13-71 - Utah Minor Protection in Social Media Act
Title 13 > 13-71
Sections (9)
General Provisions
13-71-101 - Definitions.
(1) “Account holder” means a person who has, creates, or opens an account or profile to use a social media service.
(2) “Age assurance system” means measures reasonably calculated to enable a social media company to identify whether a current or prospective Utah account holder is a minor with an accuracy rate of at least 95%.
(3) “Connected account” means an account on the social media service that is directly connected to:the minor account holder’s account; oran account that is directly connected to an account directly connected to the minor account holder’s account.
(4) “Content” means any information, visual depictions, tools, features, links, software, or other materials that appear on or are available or enabled through a social media service.
(5) “Directly connected” means an account on the social media service that is connected to another account by:sending a request to connect to another account holder and having the request to connect accepted by the other account holder; orreceiving a request to connect from another account holder and accepting the request to connect.
(6) “Director” means the director of the division.
(7) “Division” means the Division of Consumer Protection created in Section 13-2-1.
(8) “Minor” means an individual under 18 years old that:has not been emancipated as that term is defined in Section 80-7-102; orhas not been married.
(9) “Parent” includes a legal guardian.
(10) “Personal information” means information that is linked or can be reasonably linked to an identified individual or an identifiable individual.”Personal information” includes a person’s:first and last name;date of birth;home or physical address, including street name and city;screen or user name that reveals an individual’s email address, first name, or last name;telephone number;Social Security number;photograph, video, or audio file containing a person’s image or voice;geolocation information sufficient to identify street name and city; andany other identifier that a person may use to contact a specific individual.
(11) “Push notification” means an automatic electronic message displayed on an account holder’s device, when the user interface for the social media service is not actively open or visible on the device, that prompts the account holder to repeatedly check and engage with the social media service.
(12) “Resident” means the same as that term is defined in Section 53-3-102.
(13) “Social media company” means an entity that owns or operates a social media service.
(14) “Social media service” means a public website or application that:displays content that is primarily generated by account holders and not by the social media company;permits an individual to register as an account holder and create a profile that is made visible to the general public or a set of other users defined by the account holder;connects account holders to allow users to interact socially with each other within the website or application;makes available to each account holder a list or lists of other account holders with whom the account holder shares a connection within the system; andallows account holders to post content viewable by other users.”Social media service” does not include:email;cloud storage; ordocument viewing, sharing, or collaboration services.
(15) “User” means an individual who accesses or uses a social media service.
(16) “Utah account holder” means a person who is a Utah resident and an account holder.”Utah account holder” includes a Utah minor account holder.
(17) “Utah minor account holder” means a Utah account holder who is a minor.
(18) “Verifiable parental consent” means authorization from a parent for a social media service to collect, use, and disclose personal information of a Utah minor account holder, that complies with the following verifiability requirements:the social media service shall provide advance notice to the parent describing information practices related to the minor account holder’s personal information; andthe social media service shall receive confirmation that the parent received the notice described in Subsection (18)(a).
Enacted by Chapter 206, 2024 General Session
13-71-102 - Legislative findings.
The Legislature finds that:
(1) the state has a compelling interest in safeguarding the well-being and privacy of minors in the state;
(2) the proliferation of social media services has led to the widespread collection and utilization of personal information, exposing minors to potential privacy and identity related harms;
(3) the addictive design features of certain social media services contribute to excessive use of a social media service by minors, impacting sleep patterns, academic performance, and overall health;
(4) social media services are designed without sufficient tools to allow adequate parental oversight, exposing minors to risks that could be mitigated with proper parental involvement and control;
(5) the state has enacted safeguards around products and activities that pose risks to minors, including regulations on motor vehicles, medications, and products and services targeted to children;
(6) prolonged and unregulated social media use has been linked to adverse effects on the mental health of minors, including increased rates of anxiety, depression, and social isolation;
(7) existing measures employed by social media companies to protect minors have proven insufficient; and
(8) the state should ensure that minors’ personal data is given special protection, as minors may have less awareness of the risks, consequences, and safeguards related to a social media company’s processing of minors’ personal data.
Enacted by Chapter 206, 2024 General Session
General Requirements
13-71-201 - Age assurance required.
(1) A social media company shall implement an age assurance system to determine whether a current or prospective Utah account holder on the social media company’s social media service is a minor.
(2) A Utah account holder that the social media company identifies as a minor through the use of an age assurance system is subject to the requirements in Sections 13-71-202 and 13-71-203.
(3) A social media company shall:implement a review process allowing account holders to appeal the account holder’s age designation by submitting documentary evidence to establish the account holder’s age range; andreview evidence submitted by the account holder and make a determination within 30 days of submission of the evidence.
(4) A social media company shall segregate any personal information gathered specifically within the age assurance system and shall not use the personal information for any other purposes except for the purposes listed in Subsections 13-Ch13_71|13-71-204](a) through (f).
Enacted by Chapter 206, 2024 General Session
13-71-202 - Requirements for Utah minor account holders.
A social media company shall, for Utah minor account holders on the social media service:
(1) set default privacy settings to prioritize maximum privacy, including settings that:restrict the visibility of a Utah minor account holder’s account to only connected accounts;limit the Utah minor account holder’s ability to share content to only connected accounts;restrict any data collection and sale of data from a Utah minor account holder’s account that is not required for core functioning of the social media service;disable search engine indexing of Utah minor account holder profiles;restrict a Utah minor account holder’s direct messaging capabilities to only allow direct messaging to connected accounts; andallow a Utah minor account holder to download a file with all information associated with the Utah minor account holder’s account;
(2) implement and maintain reasonable security measures, including data encryption, to protect the confidentiality, security, and integrity of personal information collected from a Utah minor account holder;
(3) provide an easily accessible and understandable notice that:describes any information the social media company collects from a Utah minor account holder; andexplains how the information may be used or disclosed;
(4) upon request of a Utah minor account holder:delete the personal information of the Utah minor account holder, unless the information is required to be retained under Section 13-61-203, or a different provision of state or federal law; andremove any information or material the Utah minor account holder made publicly available through the social media service; and
(5) disable the following features that prolong user engagement:autoplay functions that continuously play content without user interaction;scroll or pagination that loads additional content as long as the user continues scrolling; andpush notifications prompting repeated user engagement.
Enacted by Chapter 206, 2024 General Session
13-71-203 - Supervisory tools.
(1) A social media company shall offer supervisory tools for a Utah minor account holder that the Utah minor account holder may decide to activate.
(2) The supervisory tools described in Subsection (1) shall include capabilities for an individual selected by the Utah minor account holder to:set time limits for the Utah minor account holder’s daily social media service usage across devices;schedule mandatory breaks for the Utah minor account holder during selected days and times across devices;view:data detailing the Utah minor account holder’s total and average daily time spent on the social media service across devices;a list of connected accounts;a list of accounts blocked by the Utah minor account holder;the Utah minor account holder’s:privacy settings;content sensitivity settings; anddirect messaging settings and permissions; andreceive notifications when the Utah minor account holder changes an account setting described in this Subsection (2).
Enacted by Chapter 206, 2024 General Session
13-71-204 - Parental consent — Data privacy for Utah minor accounts.
(1) A social media company may not allow a Utah minor account holder to change the default data privacy setting described in Subsection 13-Ch13_71|13-71-202] without first obtaining verifiable parental consent.
(2) A social media company’s terms of service related to a Utah minor account holder shall be presumed to include an assurance of confidentiality for the Utah minor account holder’s personal information.
(3) The presumption of confidentiality in Subsection (2) may be overcome if the social media company obtains verifiable parental consent.
(4) The presumption of confidentiality in Subsection (2) does not apply to a social media company’s internal use or external sharing of a Utah minor account holder’s personal information if the use or sharing is necessary to:maintain or analyze functioning of the social media service;enable network communications;personalize the user’s experience based on the user’s age and location;display a username chosen by the Utah minor account holder;obtain age assurance information as required under Section 13-71-201; orcomply with the requirements of this chapter or other federal or state laws.
Enacted by Chapter 206, 2024 General Session
Division Enforcement Powers
13-71-301 - Enforcement powers.
(1) The division shall administer and enforce the provisions of Part 2, General Requirements, in accordance with Chapter 2, Division of Consumer Protection.
(2) The attorney general, upon request, shall give legal advice to, and act as counsel for, the division in the exercise of the division’s responsibilities under this part.
(3) In addition to the division’s enforcement powers under Chapter 2, Division of Consumer Protection:the division director may impose an administrative fine of up to 2,500 for each violation of this chapter;award actual damages to an injured purchaser or consumer; andaward any other relief that the court deems reasonable and necessary.If a court grants judgment or injunctive relief to the division, the court shall award the division:reasonable attorney fees;court costs; andinvestigative fees.
(4) A person who violates an administrative or court order issued for a violation of this chapter is subject to a civil penalty of no more than $5,000 for each violation.A civil penalty authorized under this section may be imposed in any civil action brought by the division, or by the attorney general on behalf of the division.
(5) All money received for the payment of a fine or civil penalty imposed under this section shall be deposited into the Consumer Protection Education and Training Fund established in Section 13-2-8.
Enacted by Chapter 206, 2024 General Session
13-71-302 - Age assurance and verifiable parental consent safe harbor.
(1) In accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, the division shall make rules:to establish processes and means by which a social media company may:assure whether an account holder is a minor in accordance with Section 13-71-201; andobtain verifiable parental consent in accordance with Section 13-71-203; andto establish criteria a social media company may use to determine whether the social media company’s age assurance system is 95% accurate.
(2) A social media company is not subject to an enforcement action for a violation of Section 13-71-201 if the social media company implements and maintains an age assurance system that complies with rules made by the division as described in Subsection (1)(a)(i).
(3) A social media company is considered to have obtained verifiable parental consent if the social media company obtains parental consent through a mechanism that complies with the rules made by the division as described in Subsection (1)(a)(ii).
Enacted by Chapter 206, 2024 General Session
Severability
13-71-401 - Severability.
(1) If any provision of this chapter or the application of any provision to any person or circumstance is held invalid by a final decision of a court of competent jurisdiction, the remainder of this chapter shall be given effect without the invalid provision or application.
(2) The provisions of this chapter are severable.
(3) Nothing in this chapter shall displace any other available remedies or rights authorized under the laws of this state or the United States.
Enacted by Chapter 206, 2024 General Session