This document includes Senate 2nd Reading Floor Amendments incorporated into the bill on Tue, Feb 20, 2024 at 5:22 PM by lpoole.
1
2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill enacts provisions related to age assurance and protecting minors in the Utah
10 Minor Protection in Social Media Act (Act).
11 Highlighted Provisions:
12 This bill:
13 ▸ defines terms;
14 ▸ requires social media companies to verify a new account holder's age using an
15 approved system;
16 ▸ requires a social media service to:
17 • enable maximum default privacy settings on a Utah minor account holder's
18 account;
19 • provide supervisory tools and verifiable parental consent mechanisms on a Utah
20 minor account holder's account; and
21 • provide confidentiality protections for minors' data;
22 ▸ establishes the Division of Consumer Protection's enforcement powers relating to
23 the Act;
24 ▸ provides compliance safe harbors when social media companies implement
25 approved systems for age assurance and verifiable parental consent; and
26 ▸ contains a severability clause.
27 Money Appropriated in this Bill:
28 None
29 Other Special Clauses:
30 This bill provides a special effective date.
31 Utah Code Sections Affected:
32 AMENDS:
33 13-2-1 (Effective 05/02/24), as last amended by Laws of Utah 2023, Chapters 31, 36,
34 377, 458, 477, 498, 509, and 536
35 ENACTS:
36 13-71-101, Utah Code Annotated 1953
37 13-71-102, Utah Code Annotated 1953
38 13-71-201, Utah Code Annotated 1953
39 13-71-202, Utah Code Annotated 1953
40 13-71-203, Utah Code Annotated 1953
41 13-71-204, Utah Code Annotated 1953
42 13-71-301, Utah Code Annotated 1953
43 13-71-302, Utah Code Annotated 1953
44 13-71-401, Utah Code Annotated 1953
45
46 Be it enacted by the Legislature of the state of Utah:
47 Section 1. Section 13-2-1 (Effective 05/02/24) is amended to read:
48 13-2-1 (Effective 05/02/24). Consumer protection division established --
49 Functions.
50 (1) There is established within the Department of Commerce the Division of Consumer
51 Protection.
52 (2) The division shall administer and enforce the following:
53 (a) Chapter 10a, Music Licensing Practices Act;
54 (b) Chapter 11, Utah Consumer Sales Practices Act;
55 (c) Chapter 15, Business Opportunity Disclosure Act;
56 (d) Chapter 20, New Motor Vehicle Warranties Act;
57 (e) Chapter 21, Credit Services Organizations Act;
58 (f) Chapter 22, Charitable Solicitations Act;
59 (g) Chapter 23, Health Spa Services Protection Act;
60 (h) Chapter 25a, Telephone and Facsimile Solicitation Act;
61 (i) Chapter 26, Telephone Fraud Prevention Act;
62 (j) Chapter 28, Prize Notices Regulation Act;
63 (k) Chapter 32a, Pawnshop, Secondhand Merchandise, and Catalytic Converter
64 Transaction Information Act;
65 (l) Chapter 34, Utah Postsecondary School and State Authorization Act;
66 (m) Chapter 41, Price Controls During Emergencies Act;
67 (n) Chapter 42, Uniform Debt-Management Services Act;
68 (o) Chapter 49, Immigration Consultants Registration Act;
69 (p) Chapter 51, Transportation Network Company Registration Act;
70 (q) Chapter 52, Residential Solar Energy Disclosure Act;
71 (r) Chapter 53, Residential, Vocational and Life Skills Program Act;
72 (s) Chapter 54, Ticket Website Sales Act;
73 (t) Chapter 56, Ticket Transferability Act;
74 (u) Chapter 57, Maintenance Funding Practices Act;
75 (v) Chapter 61, Utah Consumer Privacy Act;
76 (w) Chapter 63, Utah Social Media Regulation Act;
77 (x) Chapter 64, Vehicle Value Protection Agreement Act;
78 (y) Chapter 65, Utah Commercial Email Act;
79 (z) Chapter 67, Online Dating Safety Act; [
80 (aa) Chapter 68, Lawyer Referral Consultants Registration Act[
81 (bb) Chapter 71, Utah Minor Protection in Social Media Act.
82 Section 2. Section 13-71-101 is enacted to read:
83
84
85 13-71-101. Definitions.
86 (1) "Account holder" means a person who has, creates, or opens an account or profile
87 to use a social media service.
88 (2) "Age assurance system" means measures reasonably calculated to enable a social
89 media company to identify whether a current or prospective Utah account holder is a minor
90 with an accuracy rate of at least 95%.
91 (3) "Connected account" means an account on the social media service that is directly
92 connected to:
93 (a) the minor account holder's account; or
94 (b) an account that is directly connected to an account directly connected to the minor
95 account holder's account.
96 (4) "Content" means any information, visual depictions, tools, features, links, software,
97 or other materials that appear on or are available or enabled through a social media service.
98 (5) "Directly connected" means an account on the social media service that is
99 connected to another account by:
100 (a) sending a request to connect to another account holder and having the request to
101 connect accepted by the other account holder; or
102 (b) receiving a request to connect from another account holder and accepting the
103 request to connect.
104 (6) "Director" means the director of the division.
105 (7) "Division" means the Division of Consumer Protection created in Section 13-2-1.
106 (8) "Minor" means an individual under 18 years old that:
107 (a) has not been emancipated as that term is defined in Section 80-7-102; or
108 (b) has not been married.
109 (9) "Parent" includes a legal guardian.
110 (10) (a) "Personal information" means information that is linked or can be reasonably
111 linked to an identified individual or an identifiable individual.
112 (b) "Personal information" includes a person's:
113 (i) first and last name;
114 (ii) date of birth;
115 (iii) home or physical address, including street name and city;
116 (iv) screen or user name that reveals an individual's email address, first name, or last
117 name;
118 (v) telephone number;
119 (vi) Social Security number;
120 (vii) photograph, video, or audio file containing a person's image or voice;
121 (viii) geolocation information sufficient to identify street name and city; and
122 (ix) any other identifier that a person may use to contact a specific individual.
123 (11) "Resident" means the same as that term is defined in Section 53-3-102.
124 (12) "Social media company" means an entity that owns or operates a social media
125 service.
126 (13) (a) "Social media service" means a Ŝ→ public ←Ŝ website or application that Ŝ→
126a includes as substantial functions ←Ŝ :
127 (i) Ŝ→ [
127a primarily ←Ŝ user-generated and not
128 produced by the social media company;
129 (ii) Ŝ→ [
129a account, or
130 create a profile that is made visible to the general public or a set of other users defined by the
131 account holder Ŝ→ [
132 user-generated content through such an account or profile
133 (iii) Ŝ→ [
134 generated by other account holders
134a the website or application ←Ŝ ; and
135 (iv) Ŝ→ [
136 with account holders
137 (b) "Social media service" does not include:
138 (i) email;
139 (ii) cloud storage; or
140 (iii) document viewing, sharing, or collaboration services.
141 (14) "User" means an individual who accesses or uses a social media service.
142 (15) (a) "Utah account holder" means a person who is a Utah resident and an account
143 holder.
144 (b) "Utah account holder" includes a Utah minor account holder.
145 (16) "Utah minor account holder" means a Utah account holder who is a minor.
146 (17) "Verifiable parental consent" means authorization from a parent for a social media
147 service to collect, use, and disclose personal information of a Utah minor account holder, that
148 complies with the following verifiability requirements:
149 (a) the social media service shall provide advance notice to the parent describing
150 information practices related to the minor account holder's personal information; and
151 (b) the social media service shall receive confirmation that the parent received the
152 notice described in Subsection (17)(a).
153 Section 3. Section 13-71-102 is enacted to read:
154 13-71-102. Legislative findings.
155 The Legislature finds that:
156 (1) the state has a compelling interest in safeguarding the well-being and privacy of
157 minors in the state;
158 (2) the proliferation of social media services has led to the widespread collection and
159 utilization of personal information, exposing minors to potential privacy and identity related
160 harms;
161 (3) the addictive design features of certain social media services contribute to excessive
162 use of a social media service by minors, impacting sleep patterns, academic performance, and
163 overall health;
164 (4) social media services are designed without sufficient tools to allow adequate
165 parental oversight, exposing minors to risks that could be mitigated with proper parental
166 involvement and control;
167 (5) the state has enacted safeguards around products and activities that pose risks to
168 minors, including regulations on motor vehicles, medications, and products and services
169 targeted to children;
170 (6) prolonged and unregulated social media use has been linked to adverse effects on
171 the mental health of minors, including increased rates of anxiety, depression, and social
172 isolation;
173 (7) existing measures employed by social media companies to protect minors have
174 proven insufficient; and
175 (8) the state should ensure that minors' personal data is given special protection, as
176 minors may have less awareness of the risks, consequences, and safeguards related to a social
177 media company's processing of minors' personal data.
178 Section 4. Section 13-71-201 is enacted to read:
179
180 13-71-201. Age assurance required.
181 (1) A social media company shall implement an age assurance system to determine
182 whether a current or prospective Utah account holder on the social media company's social
183 media service is a minor.
184 (2) A Utah account holder that the social media company identifies as a minor through
185 the use of an age assurance system is subject to the requirements in Sections 13-71-202 and
186 13-71-203.
187 (3) A social media company shall:
188 (a) implement a review process allowing account holders to appeal the account holder's
189 age designation by submitting documentary evidence to establish the account holder's age
190 range; and
191 (b) review evidence submitted by the account holder and make a determination within
192 30 days of submission of the evidence.
193 (4) A social media company shall segregate any personal information gathered
194 specifically within the age assurance system and shall not use the personal information for any
195 other purposes except for the purposes listed in Subsections 13-71-204(4)(a) through (g).
196 Section 5. Section 13-71-202 is enacted to read:
197 13-71-202. Requirements for Utah minor account holders.
198 A social media company shall, for Utah minor account holders on the social media
199 service:
200 (1) set default privacy settings to prioritize maximum privacy, including settings that:
201 (a) restrict the visibility of a Utah minor account holder's account to only connected
202 accounts;
203 (b) limit the Utah minor account holder's ability to share content to only connected
204 accounts;
205 (c) restrict any data collection and sale of data from a Utah minor account holder's
206 account that is not required for core functioning of the social media service;
207 (d) disable search engine indexing of Utah minor account holder profiles;
208 (e) restrict a Utah minor account holder's direct messaging capabilities to only allow
209 direct messaging to connected accounts; and
210 (f) allow a Utah minor account holder to download a file with all information
211 associated with the Utah minor account holder's account;
212 (2) implement and maintain reasonable security measures, including data encryption, to
213 protect the confidentiality, security, and integrity of personal information collected from a Utah
214 minor account holder;
215 (3) provide an easily accessible and understandable notice that:
216 (a) describes any information the social media company collects from a Utah minor
217 account holder; and
218 (b) explains how the information may be used or disclosed;
219 (4) upon request of a Utah minor account holder:
220 (a) delete the personal information of the Utah minor account holder, unless the
221 information is required to be retained under Section 13-61-203, or a different provision of state
222 or federal law; and
223 (b) remove any information or material the Utah minor account holder made publicly
224 available through the social media service; and
225 (5) disable the following features that prolong user engagement:
226 (a) autoplay functions that continuously play content without user interaction;
227 (b) scroll or pagination that loads additional content as long as the user continues
228 scrolling; and
229 (c) except for direct messages from connected accounts, push notifications prompting
230 repeated user engagement.
231 Section 6. Section 13-71-203 is enacted to read:
232 13-71-203. Supervisory tools.
233 (1) A social media company shall offer supervisory tools for a Utah minor account
234 holder that the Utah minor account holder may decide to activate.
235 (2) The supervisory tools described in Subsection (1) shall include capabilities for an
236 individual selected by the Utah minor account holder to:
237 (a) set time limits for the Utah minor account holder's daily social media service usage
238 across devices;
239 (b) schedule mandatory breaks for the Utah minor account holder during selected days
240 and times across devices;
241 (c) view:
242 (i) data detailing the Utah minor account holder's total and average daily time spent on
243 the social media service across devices;
244 (ii) a list of connected accounts;
245 (iii) a list of accounts blocked by the Utah minor account holder;
246 (iv) the Utah minor account holder's:
247 (A) privacy settings;
248 (B) content sensitivity settings; and
249 (C) direct messaging settings and permissions; and
250 (d) receive notifications when the Utah minor account holder changes an account
251 setting described in this Subsection (2).
252 Section 7. Section 13-71-204 is enacted to read:
253 13-71-204. Parental consent -- Data privacy for Utah minor accounts.
254 (1) A social media company may not allow a Utah minor account holder to change the
255 default data privacy setting described in Subsection 13-71-202(1) without first obtaining
256 verifiable parental consent.
257 (2) A social media company's terms of service related to a Utah minor account holder
258 shall be presumed to include an assurance of confidentiality for the Utah minor account
259 holder's personal information.
260 (3) The presumption of confidentiality in Subsection (2) may be overcome if the social
261 media company obtains verifiable parental consent.
262 (4) The presumption of confidentiality in Subsection (2) does not apply to a social
263 media company's internal use or external sharing of a Utah minor account holder's personal
264 information if the use or sharing is necessary to:
265 (a) maintain or analyze functioning of the social media service;
266 (b) enable network communications;
267 (c) personalize the user's experience based on the user's age and location;
268 (d) display a username chosen by the Utah minor account holder;
269 (e) obtain age assurance information as required under Section 13-71-201; or
270 (f) comply with the requirements of this chapter or other federal or state laws.
271 Section 8. Section 13-71-301 is enacted to read:
272
273 13-71-301. Enforcement powers.
274 (1) The division shall administer and enforce the provisions of Part 2, General
275 Requirements, in accordance with Chapter 2, Division of Consumer Protection.
276 (2) The attorney general, upon request, shall give legal advice to, and act as counsel
277 for, the division in the exercise of the division's responsibilities under this part.
278 (3) (a) In addition to the division's enforcement powers under Chapter 2, Division of
279 Consumer Protection:
280 (i) the division director may impose an administrative fine of up to $2,500 for each
281 violation of this chapter; and
282 (ii) the division may bring an action in court to enforce a provision of this chapter.
283 (b) In a court action by the division to enforce a provision of this chapter, the court
284 may:
285 (i) declare that the act or practice violates a provision of this chapter;
286 (ii) enjoin actions that violate this chapter;
287 (iii) order disgorgement of any money received in violation of this chapter;
288 (iv) order payment of disgorged money to an injured purchaser or consumer;
289 (v) impose a civil penalty of up to $2,500 for each violation of this chapter;
290 (vi) award actual damages to an injured purchaser or consumer; and
291 (vii) award any other relief that the court deems reasonable and necessary.
292 (c) If a court grants judgment or injunctive relief to the division, the court shall award
293 the division:
294 (i) reasonable attorney fees;
295 (ii) court costs; and
296 (iii) investigative fees.
297 (4) (a) A person who violates an administrative or court order issued for a violation of
298 this chapter is subject to a civil penalty of no more than $5,000 for each violation.
299 (b) A civil penalty authorized under this section may be imposed in any civil action
300 brought by the division, or by the attorney general on behalf of the division.
301 (5) All money received for the payment of a fine or civil penalty imposed under this
302 section shall be deposited into the Consumer Protection Education and Training Fund
303 established in Section 13-2-8.
304 Section 9. Section 13-71-302 is enacted to read:
305 13-71-302. Age assurance and verifiable parental consent safe harbor.
306 (1) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
307 division shall make rules:
308 (a) to establish processes and means by which a social media company may:
309 (i) assure whether an account holder is a minor in accordance with Section 13-71-201;
310 and
311 (ii) obtain verifiable parental consent in accordance with Section 13-71-203; and
312 (b) to establish criteria a social media company may use to determine whether the
313 social media company's age assurance system is 95% accurate.
314 (2) A social media company is not subject to an enforcement action for a violation of
315 Section 13-71-201 if the social media company implements and maintains an age assurance
316 system that complies with rules made by the division as described in Subsection (1)(a)(i).
317 (3) A social media company is considered to have obtained verifiable parental consent
318 if the social media company obtains parental consent through a mechanism that complies with
319 the rules made by the division as described in Subsection (1)(a)(ii).
320 Section 10. Section 13-71-401 is enacted to read:
321 13-71-401. Severability.
322 (1) If any provision of this chapter or the application of any provision to any person or
323 circumstance is held invalid by a final decision of a court of competent jurisdiction, the
324 remainder of this chapter shall be given effect without the invalid provision or application.
325 (2) The provisions of this chapter are severable.
326 (3) Nothing in this chapter shall displace any other available remedies or rights
327 authorized under the laws of this state or the United States.
328 Section 11. Effective date.
329 This bill takes effect on October 1, 2024.