Communications Litigation Today was a Warren News publication.
'Not Your Job to Be Parents'

Utah Social Media Proposed Rules Elicit Privacy, Constitutional Concerns

The Utah Commerce Department received backlash from the communications industry and other groups about age-verification methods proposed in rules for implementing the 2023 Utah Social Media Regulation Act. The department’s Consumer Protection Division last week sent us written comments received by its Feb. 5 deadline on October's proposed rules.

The vast majority of comments by Utah residents opposed the proposed rules. Many of them listed privacy concerns related to sharing sensitive information with social media companies. They noted excessive government intervention, saying parents should monitor their children. Some residents worry the proposed rules would lead social media companies to block services in Utah.

The division is hammering out implementation of rules while the underlying statute faces a lawsuit from NetChoice and the Foundation for Individual Rights and Expression (see 2401230001). The groups seek a preliminary injunction halting the law, although on Jan. 19, Gov. Spencer Cox (R) signed a bill delaying the SMRA’s effective date by seven months to Oct. 1 this year. The division held a hearing on its proposed rules in November (see 2311010046).

CTIA urged the division to delete "validating and verifying mobile telephone subscriber information" from a list of acceptable methods to confirm ages. No such mechanism exists in the U.S., the wireless industry association said. “Including this language will set inaccurate expectations that would lead to confusion. Mobile telephone subscriber information will not be able to validate and verify the identification contemplated by the Proposed Rule. Mobile carriers are not situated to reliably validate or verify identity, age, or familial relationship.” The FCC regulates wireless carriers, and they are "subject to federal law and regulations that dictate the ways in which certain mobile subscriber information can and cannot be used and shared,” CTIA added. “We are concerned about conflicts” with “this established federal regulatory framework, leading to confusion and regulatory uncertainty."

The division's suggested age-verification methods “undermine the safety and privacy of their users, and conflict with data minimization principles,” the Computer and Communications Industry Association commented. "CCIA is concerned with the mandate for businesses to proactively scan and collect age verification data, which would paradoxically force companies to collect a higher volume of data on users." In addition, it would be difficult to confirm someone is a minor’s parent or legal guardian, CCIA said. Meanwhile, requiring companies to delete collected data “would leave businesses without a means to document their compliance.”

The Utah division should clarify when it's OK to use age estimation rather than verification to comply, said Future of Privacy Forum, a nonprofit that includes Amazon, Apple, CTIA, Google and other tech companies as corporate members. Whereas verification uses government IDs and other documentation, estimation can include scanning a face to approximate age. The group agreed that verifying ages with mobile phone information isn’t available in the U.S. Also, there’s a conflict between a rule requiring social media companies to accurately identify whether an account holder isn't a minor and another rule requiring companies to identify accounts held by minors who were incorrectly identified as not a minor during age verification, said FPF: A company could be considered noncompliant with one rule if it complies with the other.

So-called acceptable age-verification methods "are extremely invasive to user privacy and concerning from a security perspective,” said the R Street Institute. "Scanning one’s face and sharing a government identification card or inputting even part of a Social Security number are not only invasions of privacy but would also expose users to extreme cybersecurity risks, especially given the increasing pervasiveness of cybercrimes in the last few years." Cox has called TikTok a cybersecurity threat, yet the proposed rule would force TikTok "to acquire the most sensitive information from users like government identifications, face scans” and partial SSNs, noted R Street.

The underlying law is bad policy and probably violates the First Amendment, many of the groups said. “Courts have consistently found these sorts of policies to be unconstitutional" due to "age-verification technologies' demonstrated impingement on user privacy and anonymity,” said the Taxpayers Protection Alliance. “Asserting that a policy may yield some societal benefits is not a 'get-out-of-the-Constitution-free' card.” The Utah law "misses the mark in several important ways that will do more to put minors’ privacy at risk than it will to shield them from potential harm,” said American Consumer Institute. “Studies have found inconclusive results on the question of whether social media is good or bad for mental health.”

An age-verification tech company mostly supported Utah’s proposed rules. However, VerifyMy suggested allowing verifiers to consider the age of the email address associated with a social media account. The proposed rule contemplates looking at only the account’s creation date. Also, VerifyMy said Utah should let companies examine credit reports when verifying the last four digits of someone’s SSN. And the division should specify the maximum rate of false positives allowed for a verification method, said VerifyMy. "Without defining the level of accuracy required, there may be a race to the bottom with platforms seeking to set the lowest level of accuracy they think they will be allowed to apply without penalty.” In addition, the U.K.-based company raised concerns about a rule requiring companies to keep data used for verification within U.S. borders.

A few Utah residents wrote in support of the proposal, saying social media is extremely harmful and age-verification rules should be common practice, as they are for other activities and substances, such as smoking, drinking and gun ownership.

Utah resident Lorena Miller said she supports the regulations as long as user data isn’t stored and is erased securely. She said the proposal is a good way to protect children with special needs who require more supervision. Tihomir Asparouhov urged the department to approve the rules as soon as possible because “our kids are dying.” Sean Betts said it would be a “great law” because he doesn’t want his children to “consume potentially harmful products without my knowledge and permission.” He likened it to age restrictions for tobacco and firearms.

Many others disagreed. Children need the “bare minimum” amount of freedom to become “independent members” of society, said Jacob Hawley. Utah isn’t large enough to enforce these rules, and it will result in platforms blocking state residents, he said. Said Benjamin Boberg, verification through phone numbers, social security numbers, government ID and face-scanning puts residents at “tremendous” risk of hacking and identity theft. He urged regulators not to trade “freedom” for a “little security.” Karissa Stantion called the proposal an “infringement on minors' rights to express themselves on social media.”

It is not your job to be parents for the children of Utah,” said David Whipple. “Every phone has the capability to include social monitoring software should the parents choose to do so.”