Privacy experts who spoke to WIRED described Rumble, Quora and WeChat as unusual suspects, but declined to speculate on the reasoning behind their inclusion in the investigation. Josh Golin, executive director of the nonprofit Fairplay, which advocates for children’s digital safety, says the concerns aren’t always obvious. Few advocacy groups have worried about Pinterest, for example, until the case of a British teenager who died of self-harm after being exposed to sensitive content on the platform, he says.
Paxton’s press release last month called his new investigation “a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.”
The United States Congress never passed comprehensive privacy lawand that did not significantly update the rules on children’s safety on the Internet in a quarter of a century. This is why state legislators and regulators played a big role.
Paxton’s investigation focused on compliance with the Texas Child Online Protection Through Parent Empowerment Act, or SCOPE, which came into force in September. It applies to any website or application with social media or chat functions that registers users under the age of 18, making it broader than the federal law that only covers services intended for users under the age of 13.
SCOPE requires services to request a user’s age and give parents or guardians power over a child’s account settings and user data. Companies are also prohibited from selling information collected about minors without parental permission. In October, Paxton sued TikTok for allegedly violating the law by providing inadequate parental controls and disclosing information without consent. TikTok has denied the allegations.
The investigation released last month also invoked the Texas Data Privacy and Security Act, or TDPSAwhich came into effect in July and requires parental consent before processing data on users under the age of 13. Paxton’s office has asked the companies under investigation to provide details on their compliance with the SCOPE Act and TDPSA, according to legal requests obtained through public records requests.
In total, the companies must answer eight questions by next week, including the number of Texas minors they count as beneficiaries who were barred from registering an incorrect date of birth. Lists of who minors’ information is sold or shared with must be submitted. It could not be ascertained whether any companies have already responded to the demand.
Lobbying groups of technology companies are challenging the SCOPE Act’s constitutionality in court. In August, they secured an initial and partial victory when a federal judge in Austin, Texas, ruled that a provision requiring companies to take steps to prevent minors from viewing self-harm and offensive content was too vague.
But even an outright victory may not be a panacea for tech companies. States, including Maryland and New York, are expected to implement similar laws early this year, according to Ariel Fox Johnson, an attorney and director of the consulting firm Digital Smarts Law & Policy. And state attorneys general could resort to prosecuting narrower cases under their time-honored laws that prohibit fraudulent business practices. “What we see is that information is often shared or sold or disclosed in ways that families didn’t expect or understand,” Johnson says. “As more and more laws are passed creating strong requirements, it seems to be becoming increasingly clear that not everyone is following them.”