No Child’s Play: States expand child protection online (Part II)
By on Posted in Cybersecurity, Data Privacy, Social media

Last week, we discussed action taken by three states, Texas, California, and Ohio, to enhance protection of children’s data online. In this second installment, we shift our attention to address the 2023 legislative efforts of three additional states: Utah, Arkansas, and Connecticut.

Utah Social Media Regulation Act

Utah became the first state to pass laws limiting how children can use social media. On March 23, Gov. Spencer Cox (R) signed into law Senate Bill 152 and House Bill 311, enacting the Utah Social Media Regulation Act.

The USMR Act applies to “social media companies.” A “social media company” is defined as an entity providing a social media platform with at least 5 million account holders worldwide that is an “interactive computer service.” ”Interactive computer service” includes web services, web systems, websites, web applications, and web portals.

Once the USMR Act takes effect on March 1, 2024, social media companies will be required to do the following:

  • Obtain consent from a parent or legal guardian for Utah users under the age of 18.
  • Allow parents or guardians full access to their children’s social media accounts.
  • Protect minors’ accounts from unapproved direct messaging.
  • Verify the age of a Utah individual seeking to maintain or open a social media account.
  • Block minors’ accounts from search results.
  • Create a default curfew setting that blocks access to minors’ accounts during the hours of 10:30 p.m. to 6:30 a.m., which parents or guardians can adjust.

Furthermore, social media companies are not permitted to (1) collect a minor’s data, (2) target a minor’s social media account for advertising, or (3) target a minor’s social media account with addictive designs or features.

Beginning on March 1, 2024, the Division of Consumer Protection will be authorized to enforce violations of the USMR Act.

Arkansas Social Media Safety Act

On April 7, shortly after enactment of the USMR Act, Gov. Sarah Huckabee Sanders (R), signed into law Senate Bill 396, now known as the Social Media Safety Act. The SMSA does not allow Arkansas minors to have social media platform accounts without the express consent of their parents or legal guardians. As a result, similar to Texas’ Securing Children Online through Parental Empowerment Act, the Arkansas law requires social media companies to verify account holder ages, and, if the account holder is a minor, obtain the express consent of the minor’s parent or legal guardian.

For age verification, social media companies must engage a third-party vendor to perform reasonable age verification methods, which include the following:

  • A digital identification card, including a digital copy of a driver’s license.
  • A government-issued identification.
  • Any commercially reasonable age verification method.

The SMSA applies to “social media companies.” A “social media company” is defined as “an online forum that a company [which has at least $100,000,000 in annual gross revenue] makes available for an account holder to: (i) Create a public profile, establish an account, or register as a user for the primary purpose of interacting socially with  other profiles and accounts; (ii) Upload or create posts or content; (iii) View posts or content of other account  holders; and (iv) Interact with other account holders or users, including without limitation establishing mutual connections through request and acceptance.”

Social media companies that violate the SMSA may be subject to penalties of $2,500 per violation. The SMSA grants the Arkansas Attorney General the authority to initiate enforcement actions for violations of this law.

The SMSA was supposed to become effective on September 1, but federal District Court Judge Timothy L. Brooks issued a preliminary injunction on August 31 blocking the law from taking effect. The preliminary injunction was granted in relation to the NetChoice LLC v. Tim Griffin case. NetChoice LLC is a technology industry trade group whose members include TikTok, Meta, and X (formerly known as Twitter). NetChoice asserted that (1) the SMSA violated individuals’ First Amendment rights, (2) the age-verification requirements did not provide a constitutional way to address the dangers to minors online, and (3) the SMSA did not adequately define which social media companies or platforms would be subject to its regulations.

We will keep you posted on the status of this litigation.

Connecticut Act Concerning Online Privacy, Data and Safety Protections

On June 26, = Gov. Ned Lamont (D) signed into law An Act Concerning Online Privacy, Data and Safety Protections. Among its objectives, the law – known as “the CT Act” -- establishes additional requirements regarding minors’ personal data and social media accounts. As of July 1, controllers under the CT Act cannot process sensitive data concerning a known child, without processing that data in compliance with the federal Children’s Online Privacy Protection Act. In addition, the CT Act codifies the existence and prescribed duties of the Connecticut Internet Crimes Against Children Task Force. This provision took effect July 1.

Beginning July 1, 2024, the CT Act will require social media platforms to do the following:

  • Within 15 business days of receiving a request from a minor or – if the minor is under the age of 16, that minor’s parent or legal guardian – the social media platform must unpublish the minor’s social media account.
  • If a social media platform receives a request to delete a minor’s social media account, the social media platform must delete the account and halt any processing of that minor’s personal data within 45 business days unless preservation is otherwise permitted or required by applicable laws.

 “Social media platform” is defined as an internet-based service or application that

  • Is used by a Connecticut consumer,
  • Is primarily intended to allow users to socially interact within the service, and
  • Enables users to (1) construct a public or semi-public profile for using the service, (2) populate a public list of other users with whom they share a social connection, and (3) create or post content in a manner that is viewable by other users.

Violations of the CT Act violate the Connecticut Unfair Trade Practices Act but are solely enforced by the Connecticut Attorney General. The CT Act explicitly states that the private right of action and class action provisions of the Unfair Trade Practices Act do not apply to violations of the CT Act.

The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, contact us directly at cyber@constangy.com.

TAGS: Arkansas, Child Protection, Connecticut, Cyber Team, CyberMonday, Cybersecurity, Data Privacy, Data Security, Social Media, Utah
Facebook Twitter/X Linkedin Email
  • Julie Hess, smiling, wearing a blue blazer over a white top and a delicate necklace, against a plain background.
    Julie Hess
    Partner
    215.770.4164 |

    She advises clients on data privacy and cybersecurity, guiding them through GDPR, HIPAA, and state data protection laws. Julie represents companies in healthcare, financial services, and technology, helping them prepare for and ...

    More from Julie: Full Bio | Contact Author | Blog Posts

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek