Sharing Our Recent Comments on Utah’s Minor Protection in Social Media Act Rule
Balancing Parental Consent and Free Speech in Social Media
I wanted to share our formal comments to the Utah Department of Commerce’s Division of Consumer Protection regarding the ongoing development of the Utah Minor Protection in Social Media Act Rule. Although the underlying legislation is currently enjoined by a federal district court, we believe it’s crucial to share our expertise on this important issue.
In particular, we focused on concerns related to parental consent requirements, offering recommendations to ensure that these rules do not unduly burden social media platforms or infringe upon users’ free speech rights. Our hope is that these insights will help the Division strike the right balance in the event the injunction is lifted and the rule proceeds.
Thank you for your ongoing support, and we’ll keep you updated on further developments.
Taylor
Dear Director Hass,
We respectfully submit these comments to the Division of Consumer Protection regarding the Division’s pending Utah Minor Protection In Social Media Act Rule. We recognize that the underlying legislation has been preliminarily enjoined by a federal district court, but in the interest of sharing information and expertise, we hope these comments will be useful to inform the Division in the event the preliminary injunction is lifted on the underlying legislation.
There are many problems with age assurance and the Division of Consumer Protection has the extremely difficult task of writing rules that match the goals of the legislation and protecting the free speech of users in Utah. When creating rules for social media companies to comply with Utah’s age assurance and parental consent requirements, we encourage the Division of Consumer Protection to balance these rules with users' free speech rights. However, our comment is primarily focused on the parental consent piece of SB 194.
Recommendations
To sharpen the Division’s analysis and work on this topic, we offer the following recommendations, which we discuss in greater detail throughout this comment:
The Division should better account for the costs of implementing their proposed parental consent rules.
The Division should clarify the “reasonable efforts” standard to minimize privacy risks and ensure practical steps are taken toward compliance.
The Division should provide more clarity around “written attestation” in R152-71-5(1)(b).
The Division should better account for the costs of implementing the proposed parental consent rules.
The proposed parental consent rules are overly complicated, particularly when considering the age assurance requirements and how these impact platform usability for minors. In effect, these overly restrictive requirements will force platforms to create two separate experiences, depending on the user. This dual-platform experience will open social media platforms up to legal liability, and heightened compliance and verification costs as they are flooded with parental consent requests that may or may not be fraudulent.
Proposed rules would necessitate a redesign of platform experiences
Under SB 194, Subsection 5, platforms would have to disable autoplay, scrolling, and push notifications for users under 18, effectively making the experience so disjointed that it becomes nearly unusable. What that means for platforms hoping to maintain their user base of adult users, in practice, is that they’ll need to overhaul their platform to separate minors and adults into radically different experiences – an expensive and time-consuming process that smaller platforms likely cannot afford.
This dual experience requirement will likely lead to a flood of legitimate and fraudulent parental consent requests to restore features minors have come to expect, complicating compliance further.
In practice, these settings outlined in Subsection 5 of SB 194 would mean a user must manually click to play each piece of content, load more information after reaching the end of a feed, and will effectively eliminate useful notifications. Although it is generally the intent of the legislature to make platforms less interesting for teens, even if a platform is created just for teen users that disables autoplay, scrolling, and push notifications, all of these requirements actually have the effect of driving up the time minors spend on platforms. Some research has even shown that something as simple as silencing push notifications could encourage minors to check their apps more often than they would otherwise, so as to not miss anything – effectively failing to achieve the underlying purpose of SB 194.
Beyond presenting a technical problem or a cost problem, what’s at stake are the social media experiences of users under the age of 18 in Utah. Provided all the legal and technical hurdles are overcome in regards to the age assurance requirements, users under the age of 18 will wake up one morning to a very different kind of social media product than adults in the state. In fact, the experience will be so different as to be nearly unusable.
Having already experienced the cutting edge of platform technologies, users under 18 likely won’t accept a significant downgrade in experience without protest. Instead, it is likely that platforms will see a flood of parental consent requests to reactivate the features minor users have come to expect and in many ways benefit from. These requests will be a mix of legitimate parental requests and illegitimate requests i.e. minors posing as their parents. The consequences of inadequately separating the two, however, falls squarely on platforms – a major legal risk.
The scale and economics of compliance in a dual-platform environment is underestimated.
As noted above, the Utah minor social media experience will be radically different should this law come into effect and the Division is successful in promulgating rules. Therefore, the rules should be written in a way that anticipates a high volume of legitimate and illegitimate requests to platforms on day one. An estimate of that volume based can be based on US Census data: of Utah’s 3.2 million people, roughly 15% to 20% are minors under 18; then, assuming most teens in Utah use social media, this means that platforms will need to manage requests and attestations for up to 640,000 platform users. Of course the exact number could be smaller or greater. Yet this gives an idea of the scale at which platforms of all sizes will need to accurately manage requests.
Because SB 194 has no limitations based on platform size, smaller apps and sites that meet the definition of “social media platform” will also have to comply. Naturally, the bigger platforms will have more users than the smaller platforms so volume will differ accordingly. Engine, a non-profit that works with tech startups across the country, recently reported the sizable costs of age assurance requirements. These costs are in the range of $10,000 to license a service or up to $50,000 to create one internally. Parental consent requirements would present an additional cost to either license services that offer a safe harbor program or conduct verification themselves. These costs should be considered by the Division as they craft rules for parental consent. As the Engine report states, “Many startups, especially early-stage startups, operate at a loss until they reach scale, so every additional cost eats into their runway, reducing the life of the company.”
The Division’s formal assessment seems to overlook the broader economic impact on smaller platforms that must create an entirely new user experience for Utah minors. The marginal costs associated with this requirement will likely be most burdensome for startups and small businesses, whose limited resources mean any additional expense could affect their survival. Experience with federal parental consent requirements under COPPA has already shown that such rules increase the cost of doing business with minors. While the Division estimates age assurance costs could range from $0.05 to $0.45 per verification attempt and at least $2,000 annually for geolocation services, these figures remain largely "inestimable" due to variations in vendors and compliance methods. The lack of a concrete cost estimate, especially for small businesses, underscores the need for the Division to more thoroughly consider these financial burdens when finalizing the rules.
The costs of COPPA can inform Utah’s compliance cost estimate.
The Division’s proposed parental consent rules, which follow the initial step of verifying parental relationships, rely on methods outlined under the federal Children’s Online Privacy Protection Act (COPPA). Specifically, the Utah rule references 16 CFR 312.5(b)(2) and (3) for parental verification methods, and it allows for any other verification method approved under COPPA as per 16 CFR 312.12(a).
The reliance on COPPA-approved methods introduces significant compliance costs for both firms and parents. Since its implementation in 1998, these methods have proven costly and burdensome, leading to unintended consequences such as fewer safe online options for minors and a reduction in parental empowerment.
Scholars Ben Sperry and Kristian Stout from the International Center for Law and Economics have highlighted the economic impact of these requirements in their formal comment to the FTC’s Notice of Proposed Rulemaking (NPRM) on COPPA. Their findings, especially in Section III, detail how the requirements for verifiable parental consent have led to a 13% reduction in content creation and a 22% decline in viewership. This reduction illustrates how high compliance costs force content creators to move away from producing children’s content, thus decreasing both the quantity and diversity of safe online options for minors. The specific methods listed under 16 CFR 312.5(b)(2) face similar constraints and challenges to other age assurance methods, presenting significant privacy risks and difficulties for platforms attempting to verify at scale.
The Division should clarify the “reasonable efforts” standard to minimize privacy risks and ensure practical steps are taken toward compliance.
Given the costs outlined above, many or most platforms will likely consider a safe harbor program as outlined in 16 CFR 312.5(b)(3) to meet the “reasonable efforts” standard set out in R152-71-5 (1). Adding greater clarity around this path to compliance, in light of the challenges and costs associated with the heightened requirements in this rule, could minimize privacy risks and ensure companies can take practical measures to comply.
In general, a safe harbor program eligible for approval under COPPA is a self-regulatory framework that platforms follow to ensure reasonable efforts are taken toward compliance. To gain approval, a proposed safe harbor program must demonstrate it offers protections equal to or greater than those in §§ 312.2 through 312.8, and 312.10, and must include an independent assessment mechanism to evaluate compliance. These assessments are typically conducted annually to ensure that operators adhere to guidelines. Safe harbor programs also require clear penalties for non-compliance, ranging from public disclosures of violations to referrals to the FTC. Maintaining compliance under a safe harbor program still requires resources for regular assessments, reporting, and potential enforcement actions.
However, in light of the greater requirement of obtaining parental consent in Utah’s rule, examining how “reasonable efforts” have been applied in past parental consent cases is essential for assessing these rules.
Methods like credit card verification or government-issued ID checks are considered robust but can be expensive and raise privacy concerns, especially regarding the handling and storage of sensitive personal data. Other approaches, such as confirmatory emails with additional follow-up steps like phone calls or physical mail, provide a lower-cost alternative but carry a higher risk of being manipulated by tech-savvy minors. These examples illustrate the varying degrees of complexity, costs, and privacy trade-offs involved in meeting parental consent requirements.
Each method presents different challenges, highlighting the need for careful consideration of how these requirements will be implemented in practice and the potential impact on both users and platform. Without a clear safe harbor built around the “reasonable efforts” component of this rule, companies will face even greater barriers to ensuring all those necessary considerations are made.
The Division should provide more clarity around “written attestation” in R152-71-5(1)(b).
The second portion of the proposed rule is “a written attestation from the parent or guardian that they are the minor's legal guardian.” Presumably this step is meant to be a proactive statement by the parent or guardian that they approve of a minor transforming their account from a Utah minor experience to an adult experience. This step seems to assume the identity and relationship of the person claiming to be a parent has already been sufficiently verified. The Division should make clear why this step is required and should be specific about what is necessary for a sufficient “attestation” in order to avoid legal ambiguities. As written, the attestation could be as simple as a check box underneath text that says something to the effect “I am the parent or guardian of the account holder.” Such a method would be the least onerous but also the least accurate.
Conclusion
In sum, even though the underlying legislation is preliminarily enjoined, we hope these comments will serve to inform the Division, and guide the development of these rules toward an outcome that minimizes safety risks, more closely reflects the costs of compliance, and clarifies ambiguities.
We appreciate the opportunity to offer comments in this matter and thank you for your consideration.
Respectfully submitted,
Taylor Barkley, Caden Rosenbaum, and Devin McCormick