading Protecting Kids Online – Part II

Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, legislators in California introduced several bills focused on minors; Congress held hearings and advanced federal legislation protecting minors online; and constitutional challenges to 2023 state laws focused on minors’ social networking accounts advanced in the Courts. Congress and the Federal Trade Commission (FTC) are looking to update the Children’s Online Privacy Protection Act and corresponding Rule, as detailed in another post. However, the proposals explained in this post extend far beyond online privacy concerns, and we believe more focus on minors’ online safety is on the way.

Continue Reading Protecting Kids Online: Changes in California, Connecticut and Congress – Part I

2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review