What is the Texas SCOPE Act (HB 18) and how to comply?

The Texas SCOPE Act (H.B. 18), which stands for the Securing Children Online through Parental Empowerment, is designed to protect minor children (under 18) from harmful content and data collection practices. Part of the act went into effect on September 1, 2024. This new law primarily applies to digital services that provide an online platform for social interaction between users that: (1) allow users to create a public or semi-public profile to use the service, and (2) allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users content created and posted by other users. 

The Act mandates strict age registration and verification for minors on covered digital services, particularly large social networks. Covered digital services may need to obtain parental consent for users under 18, and give parents more tools to monitor their children’s online interactions. The Act includes limiting data collection, banning targeted advertising, and not allowing financial transactions without parental consent. 

However, the Act has faced significant legal challenges, and a partial injunction has been imposed by a U.S. District Judge on August 30, 2024, temporarily pausing the implementation of the “monitoring and filtering” requirements due to concerns about privacy, free speech, and the feasibility of enforcement.

What you need to know 

Effective Date:
September 1, 2024*
*A portion of the bill

 Key Requirements:
With the partial injunction covered digital service providers (DSP) must still:

• Limit data collection, ban targeted advertising, and not allow financial transactions without parental consent. 
  
  
• Make a commercially reasonable effort to prevent advertisers on the DSP’s service from targeting a known minor with content that facilitates, promotes, or offer[s] a product, service, or activity that is unlawful for a minor in this state to use or engage in.
  
  
• Implement a plan to “prevent the known minor’s exposure to harmful material,” including content that promotes or “glorifies” things like suicide, self-harm, substance abuse, and “grooming.”
  
  
• Collect age prior to a user entering into an agreement to create/ register for an account.
  
  
• Give users ability to declare that they are a minor (e.g., under 18 years of age).
  
  
• Prevent a user from changing their registered age unless the alteration process involves a commercially reasonable review process.
  
  
• Implement a “commercially reasonable age verification method” for any service whose content is deemed more than one-third harmful or obscene (as defined by an existing Texas statute).
  
  
• Limit collection of the known minor’s personal identifiable information (PII) to information reasonably necessary to provide the digital service and limit use of the PII to the purpose for which the information was collected.
  
  
• Disclose an overview of their algorithms for providing content; promoting, ranking, and filtering content; and the PII used to provide content.

Verification of Parent or Guardian
A DSP shall verify, using a commercially reasonable method and for each person seeking to perform an action on a digital service as a minor's parent or guardian: (1) the person's identity; and (2) the relationship of the person to the known minor.

Powers of a Verified Parent
A verified parent is entitled to alter the duties of a digital service provider under Section 509.052 with regard to the verified parent's known minor.

• Create and provide parental tools for digital services. Parents must be able to “control the known minor’s privacy and account settings,” alter data collection and financial transaction settings for the minor, and “monitor and limit the amount of time the known minor spends” using the DSP.
  
  
• A known minor's verified parent may submit a request to a digital service provider to: (1) review and download any personal identifying information associated with the minor in the possession of the digital service provider; and (2) delete any personal identifying information associated with the minor collected or processed by the digital service provider.
  
  
• Allow parents to dispute the registered age of their child by notifying “a DSP that the minor is younger than 18 years of age” or successfully disput[ing] the registered age of the minor. If a parent disputes the age of their child, the DSP must treat the user as a known minor.

NOTE: The requirement to obtain parental consent would not be retroactive for accounts that already exist, for which users already agreed to term and use contracts, however services will be expected to fulfill a duty of exercising reasonable care to prevent harm to a known minor – another part of the bill.

Who needs to comply?
Digital services that provide an online platform for social interaction between users that:

• Allow users to create a public or semi-public profile to use the service, and
• Allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users content created and posted by other users. 

Who does NOT need to comply?
The SCOPE Act contains numerous exemptions including the following: 

• State agencies;
• Small businesses as defined by the Small Business Administration (SBA);
• Financial institutions or data subject to Title V, the Gramm-Leach-Bliley Act; covered entities or business associates governed by federal laws like HIPAA and the HITECH Act; and institutions of higher education;
• Digital service providers who process user data for express purposes of employment or education services; 
• A digital service provider’s facilitation of e-mail or direct messaging services as long as the digital service only provides those services; or
• A digital service provider’s facilitation of access to news, sports, commerce, or content primarily generated or selected by the digital service provider; and allows chat, comment, or other interactive functionality that is incidental to the digital service.         
• Internet service providers, search engines, or cloud service providers can be exempt unless they are responsible for the creation of harmful material or other content described by Section 509.053(a) of the Act. For example, when an internet service provider, search engine, or cloud service provider solely supplies the internet access or connection, allows for downloads, access to software, or other service to a website, they are generally not considered actionable since they often do not have control over the harmful content in question.

Enforcement:
A violation of the SCOPE Act is a deceptive trade practice enforceable only by the Consumer Protection Division of the Office of the Attorney General of Texas, which may seek:

• Injunctive relief
• Civil penalties of up to $ 10,000 per violation
• Attorneys’ fees

The Act does not confer a private right of action but allows parents and guardians of known minors to file suit to obtain a declaratory judgment against a digital service provider. A court may not certify a case brought under the Act as a class action.

Consumers can file complaints with the Texas AG online here.

How can your business comply with the Texas SCOPE Act requirements?
PRIVO’s specialized privacy tech solutions and Kids Privacy Assured expert services were engineered specifically to address minors online and include the entire spectrum of age, identity and privacy needs for companies whose business objectives involve engaging directly or indirectly with minors, offering stand-alone micro services. 

Contact us to learn more and to see a demo of our easy to implement compliant smart age gate, age verification and parental consent services to help your company comply with the SCOPE Act and other state, federal and international regulations.

For more information about the SCOPE Act:
>> View the bill
>> View the Injunction