On June 13, 2023, Texas Governor Greg Abbott signed the Securing Children Online through Parental Empowerment Act (HB 18) (SCOPE Act). With this signing, Texas joins Utah and Arkansas in regulating social media and its impact on minors and their mental health.

The SCOPE Act requires covered “digital service providers” to provide minors with certain data protections, prevent minors from accessing harmful content, and give parents tools to manage their child’s use of the service. The Act also has age verification requirements for digital service providers that knowingly distribute a significant amount of “harmful” or “obscene” content.

Of particular interest, the SCOPE Act requires a joint legislative committee to conduct a study on the mental health impact of various forms of media on minors, including social media. This provision reflects a heightened interest in how services with certain social features affect children and teens as compared to other screen-based activities, such as watching movies or playing video games. We are likely to see additional legislation at the state and federal levels on this issue going forward.

This alert summarizes the SCOPE Act’s key provisions, which will take effect on September 1, 2024.

Who Does the SCOPE Act Apply To?

Aside from Section 509.057 (discussed further below), the SCOPE Act applies to digital service providers whose service:

1. Has a “primary function” of allowing users to “socially interact” with other users,
2. Allows users to create public or semi-public profiles in order to use the service, and
3. Allows users to create or post content that can be viewed by other users.

The Act provides examples of how user content may be viewed by others, including message boards, chat rooms, and landing pages or feeds that present other users’ content.

Notably, the Act exempts digital service providers whose primary function is to provide access to “news, sports, entertainment, commerce, or content selected by [the service]” where the interactive functionality is “incidental” to using the service.

What Are the Duties of Covered Digital Service Providers?

Covered digital service providers cannot enter into an agreement with a user to create an account unless the user has provided their age. In addition to users having the ability to declare that they are minors (e.g., under 18 years of age), a user will be considered a “known minor” if a parent or guardian notifies the company of the child’s age, disputes the registered age of their child’s account, or otherwise performs a parental function as outlined by the law.

The SCOPE Act imposes data minimization and purpose limitation requirements for minors’ personal identifying information (PII). Covered digital service providers cannot share minors’ PII, collect minors’ precise geolocation data, or display targeted advertising to minors. The companies also cannot allow minors to engage in financial transactions by default.

Covered digital service providers also have an affirmative duty to develop a strategy for preventing exposure to “harmful material” for minors. This includes content that “promotes, glorifies, or facilitates” suicide, self-harm, eating disorders, substance abuse, stalking, bullying, harassment, grooming, trafficking, child pornography, or other sexual exploitation or abuse. The Act provides examples of technologies and processes that can be used to implement such a strategy, including the use of filtering technology to block content and the creation of a database of keywords used for filter evasion. Additionally, covered digital service providers must make reasonable efforts to prevent targeted advertisements that promote or offer products or activities that are unlawful for minors to use or engage in (e.g., alcohol, gambling).

What Tools and Rights Do Parents Have?

In order for parents to effectively supervise their child’s account, covered digital service providers must provide tools that allow parents to control privacy settings and monitor the amount of time the minor can spend using the service. The SCOPE Act also allows parents to make changes concerning the child’s account, such as allowing targeted advertising, use of geolocation data, or their child’s engagement in restricted financial transactions.

Covered digital service providers must also provide parents the right to access, port, and/or delete the minor’s PII.

Are There Other Requirements for Covered Digital Service Providers?

As previewed above, Section 509.057 is somewhat removed from the Act’s other requirements. Instead of applying only to digital service providers who satisfy the three criteria enumerated earlier, this section applies more broadly. Any digital service provider who knowingly publishes or distributes material, “more than one-third of which is harmful material or obscene,” must use “a commercially reasonable age verification method” to determine that users are not minors. Companies cannot enter into agreements with users under 18 years of age who are trying to access content through the service. This portion of the law seems to mirror laws in several other states, including Louisiana and Virginia, that require age verification before accessing sites with pornographic material.

Who Can Enforce the Law?

Any violation of the SCOPE Act’s provisions for digital service providers is considered a deceptive act or practice under Texas law, enforceable by the state’s Attorney General. The SCOPE Act’s requirements for digital service providers does not generally provide for a private right of action. However, parents or guardians of known minors can bring causes of action seeking a declaratory judgment or injunction against the company if they believe they are affected by the company’s violation.

What Are the Provisions for Further Research?

Article 4 of the SCOPE Act provides for a joint legislative committee to conduct a study on the effects of media on minors. The committee will examine the health and developmental effects of media on minors. Likewise, the committee will examine the effects of exposure to various types of media, including social media, websites, television and film, AI, and video games.

Takeaways

Companies that fall within scope of the SCOPE Act should start evaluating how they plan to comply with the law. Because the law requires companies to collect age information, companies will have actual knowledge as to whether users are under 18 and under 13. As such, companies should also evaluate their practices with respect to other children’s privacy laws, such as the Children’s Online Privacy Protection Act.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues, especially in the area of children’s and minors’ data, and will monitor guidance and other state-level developments to assist clients with compliance. For more information or advice concerning your compliance efforts, please contact Christopher Olsen, Rebecca Weitzel Garcia, or any member of the firm’s privacy and cybersecurity practice.