0
Social media apps on the screen of an smartphone device.

California’s Social Media Transparency Law

Disclosure Obligations, Hate Speech & AG Reports

Legislators across the United States have been grappling with how to regulate social media companies. In Texas, the 5th Circuit upheld a law limiting how social media platforms can moderate content.[1] In Florida, a brief was filed asking the U.S. Supreme Court to reverse the 11th Circuit’s decision to strike down a law preventing how social media platforms can moderate users.[2] Now, with Governor Newsom signing AB 587 into law, California joins the legislative efforts. Effective January 1, 2024, AB 587 imposes new disclosure and reporting obligations on companies operating social media platforms. A social media platform falls under the law if:
  • The company operating the platform generated at least one hundred million in gross revenue during the preceding calendar year;[3]
  • The platform is a “public or semipublic internet-based service or application”[4] with users “in California;”[5]
  • A substantial function of the platform is to connect users to allow them to “interact socially” with each other in the platform;[6] and
  • Users can:
    • construct “public or semipublic” profiles for the purpose of signing in and using the platform;[7]
    • populate a list of other users with whom they share a social connection within the platform;[8] and
    • post content viewable by other users.[9]
In addition, the law does not apply to services or applications for which user interactions are limited to direct messages, commercial transactions, or consumer reviews of products, sellers, services, events, or places, or any combination thereof.[10] Disclosure Obligations A covered social media platform must disclose to users the existence and contents of the platform’s terms of service.[11] In addition, the terms of service must disclose:
  • Permitted user behavior and activities on the platform, and activities that may subject the user or their content to negative actions;[12]
  • Potential negative actions that may be taken, such as removal, demonetization, deprioritization, or banning;[13]
  • Contact information for asking questions about the terms of service;[14] and
  • A process by which users can flag content, groups, or other users believed to be violating the terms of service.[15]
These disclosure obligations should feel familiar to businesses already operating in the social media industry. The more onerous requirements stem from the law’s reporting obligations to the California AG. Reporting Obligations to the California AG A covered social media company, on a “semiannual basis,” must provide the California AG with a “terms of service report.”[16] As part of this report, the company must detail whether it defines the following categories of content in its terms of service:
  • Hate speech or racism.
  • Extremism or radicalization.
  • Disinformation or misinformation.
  • Harassment.
  • Foreign political interference.
Interestingly, the law is written so as not to require a covered company to define these categories of content; rather, it merely requires disclosure of whether the company does so. That said, much of what the law requires as part of the report to the AG pertains to the company’s actions taken in response to content falling within one of the above categories. For example, the company must disclose any existing policies intended to address the above categories of content,[17] and the total number of content items flagged for belonging to one of those categories.[18] Failure to submit a report as required can result in a civil penalty of $15,000 per violation per day. So, while the law appears not to require defining the above categories, it seems unlikely that a company can provide a conforming report – and therefore avoid the penalty – without defining what constitutes hate speech, harassment, and so forth. But this raises an important compliance question: how should a company define these categories? And could a company violate the law if, say, they define misinformation or foreign political interference in a way that does not comport with the California AG’s expectations? Given the current legal challenges facing other social media laws across the country, the law will likely be challenged on First Amendment grounds, so time will tell whether the law survives long enough to answer these questions. In the meantime, companies should consider how to navigate the growing state laws either requiring or forbidding moderation of user activities and content.
[1] https://www.politico.com/news/2022/09/16/5th-circuit-upholds-texas-law-forbidding-social-media-censorship-again-00057316. [2] https://www.axios.com/2022/09/21/florida-supreme-court-social-media-law. [3] AB 587, 22680. [4] 22675(e). This excludes services or applications meant to facilitate communication between employees or affiliates within a business or enterprise, so long as the service or platform restricts access to those categories of users. 22675(c). [5] 22675(e). The law provides no guidance on what it means for a user to be “in California,” but the bill’s legislative introduction uses the language “consumers residing in California.” [6] 22675(e)(1)(A). And while the law does not define “interact[ing] socially,” services or platforms that provide “email or direct messaging” services do not satisfy this requirement on that basis alone. 22675(e)(1)(B). [7] 22675(e)(2)(A). Again, this exempts services or platforms in which employees or affiliates can create profiles, when that service or platform restricts access only to those categories of users. 22675(c). [8] 22675(e)(2)(B). [9] 22675(e)(2)(C). [10] 22681. [11] 22676(a). [12] 22675(f). [13] 22676(b)(3). [14] 22676(b)(1). [15] 22676(b)(2). [16] 22677(a). [17] 22677(a)(4)(A). [18] 22677(a)(5)(A)(i).
0
A close-up picture of code.

The California Age-Appropriate Design Code

***Update: On September 15, 2022, Governor Newsom signed AB 2273, establishing the California Age-Appropriate Design Code Act. Who It Covers, What It Requires & How It Compares to the UK Effective July 1, 2024, the California Age-Appropriate Design Code imposes obligations on businesses [1] that provide an “online service, product, or feature” that is “likely to be accessed by children.” [2] Children are defined as California residents [3] “who are under 18 years of age.” [4] The law provides factors for whether an online service, product, or feature (S/P/F) is “likely to be accessed” by California residents under the age of 18: [5]
  • It is directed to children as defined by COPPA. [6]
  • It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, or it is substantially similar to an online S/P/F that meets this factor.
  • It displays advertisements marketed to children.
  • It has design elements known to be of interest to children, including games, cartoons, music, and celebrities who appeal to children.
  • Based on internal research, a significant amount of the audience is children.
An online S/P/F is defined by what it is not, and the definition notably exempts the “delivery or use of a physical product.” [7] This exemption diverts from the UK version of the law, which covers “connected toys and devices.” [8] Compared to the UK’s Common-Sense Approach The US version of the law provides no guidance on what it means for a “significant number of children” to “routinely access[]” the online S/P/F. However, the law makes clear in its legislative findings that covered businesses may look to guidance and innovation in response to the UK version when developing US-covered online S/P/F. [9] ICO states that the term “likely to be accessed by” is purposefully broad, covering “services that children [are] using in reality,” not just those services specifically targeting children. [10] However, ICO recognizes that the term is not so broad as to “cover all services that children could possibly access.” [11] The key difference is whether it is “more probable than not” that an online S/P/F will be accessed by children, and businesses should take a “common sense approach to this question.” [12] To illustrate this point:
  • If an online S/P/F is the kind “you would not want children to use in any case,” then the business should focus on preventing children from accessing the online S/P/F, rather than making it child friendly. [13]
  • If a business’s common-sense analysis reveals that children make up a “substantive and identifiable user group” routinely accessing the online S/P/F, then the “likely to be accessed” definition will apply. [14]
  • If that analysis does not reveal such a group yet causes the business to “think that children will want to use it,” then the business “should conform to the [law’s] standards.” [15]
  • If a business decides that the online S/P/F is not likely to be accessed by children, the business should “document and support” the reasons for such a determination, and incorporate such evidence as “market research, current evidence on user behaviour, the user base of similar or existing service,” and more. [16]
While this does not specify a threshold for what constitutes a “significant number of children,” it does demonstrate ICO’s view on the breadth of the law’s application. In sum, businesses should make a common-sense determination — based on actual evidence (e.g., internal or market) — as to whether it is more probable than not for a substantive and identifiable user group of children to either routinely access or want to access the online S/P/F. Top 3 Pain Points for Businesses If a business makes such a determination and finds that their online S/P/F is covered by the law, the business must take several steps to ensure compliance. We identified the following as among the more onerous steps that must be taken.
  1. Data Protection Impact Assessments & Risk Mitigation Plans
Before offering any new online S/P/F likely to be accessed by children, the business must complete a Data Protection Impact Assessment (DPIA) for it and maintain DPIA documentation for as long as the online S/P/F is likely to be accessed by children. [17] Businesses must biennially review all DPIAs. Businesses must further document any risk of material detriment to children that arises from data management practices identified in the DPIA and create a timed plan to mitigate or eliminate the risk before the online S/P/F is accessed by children. [18]
  1. Estimate Age of Child Users or Treat All Consumers as Children
Covered businesses must estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers. [19] The law provides no further guidance on how one makes such an estimation, but ICO published guidance for the UK version. [20]
  1. High Privacy & Tracking Signals as Default Settings for Children
Covered businesses must configure all default privacy settings provided to children by the online S/P/F to settings that offer a “high level of privacy,” unless the business can demonstrate a compelling reason that a different setting is in the best interests of children. [21] If the online S/P/F allows a parent, guardian, or other consumer to track the child’s location, it must also provide an “obvious signal” to the child when the child is being tracked or monitored. [22]
[1] The law applies to “businesses” as defined by the California Consumer Privacy Act (CCPA), 1798.140(c). [2] 1798.99.31(a). [3] The law incorporates the CCPA’s definition for “consumer,” 1798.140(g). [4] 1798.99.30(b)(1). [5] 1798.99.30(b)(4). [6] Which means:
  • A commercial website or online service that is targeted to children; or
  • That portion of a commercial website or online service is targeted to children. 15 U.S.C. § 6501(10)(A).
[7] 1798.99.30(b)(5), which also exempts broadband internet access service and telecommunications service. [8] According to ICO, connected toys and devices are “children’s toys and other devices which are connected to the internet. They are physical products which are supported by functionality provided through an internet connection.” https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/14-connected-toys-and-devices. [9] AB 2273, Sec. 1(d). [10] https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf, at 17. [11] Id. [12] Id, at 17-18. [13] Id, at 18. [14] Id. [15] Id. [16] Id. [17] The eight DPIA requirements can be found at 1798.99.31(a)(1)(B). [18] 1798.99.31(a)(2). [19] 1798.99.31(a)(5). [20] These methods include the user self-declaring their age, AI algorithms establishing a user’s age, third-party verification services, confirmation from a known adult account holder, hard identifiers (e.g., passports or similar documents), or some form of technical measures. https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/3-age-appropriate-application. [21] 1798.99.31(a)(6). [22] 1798.99.31(a)(8).
Image of computer coding. Some of the coding is blurred.

THE CALIFORNIA AGE-APPROPRIATE DESIGN CODE

Image Credit: Markus Spiske from Unsplash

***Update: On September 15, 2022, Governor Newsom signed AB 2273, establishing the California Age-Appropriate Design Code Act.

Who It Covers, What It Requires & How It Compares to the UK

Effective July 1, 2024, the California Age-Appropriate Design Code imposes obligations on businesses[1] that provide an “online service, product, or feature” that is “likely to be accessed by children.”[2] Children are defined as California residents[3] “who are under 18 years of age.”[4] The law provides factors for whether an online service, product, or feature (S/P/F) is “likely to be accessed” by California residents under the age of 18:[5]

  • It is directed to children as defined by COPPA.[6]
  • It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, or it is substantially similar to an online S/P/F that meets this factor.
  • It displays advertisements marketed to children.
  • It has design elements known to be of interest to children, including games, cartoons, music, and celebrities who appeal to children.
  • Based on internal research, a significant amount of the audience is children.

An online S/P/F is defined by what it is not, and the definition notably exempts the “delivery or use of a physical product.”[7] This exemption diverts from the UK version of the law, which covers “connected toys and devices.”[8]

Compared to the UK’s Common-Sense Approach

The US version of the law provides no guidance on what it means for a “significant number of children” to “routinely access[]” the online S/P/F. However, the law makes clear in its legislative findings that covered businesses may look to guidance and innovation in response to the UK version when developing US-covered online S/P/F.[9]

ICO states that the term “likely to be accessed by” is purposefully broad, covering “services that children [are] using in reality,” not just those services specifically targeting children.[10] However, ICO recognizes that the term is not so broad as to “cover all services that children could possibly access.”[11] The key difference is whether it is “more probable than not” that an online S/P/F will be accessed by children, and businesses should take a “common sense approach to this question.”[12]

To illustrate this point:

Read More

Press Release – Metaverse Law

On or about 7/5/2022, Falcon Rappaport & Berkman PLLC (“FRB”) and Metaverse Law Corporation (“Metaverse Law”) have agreed to resolve their dispute in the United States District Court for the Southern District of New York. As part of a global resolution, the parties have agreed that FRB can refer to itself as a metaverse law firm in a descriptive manner, given the proliferation and greater accessibility of the public into metaverse, Web 3.0, and virtual reality spaces. Nevertheless, the parties agree that METAVERSE LAW remains Metaverse Law’s trademark and Metaverse Law maintains the right to prosecute any non-descriptive infringement of the mark’s use.

FRB is a full-service business law firm that combines the deep knowledge and understanding of attorneys who proudly advise clients seeking solutions to their most complex matters, including businesses and individuals working in cryptocurrency and NFTs. FRB has led the charge into the metaverse and opened a law office in Decentraland in August 2021 (located at Parcel 25, -125). FRB differentiates itself by approaching matters with a level of depth and variety of skills unmatched by typical advisors, following through on a firm-wide commitment to excellent service, offering access to thought leaders in numerous areas of professional practice, and engaging in a partnership with clients to develop and achieve legal, business, and personal objectives.

Metaverse Law launched in 2018 and is a California-based privacy, AI, and cybersecurity law firm. Metaverse Law assists startups to multinationals with their CCPA, GDPR, and other data privacy obligations. Metaverse Law is a proponent of decentralized virtual reality spaces (as opposed to the panopticon of a singular dystopian metaverse) and advises tech companies and law firms alike on consumer privacy, ethics, and good governance inside and outside of their metaverses.

Map of the United States - State Privacy Laws

And Then There Were Five…

Image Credit: Free-Photos from Pixabay.

Just last summer, in July of 2021, Colorado joined California and Virginia, and became the third U.S. state with a comprehensive consumer privacy law. The Colorado Privacy Act is set to take effect in July 2023.

Hot on its heels, and within just two months of each other, first Utah in March of 2022, now Connecticut in May of 2022, passed privacy bills which will become effective in 2023.

So far, California remains the only state which allows for a private right of action in connection with its privacy bill. For more information, please see our comparison of the current U.S. state consumer privacy laws below.

For our unofficial redline of the CPRA, click here.

Follow these links for the official text of the CPRA, CPA, CTDPA, UCPA, and VCDPA.

To view and download a PDF version of this chart, click here.

1 13 14 15 16 17 28