On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Under this legislation, simply clicking “I am 18 or older” is no longer sufficient; an individual must now provide personally identifiable information, including, in some cases, a biometric face scan.

Adult Content Websites Require Collection of Personal Data

The Act is similar to Louisiana’s Act No. 440, which also requires that websites providing pornographic material provide for reasonable age verification. But the Utah and Louisiana laws differ in one significant way: In Louisiana, the state government created a digital wallet that allows website operators to securely verify state IDs against the Louisiana database. This provides added security because website operators are not required to involve third-party services that may share or sell consumer data in accordance with stated privacy practices. Utah, however, has no state government database. Website operators may have no choice but to utilize a third-party service to verify age if the operator wants to provide access to individuals in Utah. As with all laws, the question is how to meet the government’s stated goal without unfairly impairing the rights of businesses and their customers.

One consequence is already visible. In response to the Act, adult-oriented platforms owned by MindGeek (such as Pornhub, Brazzers, YouPorn, and Redtube) have blocked access in Utah. In a video statement, Pornhub spokesperson Sharita Bell explained the decision: “While safety and compliance are at the forefront of our mission, giving your ID card every time you want to visit an adult platform is not the most effective solution for protecting our users – and in fact, will put children and your privacy at risk.”

While one company completely terminates service in the subject jurisdiction, another business may seek to collect even more personal information about its customers in an attempt to comply and, in doing so, potentially trigger the applicability of other privacy laws. The adult website xHamster requires individuals in Utah to either (a) use third-party facial analysis technology that estimates the user’s age through live access to the webcam on the user’s device, or (b) upload government-issued identification. Both the facial recognition analysis and ID upload are provided through the digital identity company Yoti. The process, according to Vice News, is cumbersome. Users must:

  1. download the Yoti app on a mobile phone,
  2. sign up for an account,
  3. scan a QR code,
  4. provide consent for Yoti to either scan the user’s face or scan their ID,
  5. enter a date of birth,
  6. agree to several pages of terms and conditions and privacy policies,
  7. acknowledge how Yoti may use personal data for research purposes,
  8. obtain a verification code via text,
  9. create a 5-digit PIN,
  10. scan and upload either a selfie or ID, and then
  11. wait for Yoti to review.

After being approved by Yoti, the user must then register an account with xHamster or scan their face for Yoti every time they wish to access the website. 

State Legislatures Are Also Targeting Social Media Platforms

Adult websites are not the only target of age verification laws. This year, Utah also enacted the Utah Social Media Regulation Act, which requires social media platforms like Facebook, Twitter, and Instagram to confirm users are at least eighteen years old or have the express consent of a parent or guardian. Last month, the Arkansas legislature enacted a similar law. The Arkansas legislation creates a carve-out for companies that sell (a) cloud storage services, (b) business cybersecurity services, or (c) educational technology and that simultaneously derive less than 25% of their total revenue from running a social media platform. Connecticut, New York, and Wisconsin are considering similar social media regulatory bills. Further, the EU’s Digital Services Act and Britain’s Online Safety Bill similarly require age verification in order to change a user’s internet experience with respect to targeted advertising based on age.

The Free Speech Coalition, a trade association for the adult entertainment industry, has filed a lawsuit challenging the Act. Privacy advocates have also expressed concern about the Act’s practical requirement that personally identifiable information be shared with third parties who are entitled to process that information according to their respective terms and conditions. Indeed, the wave of age verification legislation across the country demonstrates that companies will need to think critically about the nature of their services and about how consumers will respond to the way personal data is collected, shared, and processed to verify age. State privacy laws like the California Consumer Privacy Act, Virginia Consumer Data Protection Act, and Colorado Privacy Act only complicate this analysis.

Next Steps for Website Operators

As with all technology issues and the laws that attempt to regulate them while balancing all interests, much remains to be seen in how these laws are enacted and enforced. That said, here are some basic recommendations for businesses seeking to comply with applicable laws.

  • Website operators should take an inventory of services to determine whether any offerings could constitute either adult material or social media content, and so whether age verification legislation is applicable.
  • Operators should also look to see if state regulations relating to privacy options, such as the California Age-Appropriate Design Code Act, govern the operator’s platform.
  • The next step is to determine the best means of authenticating user identity, and to reconcile how information sharing to authenticate identity may or may not align with a user’s goals and preferences.
  • From there, website operators may need to consider how state legislation relating to the collection and processing of personally identifiable information in general could impact the use of potential third-party providers and authentication technologies.

Taft’s Privacy and Data Security attorneys will continue to monitor this and other developments relating to age verification legislation. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application, which is free for download from Google and Apple.