Texas AG Brings SCOPE Act Enforcement Action Against TikTok – Just One Month After Law Took Effect

The Texas Attorney General’s (AG) office announced its first enforcement action under a new children’s and teens’ state privacy law that went into effect a mere month ago. Texas’ Securing Children Online Through Parental Empowerment Act (SCOPE Act) took effect on September 1, and on October 2, the Texas AG filed a civil suit against TikTok, for operating its digital service in a manner that violates the new law.

Below, we provide a deeper dive into the SCOPE Act and discuss the new enforcement action against TikTok, explaining impacts for other businesses that are subject to Texas’ broad new law.

Summary of the SCOPE Act

Effectiveness and Federal Court Injunction. Prior to the law taking effect on September 1, 2024, the Computer & Communication Industry Association and NetChoice filed suit in the Western District of Texas challenging monitoring and filtering requirements of the new SCOPE Act.

In a last-minute ruling, the federal judge granted an injunction on a key element of the SCOPE Act, finding that it could infringe on First Amendment rights. Specifically, the court held that the Texas AG may not enforce the SCOPE Act’s duty for Digital Services Providers (DSPs) to prevent harm to known minors. That provision would have required that a DSP monitor certain categories of content (e.g., content that promotes, glorifies, or facilitates topics like suicide, substance abuse, and stalking, among others) and create a filtering system to ensure the content is not viewed by a child. However, the other requirements under the SCOPE Act were allowed to take effect on September 1.

Applicability. The SCOPE Act applies generally to DSPs, which are defined broadly as persons who own or operate a website, application, program, or software that collects or processes personal identifying information (PII) with internet connectivity. Overall, most of the law’s provisions only apply to DSPs that provide services that: (1) connect users so they can socially interact with other users on the digital service; (2) allow users to create a public or semi-public profile; and (3) allow users to create or post content that can be viewed by other users of the digital service (including message boards, chat rooms, or landing pages, video channels, and main feeds that present to a user content created and posted by other users). However, there is one provision – the “duty as to harmful material” – that applies to all digital service providers.

Importantly, the new law has various carve-outs for certain entities, types of data, and activities. These include exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act; covered businesses and business associates governed by HIPAA; certain small businesses; digital services that only facilitate email or direct messaging services; and digital services that primarily function to provide a user with access to news, sports, commerce, or content primarily generated or selected by the DSP, among other exemptions.

Finally, for the purposes of the SCOPE Act:

  • PII is any information, including sensitive information, that is linked or reasonably linkable to an identified or identifiable individual; and
  • A minor is an individual under the age of 18 who does not have legal restrictions that limit a minor’s ability to make decisions and enter contracts.

New Obligations Under the SCOPE Act. Specifically, the following affirmative obligations set out in the SCOPE Act are now in effect:

  • Register Age of User. A DSP must (i) register the age of the person creating an account for a digital service; and (ii) prevent the person from later altering their age without undergoing a commercially reasonable review process. Notably, a parent may dispute the registered age of a minor.
  • Agreements with Minors. A DSP has certain minimization requirements for collection of PII from known minors, and a DSP may not (i) allow a child to purchase or engage in financial transactions; (ii) share, disclose, or sell a child’s PII; (iii) use their services to collect a child’s precise geolocation; or (iv) deliver targeted advertising to a child.
  • Parental Tools. A DSP must create and provide parents and guardians with tools to supervise the minor’s use of the service. These include the ability to (i) control the child’s privacy and account settings; (ii) allow the minor’s PII to be sold, used for targeted advertising, or for precise geolocation collection; (iii) restrict the ability of a child to make purchases or engage in financial transactions; and (iv) monitor and limit the amount of time the child spends using the service. DSPs must also offer a method for parents to submit requests to access PII associated with their child. This method must allow a parent to review and download any information in the possession of the provider and delete any information collected or processed by that provider.
  • Advertising and Marketing. A DSP may not advertise products, services, or activities that are unlawful for minors.
  • Use of Algorithms. A DSP must disclose how algorithms are used to provide information or content and the manner in which the algorithm promotes, ranks, and filters this information or content. This includes disclosing if children’s PII is used as an input in the algorithms.
  • Duty as to Harmful Material. A DSP that knowingly publishes or distributes material, more than one-third of which is harmful or obscene, must use a commercial reasonable age verification method to verify that any person seeking to access content through the provider’s digital service is 18 years of age or older.
  • Duty to Verify a Parent or Guardian. A DSP shall verify, using a commercially reasonable method, each person seeking to perform an action on a digital service as a minor’s parent or guardian.

Enforcements and Penalties. The SCOPE Act is enforceable by the Consumer Protection Division of the Office of the Attorney General of Texas, which may seek civil penalties of up to $10,000 per violation, injunctive relief, and attorney’s fees. The SCOPE Act does not confer a broad private right of action, but it does allow parents and guardians of known minors to file suit to obtain a declaratory judgment against a digital service provider.

The Enforcement Action Against TikTok

According to the Texas AG filing, TikTok violates the SCOPE Act by (1) unlawfully sharing, disclosing, and selling known minors’ personal identifying information; (2) failing to use a commercially reasonable method for a parent or guardian to verify their identity and relationship to a minor; and (3) failing to create and provide parental tools for the accounts of minors.

First, the Texas AG alleges that TikTok shares, discloses, and sells a known minor’s personal identifying information including but not limited to “date of birth, email, phone number, and device settings, such as device type, language preference, and country setting, as well as data about a user’s interaction with TikTok, such as videos viewed, “liked” or shared, accounts followed, comments, content created, video captions, sounds, and hashtags.” The type of personal identifying information sold and shared is dependent on the user’s privacy settings and status as a “public” or “private” account. Second, the filing states that TikTok fails to verify a parent’s identity and relationship with a known minor. Third, the filing alleges TikTok failed to implement “parental tools” to allow a verified parent to control or limit a known minor’s privacy settings or supervise the known minor’s use of a digital service.

The Texas AG is seeking civil penalties of up to $10,000 per violation and injunctive relief to prevent future violations of the SCOPE Act by TikTok.  

Implications for Businesses

Given the broad definitions under the SCOPE Act, businesses that would not necessarily expect to be covered may fall under the definition of a DSP. Any business that provides an online service that allows for interactive engagement, such as a message board or chat room, should carefully assess the SCOPE Act to determine if they are subject to its requirements.

In terms of enforcement, the Texas AG’s first enforcement action under the SCOPE Act, which came a mere month after the law took effect, sends a clear signal to covered businesses that compliance with the SCOPE Act will be closely monitored by the AG.

Wiley’s Privacy, Cyber & Data Governance team assists clients with a full spectrum of privacy, cybersecurity, and data governance issues, which includes monitoring and advising on the development of state privacy laws and regulations. Please reach out to any of the authors with questions.

Tags

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek