NOTICES OF PROPOSED RULES

R152-71. Utah Minor Protection In Social Media Act Rule

09/16/2024

NOTICE OF SUBSTANTIVE CHANGE

TYPE OF FILING: New

Rule or Section Number: R152-71

Filing ID: 56691

Agency Information

1. Title catchline: Commerce, Consumer Protection

Building: Heber Wells

Street address: 160 E 300 S

City, state: Salt Lake City, UT

Mailing address: PO Box 146704

City, state and zip: Salt Lake City, UT 84114-6704

Contact persons:

Name: Daniel Larsen

Phone: 801-530-6601

Email: dcprules@utah.gov

Please address questions regarding information on this notice to the persons listed above.

General Information

2. Rule or section catchline:

R152-71. Utah Minor Protection In Social Media Act Rule

3. Purpose of the new rule or reason for the change:

This rule is being enacted as required by S.B. 194, 2024 General Session, codified as Title 13, Chapter 71, Utah Minor Protection In Social Media Act.

4. Summary of the new rule or change:

This rule: defines terms; establishes the processes and means by which a social media company may assure whether a current or prospective Utah account holder is a minor in accordance with Section 13-71-201, and obtain verifiable parental consent in accordance with Section 13-71-203; establishes criteria a social media company may use to determine whether its age assurance system is at least 95% accurate in determining whether a current or prospective Utah account holder is a minor; establishes standards applicable to data use, retention, protection, and disposal; and aids the division's administration and enforcement of Title 13, Chapter 71, Utah Minor Protection in Social Media Act.

Fiscal Information

5. Provide an estimate and written explanation of the aggregate anticipated cost or savings to:

A) State budget:

The proposed rule is not anticipated to have a fiscal impact on the state budget beyond that already described in the Fiscal Note to S.B. 194 (2024).

B) Local governments:

The proposed rule is not anticipated to have a fiscal impact on the local governments beyond that already described in the Fiscal Note to S.B. 194 (2024).

C) Small businesses ("small business" means a business employing 1-49 persons):

The proposed rule is not anticipated to have a fiscal impact on small businesses beyond those already described in the Fiscal Note to S.B. 194 (2024).

D) Non-small businesses ("non-small business" means a business employing 50 or more persons):

This rule will have a fiscal impact on non-small businesses that is inestimable because the number of non-small businesses to which this rule will apply is not readily available and is fluid.

Additionally, the costs will vary depending on the age assurance and parental consent verification methods chosen by a social media company.

However, the Division of Consumer Protection (Division) anticipates that age assurance costs for a social media company will be: a range of $0.05 to $0.45 per completed age assurance attempt or parental consent verification per Utah account holder, depending on method used, vendor, and volume; and $2,000, at minimum, per year per social media company for geo location services.

Depending on the services used, there may be up-front and ongoing costs or fees but these costs or fees are inestimable, particularly if a social media company already employs age assurance or parental consent verification methods.

Similarly, costs related to data use, protection, and retention standards are inestimable because social media companies use varying methods to comply with other similar regulations, including Title 13, Chapter 61, Utah Consumer Privacy Act, the European Union's General Data Protection Regulation, and the California Consumer Privacy Act, among others.

A social media company's existing data use, protection, and retention standards, which are unknown to the Division, are expected to impact the cost of compliance with this rule, rendering these costs inestimable.

E) Persons other than small businesses, non-small businesses, state, or local government entities ("person" means any individual, partnership, corporation, association, governmental entity, or public or private organization of any character other than an agency):

The proposed rule is not anticipated to have a fiscal impact on persons other than small businesses, non-small businesses, state, or local government entities beyond that already described in the Fiscal Note to S.B. 194 (2024).

F) Compliance costs for affected persons (How much will it cost an impacted entity to adhere to this rule or its changes?):

Compliance costs for affected persons are inestimable because the number of affected persons to whom this rule will apply is not readily available and is fluid.

Additionally, the costs will vary depending on the age assurance and parental consent verification methods chosen by a social media company.

However, the Division anticipates that age assurance costs for a social media company will be: a range of $0.05 to $0.45 per completed age assurance attempt or parental consent verification per Utah account holder, depending on method used, vendor, and volume; and $2,000, at minimum, per year per social media company for geo location services.

Depending on the services used, there may be up-front and ongoing costs or fees but these costs or fees are inestimable, particularly if a social media company already employs age assurance or parental consent verification methods.

Similarly, costs related to data use, protection, and retention standards are inestimable because social media companies use varying methods to comply with other similar regulations, including Title 13, Chapter 61, Utah Consumer Privacy Act, the European Union's General Data Protection Regulation, and the California Consumer Privacy Act, among others.

A social media company's existing data use, protection, and retention standards, which are unknown to the Division, are expected to impact the cost of compliance with this rule, rendering these costs inestimable.

G) Regulatory Impact Summary Table (This table only includes fiscal impacts that could be measured. If there are inestimable fiscal impacts, they will not be included in this table. Inestimable impacts will be included in narratives above.)

Regulatory Impact Table

| Fiscal Cost | FY2025 | FY2026 | FY2027 |
| --- | --- | --- | --- |
| State Government | $0 | $0 | $0 |
| Local Governments | $0 | $0 | $0 |
| Small Businesses | $0 | $0 | $0 |
| Non-Small Businesses | $0 | $0 | $0 |
| Other Persons | $0 | $0 | $0 |
| Total Fiscal Cost | $0 | $0 | $0 |
| Fiscal Benefits | FY2025 | FY2026 | FY2027 |
| State Government | $0 | $0 | $0 |
| Local Governments | $0 | $0 | $0 |
| Small Businesses | $0 | $0 | $0 |
| Non-Small Businesses | $0 | $0 | $0 |
| Other Persons | $0 | $0 | $0 |
| Total Fiscal Benefits | $0 | $0 | $0 |
| Net Fiscal Benefits | $0 | $0 | $0 |

H) Department head comments on fiscal impact and approval of regulatory impact analysis:

The Executive Director of the Department of Commerce, Margaret Busse, has reviewed and approved this regulatory impact analysis.

Citation Information

6. Provide citations to the statutory authority for the rule. If there is also a federal requirement for the rule, provide a citation to that requirement:

Subsection 13-2-5(1)

Subsection 13-71-302(1)

Public Notice Information

8. The public may submit written or oral comments to the agency identified in box 1. (The public may also request a hearing by submitting a written request to the agency. See Section 63G-3-302 and Rule R15-1 for more information.)

A) Comments will be accepted until: 09/16/2024

B) A public hearing (optional) will be held:

Date: 08/29/2024

Time: 10:00 AM to 11:00 AM

Place (physical address or URL): Utah State Capitol Building, 350 N. State Street, Senate Room 220, Salt Lake City, UT

9. This rule change MAY become effective on: 10/01/2024

NOTE: The date above is the date the agency anticipates making the rule or its changes effective. It is NOT the effective date.

Agency Authorization Information

Agency head or designee and title: Daniel Larsen, Managing Analyst

Date: 08/01/2024

R152. Commerce, Consumer Protection.

R152-71. Utah Minor Protection in Social Media Act Rule.

R152-71-1. Purpose.

The purpose of this rule is to:

(1) establish the processes and means by which a social media company may:

(a) assure whether a current or prospective Utah account holder is a minor in accordance with Sections 13-71-201 and 13-71-302; and

(b) obtain verifiable parental consent in accordance with Sections 13-71-203 and 13-71-302;

(2) establish criteria a social media company may use to determine whether the social media company's age assurance system is at least 95% accurate in determining whether a current or prospective Utah account holder is a minor;

(3) establish standards applicable to data use, retention, protection, and disposal; and

(4) aid the division's administration and enforcement of Title 13, Chapter 71, Utah Minor Protection in Social Media Act.

R152-71-2. Authority.

This rule is promulgated in accordance with Subsections 13-2-5(1) and 13-71-302(1).

R152-71-3. Definitions.

(1) "Assurance of confidentiality" means a presumption that a social media company will restrict access to a Utah minor account holder's personal information to as few parties as possible.

(2) "False negative" means an age assurance system's incorrect determination that a current or prospective Utah account holder is a minor.

(3)(a) "False negative rate" means the rate at which a social media company's age assurance system incorrectly determines a current or prospective Utah account holder is a minor.

(b) "False negative rate" is calculated as (false negative rate = false negatives ÷ (false negatives + true positives)).

(4) "False positive" means an age assurance system's incorrect determination that a current or prospective Utah account holder is not a minor.

(5)(a) "False positive rate" means the rate at which a social media company's age assurance system incorrectly determines a current or prospective Utah account holder is not a minor.

(b) "False positive rate" is calculated as (false positive rate = false positives ÷ (false positives + true negatives)).

(6) "Liveness" means verification that information provided by a user to a social media company's age assurance system is from a human being, and not from an imitation including a photo, video, or other replica.

(7) "Liveness false acceptance rate" means the proportion of users incorrectly accepted by an age assurance system as being live.

(8) "Outcome error parity" means an age assurance system's determinations are correct or incorrect in equal proportion for individuals of different skin color and sex.

(9) "True negative" means an age assurance system's correct determination that a current or prospective Utah account holder is a minor.

(10) "True positive" means an age assurance system's correct determination that a current or prospective Utah account holder is not a minor.

(11) "Upper and lower limit" means the age range between 16 and 20 years of age.

R152-71-4. Processes and Means of Age Assurance -- Safe Harbor.

(1) A social media company's age assurance system qualifies for the safe harbor described by Subsection 13-71-302(2) if:

(a) the processes and means used by the age assurance system produce outcomes that satisfy the criteria in the following table:

TABLE

Accuracy of Age Assurance Outcomes

| Liveness false acceptance rate maximum | False positive rate maximum | False negative rate maximum | Accuracy within upper and lower limit | Outcome error parity maximum disparity |
| --- | --- | --- | --- | --- |
| 1% | 3% | 10% | 95% | 1% |

(b) the age assurance system's results are verified annually by an independent third-party auditor; and

(c) the social media company provides reasonable means by which a current or prospective Utah account holder may challenge an incorrect age assurance result.

(2)(a) A social media company may use a third party's age assurance system, provided that the third party complies with the requirements of Title 13, Chapter 71, Utah Minor Protection in Social Media Act and this rule.

(b) A social media company that uses a third party's age assurance system may not use the same third party to verify the age assurance system's results, as described by Subsection R152-71-4(1)(b).

R152-71-5. Processes and Means of Obtaining Verifiable Parental Consent.

(1) A social media company shall, taking into consideration available technology that is reasonably calculated to ensure that the person providing consent is the minor's parent or guardian, make reasonable efforts to confirm a parent's or guardian's consent for a minor to change data privacy settings in accordance with Section 13-71-202, or to overcome the presumption of confidentiality described by Subsection 13-71-204(2), by:

(a) using a method that complies with 16 CFR 312.5(b)(2) or (3), or has been approved by the Federal Trade Commission in accordance with 16 CFR 312.12(a); and

(b) obtaining a written attestation from the parent or guardian that they are the minor's legal guardian.

(2) A social media company shall provide a reasonable method by which a Utah minor account holder's parent or guardian may revoke the parent's or guardian's prior consent.

R152-71-6. Age Assurance Accuracy.

(1)(a) A social media company's age assurance system is 95% accurate, in accordance with Subsection 13-71-302(1)(b), if it correctly determines that a Utah account holder is a minor in 95% of age assurance attempts.

(b) To determine whether its age assurance system is 95% accurate, a social media company shall:

(i) randomly sample age assurance attempts made with respect to 1,400 or more unique current Utah account holders, half of whom the age assurance system identified as a minor, and half of whom the age assurance system identified as not a minor; and

(ii) for each Utah account holder selected in the sample, review whether the age assurance system's determination was correct.

(2) A social media company may use a third party's age assurance system, provided that the third party complies with the requirements of Title 13, Chapter 71, Utah Minor Protection in Social Media Act and this rule.

R152-71-7. Age Assurance and Verifiable Parental Consent Data -- Permitted Use, Retention, Protection, and Disposal.

(1) A social media company may not collect more than the least amount of data reasonably necessary to comply with Sections 13-71-201 and 13-71-204.

(2) Data collected by a social media company to comply with Sections 13-71-201 and 13-71-204 shall be:

(a) maintained in accordance with the security practices described by Subsection 13-61-302(2), and not transferred to a third party as defined by Subsection 13-61-101(36);

(b) segregated from all data the social media company maintains in its normal course of business;

(c) deleted by permanently and completely erasing the collected data as quickly as possible, but no more than 45 days after the social media company or its agent:

(i) completes the age assurance process;

(ii) uses the data to verify parental consent;

(iii) determines a current or prospective Utah account holder failed to meet the verification requirements within the required time period; or

(iv) determines parental consent was denied; and

(d) used only to comply with Sections 13-71-201 and 13-71-204, and for no other purpose.

(3) A social media company may extend the 45-day deadline identified in Subsection R152-71-7(2)(c) by up to an additional 45 days:

(a) one time per age assurance attempt;

(b) if the extension is reasonably necessary in accordance with Subsection 13-61-203(2)(b); and

(c) the social media company complies with Subsection 13-61-203(2)(c).

(4) A social media company or its agent shall create a record related to each Utah account holder for which an age assurance attempt is made describing:

(a) the date it completed the age assurance process and verified parental consent for the account if the account holder is a minor;

(b) the type of data collected to assure the Utah account holder's age and to verify parental consent; and

(c) the date it deleted data collected to comply with Sections 13-71-201 and 13-71-204, and this rule.

(5) A person who seeks to verify their account may, in accordance with Section 13-61-202, request that their data be deleted before the verification process is completed.

(6) A social media company shall comply with a consumer's request to delete in accordance with Section 13-61-203.

(7) Data collected by a social media company to comply with Sections 13-71-201 and 13-71-204 may not be stored, maintained, transferred, or processed outside the United States of America.

KEY: social media, age assurance, parental consent, data privacy

Date of Last Change: 2024

Authorizing, and Implemented or Interpreted Law: 13-2-5(1); 13-71-302(1)