In Brief

In April 2023, Arkansas Governor Sarah Huckabee Sanders signed into law SB 396, the Social Media Safety Act (the “Act”). Arkansas is the second state to enact a law that specifically regulates minors’ social media use, following Utah’s recent social media legislation.

The Act, which takes effect on September 1, 2023, requires social media platforms (as defined under the Act) to verify account holders ages in order to prohibit Arkansas residents younger than 18 years of age from being account holders, without the express consent of a parent or legal guardian. Further, among other potential sanctions, the Act establishes a private right of action of USD $2,500 per violation.

Background

Arkansas’ law arrives amid increasing attention—from lawmakers, regulators, and certain members of the public—into the ways that children and teenagers interact with social media platforms. At the federal level, the Senate has resumed hearings on children’s online safety and the Federal Trade Commission (FTC) is conducting consultations and hosting events to gauge public opinion on issues around minors’ online activity. At the state level, in September 2022, California enacted the Age-Appropriate Design Code Act, requiring certain providers of online services, likely to be accessed by minors, to conduct data protection impact assessments, and design their services in accordance with online safety and privacy principles. More recently, in March 2023, Utah’s Governor Spencer Cox signed two bills (S.B. 152 and H.B. 311), enacting the Utah Social Media Regulation Act.

In depth

Social media companies subject to the Act will have to verify the ages of new and existing account holders, and only allow Arkansas residents who are minors to be account holders with consent of a parent or legal guardian. The Act is prescriptive about how covered companies must verify the age of account holders. At the same time, however, the Act includes numerous exemptions and will therefore most likely not apply to the wider group of social media companies that are subject to other similar laws such as the Utah Social Media Regulation Act or California’s Social Media Content Moderation Law.

Scope: The Act applies to “social media platforms” defined as an internet-based service that (1) has Arkansas users, and (2) functions substantially to allow users to interact with each other. Despite this broad definition, the Act has numerous carve-outs, notably, the Act only applies to social media platforms controlled by entities with annual gross revenue exceeding USD $100 million.

The Act also expressly does not apply to:

  • services that function exclusively or predominantly as email or direct messaging services;
  • media companies that exclusively offer subscription content that users “follow” and whose platforms’ primary purpose is not social interaction as opposed to services that allow users to “generate short video clips of dancing, voice overs, or other acts of entertainment” whose primary purpose is not educational or informational and therefore, do not fall under the exclusions;
  • companies that exclusively offer interactive or virtual gaming services;
  • companies that offer cloud storage services, enterprise cybersecurity services, educational devices, or enterprise collaboration tools for kindergarten through grade twelve schools and who derive less than 25% of their revenue from operating a social media platform;
  • companies that provide “career development opportunities.” The statute does not define this term but does list examples including professional networking, job skills, learning certifications, and job posting and application services.
  • streaming media sites that only provide licensed media, as opposed to hosting user-generated content;
  • news, sports, entertainment, and other content that is preselected by the provider;
  • online shopping platforms, as long as interaction between users is limited to the ability to post and comment on reviews, display lists of goods for sale or wish lists, and functions focused on online shopping;
  • B2B software, cloud storage platforms, shared document collaboration tools, data visualization platforms, libraries or hubs, platforms whose primary purpose is to permit comments on a digital news website or academic or other research.

It is worth noting that the Act does not indicate how to determine a site’s “primary purpose,” which may become a flashpoint in disputes surrounding the scope of the law.

Requirements:  Covered social media platforms must use a third party vendor to perform reasonable age verification before allowing access, including providing a digitized identification card, which is defined as a data file connected to “a state-approved application”; government-issued identification; or “any commercially reasonable age verification method.”

The law also prohibits a covered social media company from retaining “any identifying information of the individual after access to the platform has been granted.” The Act does not define “identifying information” nor does it specify how this might work in practice. Further the Act does not provide any guidance or detail on the form of consent that needs to be provided for account holders under the age of 18.

Penalties and enforcement: In addition to the private right of action for USD 2,500 per violation, the Arkansas Attorney General may initiate enforcement actions. . Violators may also be held liable for damages resulting from the minor accessing the platform without the required consent, court costs, and attorney fees.

Key Takeaways

The Act goes into effect on September 1, 2023, giving companies less than half a year to comply. Companies should assess now whether the Act applies to them and look out for further clarifications as to age verification and parental consent mechanisms.  

Additionally, since numerous state lawmakers are considering similar laws and regulations, businesses in this space should continue to monitor for further developments.

Should you have questions about this or other data privacy issues, reach out to any of the Baker McKenzie attorneys listed in this alert.

Author

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.

Author

Fernanda Rodriguez is an associate in Baker McKenzie’s Intellectual Property & Technology Practice Group and resides in the Firm’s Houston Office. Fernanda focuses on intellectual property (IP) litigation and brand enforcement as well as matters involving data privacy and data protection.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.