Senator Michael K. McKell proposes the following substitute bill:


1     
SOCIAL MEDIA REGULATION AMENDMENTS

2     
2024 GENERAL SESSION

3     
STATE OF UTAH

4     
Chief Sponsor: Michael K. McKell

5     
House Sponsor: Jordan D. Teuscher

6     

7     LONG TITLE
8     General Description:
9          This bill enacts provisions related to age assurance and protecting minors in the Utah
10     Minor Protection in Social Media Act (Act).
11     Highlighted Provisions:
12          This bill:
13          ▸     defines terms;
14          ▸     requires social media companies to verify a new account holder's age using an
15     approved system;
16          ▸     requires a social media service to:
17               •     enable maximum default privacy settings on a Utah minor account holder's
18     account;
19               •     provide supervisory tools and verifiable parental consent mechanisms on a Utah
20     minor account holder's account; and
21               •     provide confidentiality protections for minors' data;
22          ▸     establishes the Division of Consumer Protection's enforcement powers relating to
23     the Act;
24          ▸     provides compliance safe harbors when social media companies implement
25     approved systems for age assurance and verifiable parental consent; and

26          ▸     contains a severability clause.
27     Money Appropriated in this Bill:
28          None
29     Other Special Clauses:
30          This bill provides a special effective date.
31     Utah Code Sections Affected:
32     AMENDS:
33          13-2-1 (Effective 05/02/24), as last amended by Laws of Utah 2023, Chapters 31, 36,
34     377, 458, 477, 498, 509, and 536
35     ENACTS:
36          13-71-101, Utah Code Annotated 1953
37          13-71-102, Utah Code Annotated 1953
38          13-71-201, Utah Code Annotated 1953
39          13-71-202, Utah Code Annotated 1953
40          13-71-203, Utah Code Annotated 1953
41          13-71-204, Utah Code Annotated 1953
42          13-71-301, Utah Code Annotated 1953
43          13-71-302, Utah Code Annotated 1953
44          13-71-401, Utah Code Annotated 1953
45     

46     Be it enacted by the Legislature of the state of Utah:
47          Section 1. Section 13-2-1 (Effective 05/02/24) is amended to read:
48          13-2-1 (Effective 05/02/24). Consumer protection division established --
49     Functions.
50          (1) There is established within the Department of Commerce the Division of Consumer
51     Protection.
52          (2) The division shall administer and enforce the following:
53          (a) Chapter 10a, Music Licensing Practices Act;
54          (b) Chapter 11, Utah Consumer Sales Practices Act;
55          (c) Chapter 15, Business Opportunity Disclosure Act;
56          (d) Chapter 20, New Motor Vehicle Warranties Act;

57          (e) Chapter 21, Credit Services Organizations Act;
58          (f) Chapter 22, Charitable Solicitations Act;
59          (g) Chapter 23, Health Spa Services Protection Act;
60          (h) Chapter 25a, Telephone and Facsimile Solicitation Act;
61          (i) Chapter 26, Telephone Fraud Prevention Act;
62          (j) Chapter 28, Prize Notices Regulation Act;
63          (k) Chapter 32a, Pawnshop, Secondhand Merchandise, and Catalytic Converter
64     Transaction Information Act;
65          (l) Chapter 34, Utah Postsecondary School and State Authorization Act;
66          (m) Chapter 41, Price Controls During Emergencies Act;
67          (n) Chapter 42, Uniform Debt-Management Services Act;
68          (o) Chapter 49, Immigration Consultants Registration Act;
69          (p) Chapter 51, Transportation Network Company Registration Act;
70          (q) Chapter 52, Residential Solar Energy Disclosure Act;
71          (r) Chapter 53, Residential, Vocational and Life Skills Program Act;
72          (s) Chapter 54, Ticket Website Sales Act;
73          (t) Chapter 56, Ticket Transferability Act;
74          (u) Chapter 57, Maintenance Funding Practices Act;
75          (v) Chapter 61, Utah Consumer Privacy Act;
76          (w) Chapter 63, Utah Social Media Regulation Act;
77          (x) Chapter 64, Vehicle Value Protection Agreement Act;
78          (y) Chapter 65, Utah Commercial Email Act;
79          (z) Chapter 67, Online Dating Safety Act; [and]
80          (aa) Chapter 68, Lawyer Referral Consultants Registration Act[.]; and
81          (bb) Chapter 71, Utah Minor Protection in Social Media Act.
82          Section 2. Section 13-71-101 is enacted to read:
83     
CHAPTER 71. UTAH MINOR PROTECTION IN SOCIAL MEDIA ACT

84     
Part 1. General Provisions

85          13-71-101. Definitions.
86          (1) "Account holder" means a person who has, creates, or opens an account or profile
87     to use a social media service.

88          (2) "Age assurance system" means measures reasonably calculated to enable a social
89     media company to identify whether a current or prospective Utah account holder is a minor
90     with an accuracy rate of at least 95%.
91          (3) "Connected account" means an account on the social media service that is directly
92     connected to:
93          (a) the minor account holder's account; or
94          (b) an account that is directly connected to an account directly connected to the minor
95     account holder's account.
96          (4) "Content" means any information, visual depictions, tools, features, links, software,
97     or other materials that appear on or are available or enabled through a social media service.
98          (5) "Directly connected" means an account on the social media service that is
99     connected to another account by:
100          (a) sending a request to connect to another account holder and having the request to
101     connect accepted by the other account holder; or
102          (b) receiving a request to connect from another account holder and accepting the
103     request to connect.
104          (6) "Director" means the director of the division.
105          (7) "Division" means the Division of Consumer Protection created in Section 13-2-1.
106          (8) "Minor" means an individual under 18 years old that:
107          (a) has not been emancipated as that term is defined in Section 80-7-102; or
108          (b) has not been married.
109          (9) "Parent" includes a legal guardian.
110          (10) (a) "Personal information" means information that is linked or can be reasonably
111     linked to an identified individual or an identifiable individual.
112          (b) "Personal information" includes a person's:
113          (i) first and last name;
114          (ii) date of birth;
115          (iii) home or physical address, including street name and city;
116          (iv) screen or user name that reveals an individual's email address, first name, or last
117     name;
118          (v) telephone number;

119          (vi) Social Security number;
120          (vii) photograph, video, or audio file containing a person's image or voice;
121          (viii) geolocation information sufficient to identify street name and city; and
122          (ix) any other identifier that a person may use to contact a specific individual.
123          (11) "Resident" means the same as that term is defined in Section 53-3-102.
124          (12) "Social media company" means an entity that owns or operates a social media
125     service.
126          (13) (a) "Social media service" means a website or application that:
127          (i) is open to the public and consists primarily of content that is user-generated and not
128     produced by the social media company;
129          (ii) permits an individual to register as an account holder, establish an account, or
130     create a profile that is made visible to the general public or a set of other users defined by the
131     account holder for the primary purpose of allowing account holders to create, share, and view
132     user-generated content through such an account or profile;
133          (iii) primarily allows account holders to post content and interact with content
134     generated by other account holders; and
135          (iv) enables account holders to create online communities or groups and communicate
136     with account holders.
137          (b) "Social media service" does not include:
138          (i) email;
139          (ii) cloud storage; or
140          (iii) document viewing, sharing, or collaboration services.
141          (14) "User" means an individual who accesses or uses a social media service.
142          (15) (a) "Utah account holder" means a person who is a Utah resident and an account
143     holder.
144          (b) "Utah account holder" includes a Utah minor account holder.
145          (16) "Utah minor account holder" means a Utah account holder who is a minor.
146          (17) "Verifiable parental consent" means authorization from a parent for a social media
147     service to collect, use, and disclose personal information of a Utah minor account holder, that
148     complies with the following verifiability requirements:
149          (a) the social media service shall provide advance notice to the parent describing

150     information practices related to the minor account holder's personal information; and
151          (b) the social media service shall receive confirmation that the parent received the
152     notice described in Subsection (17)(a).
153          Section 3. Section 13-71-102 is enacted to read:
154          13-71-102. Legislative findings.
155          The Legislature finds that:
156          (1) the state has a compelling interest in safeguarding the well-being and privacy of
157     minors in the state;
158          (2) the proliferation of social media services has led to the widespread collection and
159     utilization of personal information, exposing minors to potential privacy and identity related
160     harms;
161          (3) the addictive design features of certain social media services contribute to excessive
162     use of a social media service by minors, impacting sleep patterns, academic performance, and
163     overall health;
164          (4) social media services are designed without sufficient tools to allow adequate
165     parental oversight, exposing minors to risks that could be mitigated with proper parental
166     involvement and control;
167          (5) the state has enacted safeguards around products and activities that pose risks to
168     minors, including regulations on motor vehicles, medications, and products and services
169     targeted to children;
170          (6) prolonged and unregulated social media use has been linked to adverse effects on
171     the mental health of minors, including increased rates of anxiety, depression, and social
172     isolation;
173          (7) existing measures employed by social media companies to protect minors have
174     proven insufficient; and
175          (8) the state should ensure that minors' personal data is given special protection, as
176     minors may have less awareness of the risks, consequences, and safeguards related to a social
177     media company's processing of minors' personal data.
178          Section 4. Section 13-71-201 is enacted to read:
179     
Part 2. General Requirements

180          13-71-201. Age assurance required.

181          (1) A social media company shall implement an age assurance system to determine
182     whether a current or prospective Utah account holder on the social media company's social
183     media service is a minor.
184          (2) A Utah account holder that the social media company identifies as a minor through
185     the use of an age assurance system is subject to the requirements in Sections 13-71-202 and
186     13-71-203.
187          (3) A social media company shall:
188          (a) implement a review process allowing account holders to appeal the account holder's
189     age designation by submitting documentary evidence to establish the account holder's age
190     range; and
191          (b) review evidence submitted by the account holder and make a determination within
192     30 days of submission of the evidence.
193          (4) A social media company shall segregate any personal information gathered
194     specifically within the age assurance system and shall not use the personal information for any
195     other purposes except for the purposes listed in Subsections 13-71-204(4)(a) through (g).
196          Section 5. Section 13-71-202 is enacted to read:
197          13-71-202. Requirements for Utah minor account holders.
198          A social media company shall, for Utah minor account holders on the social media
199     service:
200          (1) set default privacy settings to prioritize maximum privacy, including settings that:
201          (a) restrict the visibility of a Utah minor account holder's account to only connected
202     accounts;
203          (b) limit the Utah minor account holder's ability to share content to only connected
204     accounts;
205          (c) restrict any data collection and sale of data from a Utah minor account holder's
206     account that is not required for core functioning of the social media service;
207          (d) disable search engine indexing of Utah minor account holder profiles;
208          (e) restrict a Utah minor account holder's direct messaging capabilities to only allow
209     direct messaging to connected accounts; and
210          (f) allow a Utah minor account holder to download a file with all information
211     associated with the Utah minor account holder's account;

212          (2) implement and maintain reasonable security measures, including data encryption, to
213     protect the confidentiality, security, and integrity of personal information collected from a Utah
214     minor account holder;
215          (3) provide an easily accessible and understandable notice that:
216          (a) describes any information the social media company collects from a Utah minor
217     account holder; and
218          (b) explains how the information may be used or disclosed;
219          (4) upon request of a Utah minor account holder:
220          (a) delete the personal information of the Utah minor account holder, unless the
221     information is required to be retained under Section 13-61-203, or a different provision of state
222     or federal law; and
223          (b) remove any information or material the Utah minor account holder made publicly
224     available through the social media service; and
225          (5) disable the following features that prolong user engagement:
226          (a) autoplay functions that continuously play content without user interaction;
227          (b) scroll or pagination that loads additional content as long as the user continues
228     scrolling; and
229          (c) except for direct messages from connected accounts, push notifications prompting
230     repeated user engagement.
231          Section 6. Section 13-71-203 is enacted to read:
232          13-71-203. Supervisory tools.
233          (1) A social media company shall offer supervisory tools for a Utah minor account
234     holder that the Utah minor account holder may decide to activate.
235          (2) The supervisory tools described in Subsection (1) shall include capabilities for an
236     individual selected by the Utah minor account holder to:
237          (a) set time limits for the Utah minor account holder's daily social media service usage
238     across devices;
239          (b) schedule mandatory breaks for the Utah minor account holder during selected days
240     and times across devices;
241          (c) view:
242          (i) data detailing the Utah minor account holder's total and average daily time spent on

243     the social media service across devices;
244          (ii) a list of connected accounts;
245          (iii) a list of accounts blocked by the Utah minor account holder;
246          (iv) the Utah minor account holder's:
247          (A) privacy settings;
248          (B) content sensitivity settings; and
249          (C) direct messaging settings and permissions; and
250          (d) receive notifications when the Utah minor account holder changes an account
251     setting described in this Subsection (2).
252          Section 7. Section 13-71-204 is enacted to read:
253          13-71-204. Parental consent -- Data privacy for Utah minor accounts.
254          (1) A social media company may not allow a Utah minor account holder to change the
255     default data privacy setting described in Subsection 13-71-202(1) without first obtaining
256     verifiable parental consent.
257          (2) A social media company's terms of service related to a Utah minor account holder
258     shall be presumed to include an assurance of confidentiality for the Utah minor account
259     holder's personal information.
260          (3) The presumption of confidentiality in Subsection (2) may be overcome if the social
261     media company obtains verifiable parental consent.
262          (4) The presumption of confidentiality in Subsection (2) does not apply to a social
263     media company's internal use or external sharing of a Utah minor account holder's personal
264     information if the use or sharing is necessary to:
265          (a) maintain or analyze functioning of the social media service;
266          (b) enable network communications;
267          (c) personalize the user's experience based on the user's age and location;
268          (d) display a username chosen by the Utah minor account holder;
269          (e) obtain age assurance information as required under Section 13-71-201; or
270          (f) comply with the requirements of this chapter or other federal or state laws.
271          Section 8. Section 13-71-301 is enacted to read:
272     
Part 3. Division Enforcement Powers

273          13-71-301. Enforcement powers.

274          (1) The division shall administer and enforce the provisions of Part 2, General
275     Requirements, in accordance with Chapter 2, Division of Consumer Protection.
276          (2) The attorney general, upon request, shall give legal advice to, and act as counsel
277     for, the division in the exercise of the division's responsibilities under this part.
278          (3) (a) In addition to the division's enforcement powers under Chapter 2, Division of
279     Consumer Protection:
280          (i) the division director may impose an administrative fine of up to $2,500 for each
281     violation of this chapter; and
282          (ii) the division may bring an action in court to enforce a provision of this chapter.
283          (b) In a court action by the division to enforce a provision of this chapter, the court
284     may:
285          (i) declare that the act or practice violates a provision of this chapter;
286          (ii) enjoin actions that violate this chapter;
287          (iii) order disgorgement of any money received in violation of this chapter;
288          (iv) order payment of disgorged money to an injured purchaser or consumer;
289          (v) impose a civil penalty of up to $2,500 for each violation of this chapter;
290          (vi) award actual damages to an injured purchaser or consumer; and
291          (vii) award any other relief that the court deems reasonable and necessary.
292          (c) If a court grants judgment or injunctive relief to the division, the court shall award
293     the division:
294          (i) reasonable attorney fees;
295          (ii) court costs; and
296          (iii) investigative fees.
297          (4) (a) A person who violates an administrative or court order issued for a violation of
298     this chapter is subject to a civil penalty of no more than $5,000 for each violation.
299          (b) A civil penalty authorized under this section may be imposed in any civil action
300     brought by the division, or by the attorney general on behalf of the division.
301          (5) All money received for the payment of a fine or civil penalty imposed under this
302     section shall be deposited into the Consumer Protection Education and Training Fund
303     established in Section 13-2-8.
304          Section 9. Section 13-71-302 is enacted to read:

305          13-71-302. Age assurance and verifiable parental consent safe harbor.
306          (1) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the
307     division shall make rules:
308          (a) to establish processes and means by which a social media company may:
309          (i) assure whether an account holder is a minor in accordance with Section 13-71-201;
310     and
311          (ii) obtain verifiable parental consent in accordance with Section 13-71-203; and
312          (b) to establish criteria a social media company may use to determine whether the
313     social media company's age assurance system is 95% accurate.
314          (2) A social media company is not subject to an enforcement action for a violation of
315     Section 13-71-201 if the social media company implements and maintains an age assurance
316     system that complies with rules made by the division as described in Subsection (1)(a)(i).
317          (3) A social media company is considered to have obtained verifiable parental consent
318     if the social media company obtains parental consent through a mechanism that complies with
319     the rules made by the division as described in Subsection (1)(a)(ii).
320          Section 10. Section 13-71-401 is enacted to read:
321          13-71-401. Severability.
322          (1) If any provision of this chapter or the application of any provision to any person or
323     circumstance is held invalid by a final decision of a court of competent jurisdiction, the
324     remainder of this chapter shall be given effect without the invalid provision or application.
325          (2) The provisions of this chapter are severable.
326          (3) Nothing in this chapter shall displace any other available remedies or rights
327     authorized under the laws of this state or the United States.
328          Section 11. Effective date.
329          This bill takes effect on October 1, 2024.