An Open Letter to Utah Senator Todd Weiler
May 2, 2023
The Honorable Todd D. Weiler
1248 W 1900 South
Woods Cross, UT 84087
Subject: Compliance with SB287
Dear Senator Weiler,
I am writing to express my concerns about the bill you sponsored, SB287, which takes effect on May 3. As the Executive Director of the Free Speech Coalition, the trade organization for the adult industry, I am tasked with interpreting your bill to create guidance for our members when the law goes into effect. Unfortunately, despite consulting over a dozen lawyers, I must admit I'm stumped. The law is so vague — and the requirements for compliance so contradictory — I cannot figure out how FSC members can follow this law.
SB287 gives three options for complying with the law, none of which we understand, despite being intimately familiar with existing age-verification protocols:
First, a "digitized information card … available through a state-approved application". Unlike Louisiana (which crafted the legislation SB287 is based on), Utah does not have a system for verifying a Mobile Driver's License online.
Second, verification through a database that is "regularly used by government agencies and businesses for the purpose of age verification." We are unaware of how to determine whether a database meets this criterion and would appreciate it if you could provide direction on this point.
Third, "any commercially reasonable method that relies on public or private transactional data to verify the age of the person attempting to access the material." This language seems to imply that age verification providers must contract with data brokers — an option with significant privacy issues for Utahns. This is especially so since the law does not require providers to meet any of the security standards used by reputable age verification services (for example, ISO/IEC 27001, SOC 2, or BSI PAS 1296:2018).
There are many other methods of age verification in use that are not specifically authorized by the law. For example:
Non-digitized identification documents
Mobile phone records
Biometric analysis
Open banking and credit card data
We are concerned that because the bill is unclear on which approaches are approved, it is possible that different courts could interpret the law in different ways. Without unambiguous guidance, we fear that even sites that make a good-faith effort to comply risk being sued, even if they are using more aggressive methods of age verification.
Beyond the method of compliance, the fundamental question of which sites are required to institute age verification is entirely unclear. SB287 specifies that sites containing more than 33 ⅓ percent material "harmful to minors" must institute age-verification protocols. How is that percentage calculated? The volume of data? The number of posts? What is the proper metric to measure? Gigabytes? Character count? The number of images? Video runtime? Does the law apply to social media platforms, like Twitter and Reddit, which host substantial amounts of content that the law designates harmful to minors?
Further, SB287 specifies that the commercial entity which posts the content to the internet from a site with a substantial portion of such material is liable. In this case, who is responsible — the website on which such content is posted, the entity that posted the content, or both?
You may recall that we wrote to you while the legislature was considering this bill, requesting a dialogue about these issues. While we understand that you may be morally opposed to our work and perhaps object to our right to speech, we could have — at the very least — helped you draft a technologically sound law. The offer stands.
Thank you for your time and consideration.
Sincerely,
Alison Boden
Executive Director
Free Speech Coalition