On March 7, Utah repealed and replaced its Social Media Regulation Act, which had previously been challenged in a pair of lawsuits by NetChoice and the Foundation for Individual Rights and Expression.  The replacement legislation is spread across two enacted bills, SB 194 and HB 464.  SB 194 contains the bulk of the legislation’s general provisions, while HB 464 includes a private right of action for certain harms associated with a minor’s use of algorithmically curated social media. We summarize below some of the key features of the new legislation, which will go into effect on October 1, 2024.

  • Scope.  The laws apply to “social media companies,” entities that “own or operate[] a social media service.”  A “social media service” is any “public website or application” that (i) displays content “primarily generated” by account holders, (ii) permits individuals to register as account holders and create profiles visible to the public or to users specified by the account holder, (iii) “connects account holders to allow users to interact socially with each other” within the service, (iv) enables each account holder to view a list of other account holders “with whom the account holder shares a connection within the system,” and (v) allows account holders to post content viewable by others.  The definition of a social media service does not include email, cloud storage, or document viewing, sharing, or collaboration services.  The provisions described below generally apply to “Utah minor account holders,” Utah residents who are under the age of 18.
  • Age assurance and parental consent.  The Social Media Regulation Act required age verification of new and existing Utah account holders and prohibited allowing individuals under the age of 18 to hold an account without express parental consent.  Instead, SB 194 requires that social media companies implement an age assurance system to determine whether the individual is a minor.  This determination must be made using measures “reasonably calculated” to determine whether an account holder is a minor “with an accuracy rate of at least 95%,” and an account holder must be permitted to request review of the determination.  SB 194 does notrequire that individuals determined to be minors secure parental consent to create or access an account.  However, parental consent would be required before certain functionality could be used.  SB 194 also requires rulemaking to determine appropriate means of performing age assurance and securing verifiable parental consent, and social media companies that implement mechanisms that comply with such rules will benefit from safe harbor protections.
  • Default settings.  The Social Media Regulation Act established certain limitations on accounts held by minors with parental consent, some of which are also included under SB 194.  SB 194 requires default settings for minors, including restricting the visibility and searchability of a minor account holder’s account and posts, limiting collection and sale of data from a minor account holder, and restricting direct messaging by minor account holders.  A minor account holder may not modify these settings unless the social media company first obtains verifiable parental consent for them to do so.  SB 194 does not adopt some of the defaults and other requirements under the Social Media Regulation Act, including time-of-day usage restrictions and categorical prohibitions on advertising and targeted suggestions.
  • Other data handling requirements.  SB 194 requires social media companies to implement “reasonable security measures” to protect minors’ data, provide a notice describing how information from minor users is collected and used, and implement a system through which a minor user can request that their data be deleted and removed from the social media service.
  • Restrictions on user engagement.  SB 194 imposes a ban on certain features that “prolong user engagement” for minor accounts, including “autoplay functions that continuously play content without user interaction,” “scroll or pagination that loads additional content as long as the user continues scrolling,” and “push notifications prompting repeated user engagement.”
  • Supervisory tools.  The Social Media Regulation Act required social media companies to allow parents broad access to their minor children’s accounts and enable parents to set usage restrictions.  Under SB 194, social media companies are required to provide minor account holders with the option of designating an individual to supervise their account.  The designated supervisor must be able to set usage limits, schedule mandatory breaks, and view a range of information regarding usage, connected accounts, and settings.
  • Limited Disclosure.  SB 194 provides that “[a] social media company’s terms of service related to a Utah minor account holder shall be presumed to include an assurance of confidentiality for the Utah minor account holder’s personal information.”  This presumption can be overcome with “verifiable parental consent,” and does not apply to certain specified forms of internal use or external sharing, including maintaining and analyzing the service or personalizing content based on age and location.
  • Private right of action for harm to minors by algorithmically curated social media services.  The Social Media Regulation Act contained a broad private right of action for violations of the law’s requirements, as well as a special private right of action for harms suffered by minors as a consequence of using a social media platform.  There is no private right of action for violation of the general provisions of SB 194, but HB 464 provides a private right of action for certain harms related to algorithmically curated social media: “A Utah minor account holder or a Utah minor account holder’s parent may bring a cause of action against a social media company in court for an adverse mental health outcome arising, in whole or in part, from the minor’s excessive use of the social media company’s algorithmically curated social media service.”  HB 464 describes requirements, presumptions, and defenses for such a claim.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Jenna Zhang Jenna Zhang

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to…

Jenna Zhang is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity practice group. Jenna advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.

John Bowers

John Bowers is an associate in the firm’s Washington, DC office. He is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

John advises clients on a wide range of privacy and communications issues…

John Bowers is an associate in the firm’s Washington, DC office. He is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

John advises clients on a wide range of privacy and communications issues, including compliance with telecommunications regulations and U.S. state and federal privacy laws.