Full Report
Texas has become a leading enforcer of internet rules. Its latest probe includes some platforms that privacy experts describe as unusual suspects.
Analysis Summary
# Regulation/Compliance: Texas Youth Privacy and Social Media Oversight (SCOPE Act & TDPSA Enforcement)
## Overview
This summary focuses on the recent enforcement actions taken by the Texas Attorney General (AG) against major technology companies (including social media, chat services, and AI platforms) concerning their handling of data, content moderation, and safety protocols related to minors under Texas law, specifically referencing the Texas SCOPE Act and the Texas Data Privacy and Security Act (TDPSA).
## Key Details
- **Issuing Authority:** Office of the Attorney General of Texas (Ken Paxton), enforcing state laws.
- **Effective Date:** The investigation targets compliance with statutes that are already in effect (e.g., TDPSA effective July, SCOPE Act provisions also being enforced).
- **Jurisdiction:** State of Texas.
- **Status:** In Effect (Enforcement actions are currently underway).
## Requirements
### Mandatory Requirements (Based on Referenced Laws Being Enforced)
1. **Age Verification & Parental Control (SCOPE Act):** Services with social media/chat functions targeting users under 18 must ask for users' age. Parents/guardians must be given power over minors’ account settings.
2. **Data Minimization for Minors (SCOPE Act):** Companies are barred from selling information gathered about minors without explicit parental permission.
3. **Parental Consent for Data Processing (TDPSA):** Requires parental consent before processing data derived from users younger than 13.
4. **Content Restrictions (SCOPE Act - content restriction portion ruled vague but potentially subject to other laws):** While one provision regarding taking steps to prevent minors from seeing self-harm/abusive content was found too vague, companies are generally expected to comply with safeguarding laws.
5. **Data Disclosure:** Companies must be prepared to detail lists of whom minors’ data is sold or shared with.
### Recommended Practices
1. **Proactive Compliance with State Laws:** Given the expansion of state-level enforcement (Maryland, New York also mentioned), services should review compliance beyond just federal standards (which focus solely on under-13 users).
2. **Clarity on Data Practices:** Ensure all data collection, sharing, and selling practices regarding minors are transparent and align with expected parental consent thresholds.
## Affected Organizations
- **Industries:** Technology sector, specifically social media companies, chat services, AI chatbot providers (e.g., Character.AI, Reddit, Instagram, Discord, Rumble, Quora, WeChat, Kick, Kik, Pinterest, Telegram, Twitch, Tumblr, WhatsApp, Whisper).
- **Organization Size:** Not explicitly specified, but the high-profile nature suggests large entities with significant Texas user bases are primary targets.
- **Geographic Scope:** Any company that registers users under the age of 18 in Texas or offers these services to Texas residents.
## Compliance Timeline
- **Next Week:** Deadline established by the AG’s office for the 15 targeted companies to answer demands concerning user numbers, data sharing lists, and compliance details.
- **Ongoing:** Continuous compliance required under the SCOPE Act and TDPSA.
- **Later This Year (External):** Other states (Maryland, New York) are expected to enforce similar laws.
## Implementation Guidance
### Assessment Phase
- **Identify Covered Services:** Determine which organizational offerings qualify as "social media or chat functions" under the SCOPE Act.
- **User Base Audit:** Quantify the number of Texas minors served by these functions.
- **Data Flow Mapping:** Document all instances where data belonging to minors (especially those under 13) is processed, sold, or shared.
### Implementation Phase
- **Enhance Age Gating:** Implement robust mechanisms to reliably ascertain user ages.
- **Refine Parental Controls:** Ensure parents/guardians have unambiguous control over minors’ account settings and data access.
- **Review Data Transactions:** Cease any selling or sharing of minor data without explicit, verified parental permission, especially for users under 13 as per TDPSA.
### Validation Phase
- **Internal Review:** Verify that answers provided to the AG’s demands (user statistics, data sharing lists) are fully accurate.
- **Legal Review:** Assess existing consent mechanisms against both SCOPE Act and TDPSA requirements.
## Technical Requirements
1. Auditable mechanisms for collecting and recording stated user age.
2. Functionality allowing parents/guardians to manage aspects of a minor’s account settings.
3. Strict protocols ensuring no sale or unauthorized disclosure of minor user data.
## Penalties & Enforcement
- **Fines:** Could amount to "up to hundreds of millions of dollars per company" based on the AG’s stated enforcement posture.
- **Other Consequences:** Requirement to fundamentally change business practices, public scrutiny, and mandatory disclosures resulting from investigative demands.
- **Enforcement:** Through legal action spearheaded by the Texas Attorney General’s office, leveraging state statutes against deceptive business practices if direct statutory violations are not proven (i.e., pursuing narrower cases). Enforcement relies on the state’s "pretty significant hammer."
## Related Standards
- **Texas SCOPE Act (Social Media Companies Offering Reasonable Protection of Minors Act):** The primary statute being enforced regarding minors under 18.
- **Texas Data Privacy and Security Act (TDPSA):** Relevant for data processing consent requirements for users under 13.
- **Case Law/Pending Litigation:** Ongoing lawsuits against companies like TikTok and Character.AI set precedents for interpretation of required safety and privacy measures.
## Resources
- **Official Documentation:** Texas AG press releases regarding the investigations and the text of the SCOPE Act and TDPSA (links provided in the article are defanged).
- **Guidance Documents:** Insights from privacy experts specializing in youth regulation (Fairplay, etc.).
- **Tools:** Auditing and data inventory tools necessary to map data flows.
## Practical Recommendations
1. **Respond Immediately to AG Demands:** Companies targeted must provide comprehensive responses by the stipulated deadline next week, detailing user counts and data sharing practices.
2. **Strengthen Age Verification:** Prioritize implementing more reliable age verification technologies, as current methods may be susceptible to the minor-reported inaccurate birthdate issue.
3. **Anticipate Broader State Action:** Assume compliance must meet the strictest state standard (like SCOPE’s under-18 scope) until jurisdictionally clarified, as other states are adopting similar legislation.
4. **Review Deceptive Practices:** Prepare defense or remediation plans for potential claims under existing deceptive trade practices laws, especially related to how data usage is communicated to parents/users.