On Monday, March 25, Florida Governor Ron DeSantis signed SB 3 into law. At a high level, the bill requires social media platforms to terminate the accounts of individuals under the age of 14, while seeking parental consent for accounts of those 14 or 15 years of age. The law will become effective January 1, 2025.

Key provisions are summarized below.

  • Defining Social Media Platforms. The bill applies to platforms that meet all of the following criteria: (1) they allow users to upload content or view the content or activity of other users; (2) 10% or more of their daily active users who are under 16 years of age have spent 2 hours per day or longer on the platform during the previous 12 months; (3) they employ algorithms that analyze user data or information on users to select content for display; and (4) they contain one or more addictive features.
  • Defining Addictive Features. The law explains that the following are considered addictive features: (1) infinite scroll (either content that loads continuously or that does not have an end or page break); (2) push notifications or alerts that inform a user about account activity or events; (3) interactive metrics that indicate the number of times other users have reacted to, shared, or reposted a user’s content; (4) video that begins to play without the user clicking on the video or play button; and (5) functionality that allows the user or an advertiser to broadcast live video content in real time. Note that only one feature needs to be present in order to satisfy the fourth element of the definition of “social media platform.”
  • Identifying Underage Accounts. Social media platforms are required to evaluate accounts to determine whether they belong to those who are 15 years of age and under, both by considering the age information associated with the account and the way the platform treats or categorizes the account for purposes of targeting content or advertising.
  • Accounts of Those Under the Age of 14. Accounts belonging to those determined to be under 14 years of age must be terminated, with the accountholder receiving 90 days to dispute the termination. The accountholder or their parent may also request that the account be terminated, in which case termination must occur within 5 business days, if requested by the accountholder, or 10 business days, if requested by the parent. The platform must also permanently delete all personal information relating to the terminated account, with exceptions for legal requirements.
  • Accounts of Those 14 and 15 Years of Age. Accounts belonging to those determined to be 14 or 15 years of age must also be terminated unless the accountholder’s parent provides consent. The accountholder has 90 days to dispute any termination. As above, the accountholder or parent can also request termination of the account. Notably, the law states that if a court enjoins the enforcement of this section of the law, then a different section, which calls for the termination of any accounts belonging to 14 or 15 year olds, regardless of parental consent, would come into effect.
  • Private Right of Action. Knowing or reckless violations are subject to a private right of action by the minor accountholder. Claimants may be awarded up to $10,000 in damages, plus reasonably attorneys fees and court costs.
  • Regulatory Enforcement. Knowing or reckless violation of the law is an unfair and deceptive trade practice enforceable by the state. The state may collect a civil penalty of up to $50,000 per violation and reasonable attorneys fees and court costs. Punitive damages may also be assessed for a pattern of violative conduct.
  • Age Verification. A commercial entity that knowingly and intentionally publishes or distributes material that is harmful to minors, on a website or application on which more than 33.3% of the material is harmful to minors, must perform age verification to confirm the user is over 18 years of age. News organizations are exempt from this requirement. Entities must provide options for both standard or anonymous age verification. Anonymous age verification is defined as a process that does not retain personal identifying information after it is used to verify age and keeps such information anonymous and protected from unauthorized or illegal use, access, destruction, modification, or disclosure. This provision is enforceable by the state and through a private right of action.
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Priya Leeds Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.