Photo of Evan Davis

Evan Davis advises clients in the technology, consumer products, retail, and video gaming industries on varied privacy and data protection matters.

After a flurry of legislative activity across the United States related to kids’ privacy and safety online, in recent weeks, federal courts in Arkansas and California have enjoined two notable state laws. A federal court in Arkansas preliminarily enjoined the Arkansas Social Media Safety Act (AR SMSA) on August 31, the day before the statute was scheduled to take effect for social media platforms in scope. The U.S. District Court for the Western District of Arkansas found that the plaintiff, NetChoice, LLC, is likely to succeed on the merits of its constitutional challenges.

Less than three weeks later, on September 18, the U.S. District Court for the Northern District of California also preliminarily enjoined California’s Age-Appropriate Design Code (CA AADC), holding that NetChoice is likely to succeed in showing that 10 CA AADC requirements violate the First Amendment.Continue Reading Federal Courts Preliminarily Enjoin Arkansas Social Media Safety Act and California Age-Appropriate Design Code

For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule. Under COPPA, operators of online sites and services “directed to children” under 13 must obtain VPC before collecting personal information from a child online. The COPPA Rule enumerates several acceptable methods for obtaining VPC, but also allows interested parties to submit new VPC methods to the FTC for approval. The FTC has announced that the Entertainment Software Rating Board (ESRB), which operates a COPPA safe harbor program, along with Yoti Ltd., a digital identity company that offers identity verification, age assurance, reusable digital identity, and e-signature solutions, and SuperAwesome Ltd., which provides technology to help companies comply with parental verification requirements, submitted an application for a new VPC method utilizing “Privacy-Protective Facial Age Estimation,” which is designed to analyze the geometry of a parent’s face to confirm that they are an adult.Continue Reading COPPA: Public Comment Period Open for Proposed Verifiable Parental Consent Method

On June 6, 2023, Florida Governor Ron DeSantis signed Senate Bill 262 into law. SB 262 is a departure from the comprehensive privacy laws enacted by other states for a variety of reasons, including its (1) ban on government-directed moderation of social media, (2) restrictions on online interactions with minors (somewhat akin to the California Age-Appropriate Design Code), and (3) establishment of a “digital bill of rights” that creates general consumer privacy rights similar in many respects to those adopted in other states but, unlike them, Florida’s are narrowly applicable. Governor DeSantis has not shied away from saying the new law is directly aimed at “Big Tech,” and the targeted application of certain aspects of the law reflects that goal.

The ban on government-directed moderation took effect on July 1, 2023, with the protections for minors and digital bill of rights provisions set to take effect on July 1, 2024.Continue Reading Florida Enacts “Digital Bill of Rights” Combining Narrowly Applicable “Comprehensive” Privacy Provisions and More Broadly Applicable Restrictions on Children’s Privacy and Social Media Restrictions

Less than one month after Utah adopted the nation’s first law restricting the use of social media platforms by minors under 18, Arkansas last week enacted its Social Media Safety Act (the Act), SB396. The Act, which goes into effect on September 1, 2023, similarly bars minors from holding accounts on social media platforms without parental consent and requires social media companies to complete “reasonable age verification” via a third-party vendor.Continue Reading Arkansas Becomes Second State To Enact Social Media Restrictions for Minors

On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections. Iowa’s new legislation appears to be the most business-friendly omnibus privacy law yet, with fewer requirements than those of other states. The law will apply to a person who conducts business in Iowa or produces products or services targeted to Iowa residents, and who meets either of the following requirements in a calendar year: (1) processes the personal data of 100,000 consumers or more (consumers defined as residents of Iowa “acting only in an individual or household context”) or (2) controls or processes the personal data of at least 25,000 consumers and derives over 50% of annual gross revenue from the sale of personal data.Continue Reading Joining the Privacy Party: Iowa Becomes the Sixth State To Adopt a Comprehensive Privacy Law

Utah state lawmakers are poised to change how (and when) minors who reside in Utah can use social media. Introduced in January, S.B. 152 and H.B. 311 recently cleared the Utah legislature and both bills have been sent to Governor Spencer Cox, who dismissed industry concerns that the bills would pose privacy risks, impede minors’ independence, and violate the First Amendment. If signed, the bills would go into effect on March 1, 2024.Continue Reading Utah Legislature Approves Social Media Restrictions for Minors