This document includes House Floor Amendments incorporated into the bill on Wed, Feb 28, 2024 at 5:36 PM by housengrossing.
Representative Jordan D. Teuscher proposes the following substitute bill:


1     
SOCIAL MEDIA REGULATION AMENDMENTS

2     
2024 GENERAL SESSION

3     
STATE OF UTAH

4     
Chief Sponsor: Michael K. McKell

5     
House Sponsor: Jordan D. Teuscher

6     

7     LONG TITLE
8     General Description:
9          This bill enacts provisions related to age assurance and protecting minors in the Utah
10     Minor Protection in Social Media Act (Act).
11     Highlighted Provisions:
12          This bill:
13          ▸     defines terms;
14          ▸     requires social media companies to verify a new account holder's age using an
15     approved system;
16          ▸     requires a social media service to:
17               •     enable maximum default privacy settings on a Utah minor account holder's
18     account;
19               •     provide supervisory tools and verifiable parental consent mechanisms on a Utah
20     minor account holder's account; and
21               •     provide confidentiality protections for minors' data;
22          ▸     establishes the Division of Consumer Protection's enforcement powers relating to
23     the Act;
24          ▸     provides compliance safe harbors when social media companies implement
25     approved systems for age assurance and verifiable parental consent; and

26          ▸     contains a severability clause.
27     Money Appropriated in this Bill:
28          None
29     Other Special Clauses:
30          This bill provides a special effective date.
31          This bill provides a coordination clause.
32     Utah Code Sections Affected:
33     AMENDS:
34          13-2-1 (Effective 05/02/24), as last amended by Laws of Utah 2023, Chapters 31, 36,
35     377, 458, 477, 498, 509, and 536
36     ENACTS:
37          13-71-101, Utah Code Annotated 1953
38          13-71-102, Utah Code Annotated 1953
39          13-71-201, Utah Code Annotated 1953
40          13-71-202, Utah Code Annotated 1953
41          13-71-203, Utah Code Annotated 1953
42          13-71-204, Utah Code Annotated 1953
43          13-71-301, Utah Code Annotated 1953
44          13-71-302, Utah Code Annotated 1953
45          13-71-401, Utah Code Annotated 1953
46     Utah Code Sections Affected By Coordination Clause:
47          78B-3-1101, Utah Code Annotated 1953
48     

49     Be it enacted by the Legislature of the state of Utah:
50          Section 1. Section 13-2-1 (Effective 05/02/24) is amended to read:
51          13-2-1 (Effective 05/02/24). Consumer protection division established --
52     Functions.
53          (1) There is established within the Department of Commerce the Division of Consumer
54     Protection.
55          (2) The division shall administer and enforce the following:
56          (a) Chapter 10a, Music Licensing Practices Act;

57          (b) Chapter 11, Utah Consumer Sales Practices Act;
58          (c) Chapter 15, Business Opportunity Disclosure Act;
59          (d) Chapter 20, New Motor Vehicle Warranties Act;
60          (e) Chapter 21, Credit Services Organizations Act;
61          (f) Chapter 22, Charitable Solicitations Act;
62          (g) Chapter 23, Health Spa Services Protection Act;
63          (h) Chapter 25a, Telephone and Facsimile Solicitation Act;
64          (i) Chapter 26, Telephone Fraud Prevention Act;
65          (j) Chapter 28, Prize Notices Regulation Act;
66          (k) Chapter 32a, Pawnshop, Secondhand Merchandise, and Catalytic Converter
67     Transaction Information Act;
68          (l) Chapter 34, Utah Postsecondary School and State Authorization Act;
69          (m) Chapter 41, Price Controls During Emergencies Act;
70          (n) Chapter 42, Uniform Debt-Management Services Act;
71          (o) Chapter 49, Immigration Consultants Registration Act;
72          (p) Chapter 51, Transportation Network Company Registration Act;
73          (q) Chapter 52, Residential Solar Energy Disclosure Act;
74          (r) Chapter 53, Residential, Vocational and Life Skills Program Act;
75          (s) Chapter 54, Ticket Website Sales Act;
76          (t) Chapter 56, Ticket Transferability Act;
77          (u) Chapter 57, Maintenance Funding Practices Act;
78          (v) Chapter 61, Utah Consumer Privacy Act;
79          (w) Chapter 63, Utah Social Media Regulation Act;
80          (x) Chapter 64, Vehicle Value Protection Agreement Act;
81          (y) Chapter 65, Utah Commercial Email Act;
82          (z) Chapter 67, Online Dating Safety Act; [and]
83          (aa) Chapter 68, Lawyer Referral Consultants Registration Act[.]; and
84          (bb) Chapter 71, Utah Minor Protection in Social Media Act.
85          Section 2. Section 13-71-101 is enacted to read:
86     
CHAPTER 71. UTAH MINOR PROTECTION IN SOCIAL MEDIA ACT

87     
Part 1. General Provisions


88          13-71-101. Definitions.
89          (1) "Account holder" means a person who has, creates, or opens an account or profile
90     to use a social media service.
91          (2) "Age assurance system" means measures reasonably calculated to enable a social
92     media company to identify whether a current or prospective Utah account holder is a minor
93     with an accuracy rate of at least 95%.
94          (3) "Connected account" means an account on the social media service that is directly
95     connected to:
96          (a) the minor account holder's account; or
97          (b) an account that is directly connected to an account directly connected to the minor
98     account holder's account.
99          (4) "Content" means any information, visual depictions, tools, features, links, software,
100     or other materials that appear on or are available or enabled through a social media service.
101          (5) "Directly connected" means an account on the social media service that is
102     connected to another account by:
103          (a) sending a request to connect to another account holder and having the request to
104     connect accepted by the other account holder; or
105          (b) receiving a request to connect from another account holder and accepting the
106     request to connect.
107          (6) "Director" means the director of the division.
108          (7) "Division" means the Division of Consumer Protection created in Section 13-2-1.
109          (8) "Minor" means an individual under 18 years old that:
110          (a) has not been emancipated as that term is defined in Section 80-7-102; or
111          (b) has not been married.
112          (9) "Parent" includes a legal guardian.
113          (10) (a) "Personal information" means information that is linked or can be reasonably
114     linked to an identified individual or an identifiable individual.
115          (b) "Personal information" includes a person's:
116          (i) first and last name;
117          (ii) date of birth;
118          (iii) home or physical address, including street name and city;

119          (iv) screen or user name that reveals an individual's email address, first name, or last
120     name;
121          (v) telephone number;
122          (vi) Social Security number;
123          (vii) photograph, video, or audio file containing a person's image or voice;
124          (viii) geolocation information sufficient to identify street name and city; and
125          (ix) any other identifier that a person may use to contact a specific individual.
125a     Ĥ→ (11) "Push notification" means an automatic electronic message displayed on an account
125b     holder's device, when the user interface for the social media service is not actively open or
125c     visible on the device, that prompts the account holder to repeatedly check and engage with the
125d     social media service. ←Ĥ
126          Ĥ→ [
(11)] (12) ←Ĥ "Resident" means the same as that term is defined in Section 53-3-102.
127      Ĥ→ [
(12)] (13) ←Ĥ "Social media company" means an entity that owns or operates a social media
128     service.
129          Ĥ→ [
(13)] (14) ←Ĥ (a) "Social media service" means a public website or application that:
130          (i) displays content that is primarily generated by account holders and not by the social
131     media company;
132          (ii) permits an individual to register as an account holder and create a profile that is
133     made visible to the general public or a set of other users defined by the account holder;
134          (iii) connects account holders to allow users to interact socially with each other within
135     the website or application;
136          (iv) makes available to each account holder a list or lists of other account holders with
137     whom the account holder shares a connection within the system; and
138          (v) allows account holders to post content viewable by other users.
139          (b) "Social media service" does not include:
140          (i) email;
141          (ii) cloud storage; or
142          (iii) document viewing, sharing, or collaboration services.
143          Ĥ→ [
(14)] (15) ←Ĥ "User" means an individual who accesses or uses a social media service.
144          Ĥ→ [
(15)] (16) ←Ĥ (a) "Utah account holder" means a person who is a Utah resident and an
144a     account
145     holder.
146          (b) "Utah account holder" includes a Utah minor account holder.
147      Ĥ→ [
(16)] (17) ←Ĥ "Utah minor account holder" means a Utah account holder who is a minor.
148          Ĥ→ [
(17)] (18) ←Ĥ "Verifiable parental consent" means authorization from a parent for a
148a     social media
149     service to collect, use, and disclose personal information of a Utah minor account holder, that
150     complies with the following verifiability requirements:
151          (a) the social media service shall provide advance notice to the parent describing
152     information practices related to the minor account holder's personal information; and
153          (b) the social media service shall receive confirmation that the parent received the
154     notice described in Subsection (17)(a).
155          Section 3. Section 13-71-102 is enacted to read:
156          13-71-102. Legislative findings.
157          The Legislature finds that:
158          (1) the state has a compelling interest in safeguarding the well-being and privacy of
159     minors in the state;
160          (2) the proliferation of social media services has led to the widespread collection and
161     utilization of personal information, exposing minors to potential privacy and identity related
162     harms;
163          (3) the addictive design features of certain social media services contribute to excessive
164     use of a social media service by minors, impacting sleep patterns, academic performance, and
165     overall health;
166          (4) social media services are designed without sufficient tools to allow adequate
167     parental oversight, exposing minors to risks that could be mitigated with proper parental
168     involvement and control;
169          (5) the state has enacted safeguards around products and activities that pose risks to
170     minors, including regulations on motor vehicles, medications, and products and services
171     targeted to children;
172          (6) prolonged and unregulated social media use has been linked to adverse effects on
173     the mental health of minors, including increased rates of anxiety, depression, and social
174     isolation;
175          (7) existing measures employed by social media companies to protect minors have
176     proven insufficient; and
177          (8) the state should ensure that minors' personal data is given special protection, as
178     minors may have less awareness of the risks, consequences, and safeguards related to a social
179     media company's processing of minors' personal data.
180          Section 4. Section 13-71-201 is enacted to read:

181     
Part 2. General Requirements

182          13-71-201. Age assurance required.
183          (1) A social media company shall implement an age assurance system to determine
184     whether a current or prospective Utah account holder on the social media company's social
185     media service is a minor.
186          (2) A Utah account holder that the social media company identifies as a minor through
187     the use of an age assurance system is subject to the requirements in Sections 13-71-202 and
188     13-71-203.
189          (3) A social media company shall:
190          (a) implement a review process allowing account holders to appeal the account holder's
191     age designation by submitting documentary evidence to establish the account holder's age
192     range; and
193          (b) review evidence submitted by the account holder and make a determination within
194     30 days of submission of the evidence.
195          (4) A social media company shall segregate any personal information gathered
196     specifically within the age assurance system and shall not use the personal information for any
197     other purposes except for the purposes listed in Subsections 13-71-204(4)(a) through (g).
198          Section 5. Section 13-71-202 is enacted to read:
199          13-71-202. Requirements for Utah minor account holders.
200          A social media company shall, for Utah minor account holders on the social media
201     service:
202          (1) set default privacy settings to prioritize maximum privacy, including settings that:
203          (a) restrict the visibility of a Utah minor account holder's account to only connected
204     accounts;
205          (b) limit the Utah minor account holder's ability to share content to only connected
206     accounts;
207          (c) restrict any data collection and sale of data from a Utah minor account holder's
208     account that is not required for core functioning of the social media service;
209          (d) disable search engine indexing of Utah minor account holder profiles;
210          (e) restrict a Utah minor account holder's direct messaging capabilities to only allow
211     direct messaging to connected accounts; and

212          (f) allow a Utah minor account holder to download a file with all information
213     associated with the Utah minor account holder's account;
214          (2) implement and maintain reasonable security measures, including data encryption, to
215     protect the confidentiality, security, and integrity of personal information collected from a Utah
216     minor account holder;
217          (3) provide an easily accessible and understandable notice that:
218          (a) describes any information the social media company collects from a Utah minor
219     account holder; and
220          (b) explains how the information may be used or disclosed;
221          (4) upon request of a Utah minor account holder:
222          (a) delete the personal information of the Utah minor account holder, unless the
223     information is required to be retained under Section 13-61-203, or a different provision of state
224     or federal law; and
225          (b) remove any information or material the Utah minor account holder made publicly
226     available through the social media service; and
227          (5) disable the following features that prolong user engagement:
228          (a) autoplay functions that continuously play content without user interaction;
229          (b) scroll or pagination that loads additional content as long as the user continues
230     scrolling; and
231          (c) Ĥ→ [
except for direct messages from connected accounts,] ←Ĥ push notifications
231a     prompting
232     repeated user engagement.
233          Section 6. Section 13-71-203 is enacted to read:
234          13-71-203. Supervisory tools.
235          (1) A social media company shall offer supervisory tools for a Utah minor account
236     holder that the Utah minor account holder may decide to activate.
237          (2) The supervisory tools described in Subsection (1) shall include capabilities for an
238     individual selected by the Utah minor account holder to:
239          (a) set time limits for the Utah minor account holder's daily social media service usage
240     across devices;
241          (b) schedule mandatory breaks for the Utah minor account holder during selected days
242     and times across devices;

243          (c) view:
244          (i) data detailing the Utah minor account holder's total and average daily time spent on
245     the social media service across devices;
246          (ii) a list of connected accounts;
247          (iii) a list of accounts blocked by the Utah minor account holder;
248          (iv) the Utah minor account holder's:
249          (A) privacy settings;
250          (B) content sensitivity settings; and
251          (C) direct messaging settings and permissions; and
252          (d) receive notifications when the Utah minor account holder changes an account
253     setting described in this Subsection (2).
254          Section 7. Section 13-71-204 is enacted to read:
255          13-71-204. Parental consent -- Data privacy for Utah minor accounts.
256          (1) A social media company may not allow a Utah minor account holder to change the
257     default data privacy setting described in Subsection 13-71-202(1) without first obtaining
258     verifiable parental consent.
259          (2) A social media company's terms of service related to a Utah minor account holder
260     shall be presumed to include an assurance of confidentiality for the Utah minor account
261     holder's personal information.
262          (3) The presumption of confidentiality in Subsection (2) may be overcome if the social
263     media company obtains verifiable parental consent.
264          (4) The presumption of confidentiality in Subsection (2) does not apply to a social
265     media company's internal use or external sharing of a Utah minor account holder's personal
266     information if the use or sharing is necessary to:
267          (a) maintain or analyze functioning of the social media service;
268          (b) enable network communications;
269          (c) personalize the user's experience based on the user's age and location;
270          (d) display a username chosen by the Utah minor account holder;
271          (e) obtain age assurance information as required under Section 13-71-201; or
272          (f) comply with the requirements of this chapter or other federal or state laws.
273          Section 8. Section 13-71-301 is enacted to read:

274     
Part 3. Division Enforcement Powers

275          13-71-301. Enforcement powers.
276          (1) The division shall administer and enforce the provisions of Part 2, General
277     Requirements, in accordance with Chapter 2, Division of Consumer Protection.
278          (2) The attorney general, upon request, shall give legal advice to, and act as counsel
279     for, the division in the exercise of the division's responsibilities under this part.
280          (3) (a) In addition to the division's enforcement powers under Chapter 2, Division of
281     Consumer Protection:
282          (i) the division director may impose an administrative fine of up to $2,500 for each
283     violation of this chapter; and
284          (ii) the division may bring an action in court to enforce a provision of this chapter.
285          (b) In a court action by the division to enforce a provision of this chapter, the court
286     may:
287          (i) declare that the act or practice violates a provision of this chapter;
288          (ii) enjoin actions that violate this chapter;
289          (iii) order disgorgement of any money received in violation of this chapter;
290          (iv) order payment of disgorged money to an injured purchaser or consumer;
291          (v) impose a civil penalty of up to $2,500 for each violation of this chapter;
292          (vi) award actual damages to an injured purchaser or consumer; and
293          (vii) award any other relief that the court deems reasonable and necessary.
294          (c) If a court grants judgment or injunctive relief to the division, the court shall award
295     the division:
296          (i) reasonable attorney fees;
297          (ii) court costs; and
298          (iii) investigative fees.
299          (4) (a) A person who violates an administrative or court order issued for a violation of
300     this chapter is subject to a civil penalty of no more than $5,000 for each violation.
301          (b) A civil penalty authorized under this section may be imposed in any civil action
302     brought by the division, or by the attorney general on behalf of the division.
303          (5) All money received for the payment of a fine or civil penalty imposed under this
304     section shall be deposited into the Consumer Protection Education and Training Fund

305     established in Section 13-2-8.
306          Section 9. Section 13-71-302 is enacted to read:
307          13-71-302. Age assurance and verifiable parental consent safe harbor.
308          (1) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
309     division shall make rules:
310          (a) to establish processes and means by which a social media company may:
311          (i) assure whether an account holder is a minor in accordance with Section 13-71-201;
312     and
313          (ii) obtain verifiable parental consent in accordance with Section 13-71-203; and
314          (b) to establish criteria a social media company may use to determine whether the
315     social media company's age assurance system is 95% accurate.
316          (2) A social media company is not subject to an enforcement action for a violation of
317     Section 13-71-201 if the social media company implements and maintains an age assurance
318     system that complies with rules made by the division as described in Subsection (1)(a)(i).
319          (3) A social media company is considered to have obtained verifiable parental consent
320     if the social media company obtains parental consent through a mechanism that complies with
321     the rules made by the division as described in Subsection (1)(a)(ii).
322          Section 10. Section 13-71-401 is enacted to read:
323          13-71-401. Severability.
324          (1) If any provision of this chapter or the application of any provision to any person or
325     circumstance is held invalid by a final decision of a court of competent jurisdiction, the
326     remainder of this chapter shall be given effect without the invalid provision or application.
327          (2) The provisions of this chapter are severable.
328          (3) Nothing in this chapter shall displace any other available remedies or rights
329     authorized under the laws of this state or the United States.
330          Section 11. Effective date.
331          This bill takes effect on October 1, 2024.
332          Section 12. Coordinating S.B. 194 with H.B. 464.
333          If S.B. 194, Social Media Regulation Amendments, and H.B. 464, Social Media
334     Amendments, both pass and become law, the Legislature intends that, on October 1, 2024:
335          (1) Subsection 78B-3-1101(1) enacted in H.B. 464 be amended to read:

336          "(1) "Account holder" means the same as that term is defined in Section 13-71-101.";
337          (2) Subsection 78B-3-1101(4) enacted in H.B. 464 be amended to read:
338          "(4) "Content" means the same as that term is defined in Section 13-71-101.";
339          (3) Subsection 78B-3-1101(8) enacted in H.B. 464 be amended to read:
340          "(8) "Minor" means the same as that term is defined in Section 13-71-101."; and
341          (4) Subsections 78B-3-1101(12) through (16) enacted in H.B. 464 be amended to read:
342          "(12) "Social media company" means the same as that term is defined in Section
343     13-71-101.
344          (13) "Social media service" means the same as that term is defined in Section
345     13-71-101.
346          (14) "User" means the same as that term is defined in Section 13-71-101.
347          (15) "Utah account holder" means the same as that term is defined in Section
348     13-71-101.
349          (16) "Utah minor account holder" means the same as that term is defined in Section
350     13-71-101.".