The SCOPE Act in Pictures: What to Do…

As we previously discussed, youth privacy remains an enforcement priority for many attorneys general across the country, and Texas is no exception. In 2023, Texas passed the Securing Children Online Through Parental Empowerment (SCOPE) Act, which was intended to broadly prevent Texas children from accessing certain “harmful” content via social media platforms. But on August 30, 2024, the Western District of Texas blocked some key aspects of the law — just days before the law was set to go into effect on September 1, 2024. Below, we describe the requirements of the SCOPE Act, which parts of the statute’s law were affected by the court’s order, and what companies should be aware of as they move forward.

SCOPE OF APPLICATION Act

According to the state, the SCOPE Act aims to protect children under the age of 18 “harmful content and data collection practices.” It applies to digital service providers (DSPs) that host platforms that allow users to create public profiles, post public content, and interact with other users. Please note, however, that a number of entities are exempt from the statute, including small businesses as defined by the U.S. Small Business Administration, financial institutions subject to the Gramm-Leach-Bliley Act, and institutions of higher education.

The law (as originally intended) imposes a number of requirements on DSPs, including:

(1) Registration obligation: DSPs must record the age of a person who signs up for an account on their platform and prevent that person from changing his or her age later.
(2) Limitations on data collection, sharing and targeting: They are required to limit the collection and use of PII from minors and must prohibit minors from making purchases or engaging in other financial transactions through the platform unless their parent or guardian has given permission (in which case the service provider must still “restrict the ability of minors to make purchases). DSPs are also prohibited from collecting the geolocation information of minors, serving targeted advertisements to minors, and sharing or selling minors’ PII (unless a parent or guardian, using the parental controls described in (4) below, data practices).
(3) Algorithm-related disclosures: They must clearly disclose (in their terms of service, privacy policy, or other similar agreement) how they use algorithms to serve content to minors, how their algorithms rank or filter content, and what PII their algorithms take into account.
(4) Parental control:
DSPs are further required to create and publish parental tools that allow a parent or guardian, after their identity has been verified by the service provider, to review the minor’s privacy and account settings, monitor the amount of time the minor spends on the platform spends, and view, download, or delete the minor’s PII. Parental controls should also provide parents with the ability to modify the DSP’s duties related to data collection, data sharing, targeted advertising, and child purchasing.
(5) Advertising and marketing: They should try to prevent advertisers on their platforms from targeting minors with ads that promote products or services that are illegal for minors in Texas.
(6) Damage prevention: As originally intended, the SCOPE Act requires DSPs to develop and implement a strategy to prevent minors’ exposure to these substances “harmful” material – that is, material that “promotes, glorifies or enables suicide, self-harm, eating disorders, substance abuse, stalking, bullying, harassment, grooming, human trafficking, child pornography or other sexual exploitation or abuse.” (These terms are not defined in the statutes.) This includes “damage prevention” provisions, DSPs must apply filtering technology to them and create a database of them “harmful” material, and are required to use hash sharing technology and other protocols to identify recurring harmful content. If the DSP hereafter knowingly publishes or distributes content, more than a third of which is “harmful” to minors, use should be made of a “commercially reasonable age verification method” to verify the age of the user accessing the content.

Loss prevention requirements blocked by court order

On July 30, 2024, free speech advocacy groups filed suit in the Western District of Texas seeking to block the SCOPE Act in its entirety, claiming it violates the First Amendment, is void because vagueness, unconstitutional prior restrictions and pressure. Section 230 of the Communications Decency Act.

In a 38-page order, Judge Robert Pitman sided in part with the plaintiffs, tentatively enjoining what we described above as the statutory provisions of the statute. “damage prevention” requirements (i.e. (6), above), but leaves the rest of the law (i.e. (1)-(5), above) intact. In granting a preliminary injunction regarding the harm prevention requirements, Judge Pittman expressed doubt as to whether Texas has a compelling interest in regulating the types of content it describes in the law as “harmful” and explained that the regulated topics are anyway too vague and broad as written. In his opinion, Judge Pitman wrote: “Under these indefinite meanings, it is easy to see how an attorney general could arbitrarily discriminate in enforcing the law.”

What you need to know moving forward

On September 1, the majority of the SCOPE Act’s requirements (i.e. (1)-(5), above) came into effect, meaning social media platforms and similar companies must ensure they are compliant. Of particular concern are the law’s requirements that service providers, unless authorized by a parent or guardian through parental controls, (i) prohibit minors from making purchases or other financial transactions and (ii) refrain from collecting and selling of minors. geolocation data and PII.

The SCOPE Act is just one of a number of state statutes governing youth privacy that were blocked by a court order this year. For example, Mississippi, Ohio, and California attempted to pass similar legislation but were blocked in whole or in part by lawsuits initiated by interest groups. While we will continue to monitor for updates, it is clear that youth privacy remains a hot topic for regulators and advocacy groups alike.