Keypoint: The Utah Division of Consumer Protection published proposed rules regulating social media companies under Utah’s Social Media Regulation Act.
On October 15, 2023, the Utah Division of Consumer Protection (the “Agency”) published proposed rules for Utah’s Social Media Regulation Act (“SMRA”). As required by the SMRA, the draft rules outline requirements for age verification and consent methods. These draft rules come just a month after federal district courts in California, Texas, and Arkansas enjoined children’s online laws from going into effect in those states.
In the post below, we first provide background on the SMRA. We then summarize the substantive sections of the proposed rules and, lastly, outline key takeaways.
Background on the SMRA
The SMRA went into effect on May 3, 2023, but its requirements go into effect on March 1, 2024. The SMRA applies to “social media companies” that provide a social media platform that has at least 5,000,000 account holders worldwide and is an interactive computer service. Under the Act, an “interactive computer service” includes any web service, web system, website, web application, or web portal. The Act defines a “social media platform” as an online forum that a social media company makes available for an account holder to create a profile, upload posts, view the posts of other account holders, and interact with other account holders or users. The Act provides an extensive list of online services, websites, and applications that are not considered social media platforms.
The below summary outlines the key requirements of the proposed rules:
Social media companies must use an age verification process that accurately identifies whether a current or prospective Utah account holder is a minor (under the age of 18). The Act outlines the following as acceptable forms or methods of identification: (I) validating and verifying mobile telephone subscriber information; (II) using dynamic knowledge-based authentication consistent with the method approved by the Federal Trade Commission (“FTC”) under the Children’s Online Privacy Protection Act (“COPPA”); (III) estimating a current account holder’s age based on the date a Utah account holder created the account; (IV) checking an account holder’s social security number’s last four digits against a third-party database; (V) using a digital credential; (VI) estimating an account holder’s age using facial characterization or analysis; or (VII) matching an account holder’s verified government-issued identification with a live webcam photo or video or to the person who is physically present. If a social media company identifies a Utah account holder as a minor, then the company must suspend the minor’s account until it obtains the minor’s parent or legal guardian’s consent.
Confirming Receipt of Age Verification
Within seventy-two (72) hours of receiving age verification information from a person who seeks to verify age, social media companies must provide written confirmation to the person using electronic communication in accordance with the Utah Consumer Privacy Act (“UCPA”). The written confirmation must include a description of the age verification information the social media company collected, the method the company used to verify the person’s age, the date the company received the age verification information, whether the company verified the age by using the information, and the date the company will delete the age verification information.
Social media companies must take into consideration available technology that is reasonably calculated to ensure the person providing consent is the minor’s parent or guardian by: (a) using a method that complies with COPPA or has been approved by the FTC in accordance with COPPA; and (b) obtaining a written attestation from the parent or guardian. Based on this rule, companies must use a double opt-in method for consent. Social media companies must also provide a reasonable method for parents and guardians to revoke their consent and to report if a Utah minor account holder’s account was obtained without a parent or guardian’s consent. If a company receives a request to revoke consent or a report as described above, then the company must promptly provide written confirmation to the parent or guardian that states the company received the request and describes the action taken by the company in response to the request.
Age and Identity Verification Data
Social media companies may not collect more than the least amount of data reasonably necessary to verify age and collect consent, and to comply with their obligations under the UCPA. Social media companies must meet the following requirements with regard to such age verification and consent data:
- Maintain the data in accordance with the security practices described in the UCPA;
- Not transfer the data to a third party;
- Segregate the data from all data the social media company maintains in its normal course of business;
- Delete the data by permanently and completely erasing the data as quickly as possible but no more than forty-five (45) days after: (A) completing the age verification process; (B) using the data to verify consent; (C) determining a current or prospective Utah account holder failed to meet the verification requirements; or (D) determining parental consent was denied;
- Use the data only to comply with the UCPA and the proposed rules; and
- Maintain a record describing: (A) the date the company completes the age verification process and verifies parental consent for the account (as required); (B) the type of data the company collects to verify the account holder’s age and to verify consent; and (C) the date the company deleted data it collected to comply with the proposed rules.
Social media companies may extend the forty-five (45) day deadline by up to an additional forty-five (45) days, but only one (1) time per verification, and only if the extension is reasonably necessary in accordance with the UCPA and the company complies with the requirements under the UCPA for responding to requests.
Individuals who seek to verify their account may request that their data be deleted before the verification process is completed and social media companies must comply with the request in accordance with the UCPA.
Lastly, social media companies may not store, maintain, transfer, or process outside the United States any data they collect to comply with the SMRA and the proposed rules. Any third-party agent that processes verification requirements must also maintain its principal place of business in the United States.
Next Steps and Takeaways
The Agency has set a public hearing for November 1, 2023. The public may submit written or oral comments to the Agency until February 5, 2024. Once the comment period ends, the public is no longer able to offer comments on the proposed rules unless the Agency alters the rules in a manner that requires the notice and comment process to begin again. The Agency must take at least seven (7) days following the public comment period to consider the comments it received. If the Agency does not have any changes to the draft rules, then the Agency notifies the Division of Administrative Rules of the effective date and the Division of Administrative Rules codifies and publishes the rules.
The SMRA’s requirements are set to go into effect on March 1, 2024, meaning the Agency will have less than a month to review comments to the proposed rules. As noted above, if the Agency makes substantive changes, then the process will need to commence again and companies should not anticipate the requirements under the rules being enforceable at the same time as the SMRA. Regardless, the requirements for age verification and consent methods are prescriptive under these proposed rules, and social media companies will need to take steps to comply. In addition to age verification and consent requirements, it is also important to note the strict transfer restrictions and the requirement to maintain data in the United States.