Over the past few years, states have launched various legislative efforts to expand the protection of children on social media and online generally. For example, this summer, Texas Gov. Greg Abbott (R) signed into law the Securing Children Online through Parental Empowerment Act (SCOPE Act), which goes into effect September 2024. By doing so, Texas joins a multitude of other states that have passed similar legislation, including Arkansas, California, Connecticut, Minnesota, Ohio, and Utah. In part one of this two-part series, we discuss the child data protection laws in Texas, California, and Ohio.
Texas House Bill 1181
On June 12, almost immediately after the passage of the SCOPE Act, Gov. Abbott signed into law House Bill 1181. H.B. 1181 provides that a commercial entity that “knowingly and intentionally publishes or distributes material on an Internet website, including a social media platform, more than one-third of which is sexual material harmful to minors, shall use reasonable age verification methods…to verify that an individual attempting to access the material is 18 years of age or older.” H.B. 1181 took effect on September 1.
H.B. 1181 prescribes two methods by which a commercial entity can verify an individual’s age:
- Using a commercial age verification system that verifies ages based on:
  - An individual’s government-issued ID, or
  - A commercially reasonable method relying on public or private transactional data.
- Providing digital identification, which is defined as “information stored on a digital network that may be accessed by a commercial entity and that serves as proof of the identity of an individual.”
Covered commercial entities may not retain any identifying information from the age verification process for individuals 18 years of age or older.
Civil penalties may be imposed by the Texas Attorney General against entities in violation of this law. These penalties include (1) a $10,000 fine for each day that an entity operates its website in violation of the age verification requirements; (2) a $10,000 fine per instance where the entity retains identifying information used to verify an individual’s age; and (3) an additional fine of not more than $250,000 if one or more minors access harmful sexual material as a result of an entity’s violation of this law.
California Age-Appropriate Design Code Act
Last year, California passed its own legislation relating to children’s privacy. On September 15, 2022, Gov. Gavin Newsom (D) signed the California Age-Appropriate Design Code Act into law. The Act places new obligations on covered businesses associated with their provision of online products or services that are likely to be accessed by children under 18 years of age. The Act, which was modeled after the United Kingdom’s Age-Appropriate Design Code, broadens the definition of a “child” from 13 years of age to 18, and expands the standard for determining whether a website is “likely to be accessed by children.” Relevant factors to consider are whether the service or product:
- Is directed toward children, as that is defined under the Children’s Online Privacy Protection Act.
- Is determined to routinely be accessed by a substantial number of children.
- Includes advertisements marketed to children.
- Has design elements known to interest children (such as cartoons, games, or music).
- Is substantially similar to an online service or product that is routinely accessed by a large number of children.
Once the Act takes effect on July 1, 2024, the California Attorney General will be authorized to enforce its requirements. Under the Act, any covered business that violates the Act may be subject to a fine of up to $2,500 per child affected for each negligent violation, and up to $7,500 per child affected for intentional violations. Covered businesses can be permitted a 90-day cure period if they otherwise substantially comply with the Act.
Ohio Social Media Parental Notification Act
On July 5, 2023, Ohio Gov. Mike DeWine (R) signed into law House Bill 33, which contains the Social Media Parental Notification Act. The SMPN Act applies to “operators,” which are defined as any business, entity, or person operating an online website, service, or product with users in Ohio that allows its users to do all of the following:
- Socially interact with other users within the service, product, or website.
- Populate lists of other users with whom an individual shares or can share a social connection within the service, website, or product.
- Create or post content that is viewable by others, whether on message boards, video channels, in chat rooms, in private messages or chats, or in a feed presenting users with user-generated content.
- Construct public or semipublic profiles for signing into and using the website, services, or products.
The SMPN Act goes into effect on January 15, 2024 and imposes numerous requirements on operators whose target market is children under the age of 16 or whose service is reasonably anticipated to be accessed by children. For instance, one requirement includes presenting a child’s parent or legal guardian with a list of features offered by an operator related to censoring or moderating content. Another, similar to the California and Texas statutes, requires obtaining verifiable consent. To identify whether the SMPN Act applies to a particular operator, Section C of the SMPN Act contains a number of factors that will be taken into consideration by the Attorney General.
The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at firstname.lastname@example.org.
Rebecca is a member of the Constangy Cyber Team, focusing her practice on advising clients regarding data privacy and cybersecurity matters. She leverages her business background and education in technology and privacy law to aid ...
Julie Hess is a partner in the Philadelphia office of the Constangy Cyber Team. She assists clients in responding to all types of data security incidents by conducting initial assessments of the issues and helping to facilitate the ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.