Comment 8: Laws. What Are They Good For?

Many states have created new laws in order to regulate a child’s ability to access social media accounts. There are a great number of reasons given for these laws but they all boil down to ‘protecting kids’. These laws are notoriously clunky and ill-defined. In Ohio, this is the Parental Notification by Social Media Operators Act which was codified in ORC 1349.09.  Below are a few highlights provided by Ohio’s Attorney General:

Who is considered a social media “operator” under this law?
An operator means anyone who operates an online website, service or product that allows users to do all of the following:

  1. Interact socially with other users on the website, service or product.
  2. Create a public or semipublic profile to sign into and use the website, service or product.
  3. Populate a list of other users with whom they share a connection within the website, service or product.
  4. Create or post content viewable by others – for example, on message boards, chat rooms, video channels, direct messages, or a main feed that contains content generated by others on the website, service or product.

Note that this law applies only to operators of an online website, service or product that targets children or is reasonably anticipated to be accessed by children. This law does not apply to e-commerce websites that allow for posting of reviews or to media outlets that report the news.

What does an operator need to do to comply with this law?
Before allowing a child to agree to the terms of service or otherwise register, sign up or create a unique account to access or use the website, service or product, an operator must:

  1. Obtain parental consent by doing at least one of the following:
    1. Require a parent or legal guardian to sign and return a form consenting to the child’s use or access via postal mail, fax or e-mail.
    2. If a monetary transaction is involved, require the parent to use a credit card, debit card or other payment system that provides notification for each separate transaction.
    3. Require a parent or legal guardian to call a toll-free telephone number to confirm the child’s use or access.
    4. Require a parent or legal guardian to connect via videoconference to confirm the child’s use or access.
    5. Verify a parent’s or legal guardian’s identity by checking a government-issued ID.
  2. Present a list of features offered by the operator’s website, service or product regarding censoring or content moderation, including any features that can be disabled for a user’s profile. The operator must also provide a link of where these features are listed on the respective website, service or product.

This is a poor approach to meeting its intended goal for a few different reasons. The two most problematic are that the bureaucracy created does little to actually ‘protect’ and that it potentially exposes adult’s Personal Identifiable Information (PII) unnecessarily. While the former problem is straightforward the latter could use some explanation.

Many of the methods required by companies to obtain consent create all new problems, the worst of which is identity verification by government-issued ID. Any of these methods of consent could be easily faked, which is its own issue, but having to give a company data that it really doesn’t need is actually the greatest sin here. Databases are broken into and data extricated on a far too regular basis: to the tune of millions upon millions of records stolen a year. The theft of PII can, and regularly does, end with people having their identities and their money stolen.

We’re left with a law that does little to protect kids (its intended purpose) and exposes others to potential crime which they may not otherwise be exposed. This problem is part of what led to enforcement of the law being presently blocked. The order, by District Judge Algenon Marbley states, “The approach is an untargeted one, as parents must only give one-time approval for the creation of an account, and parents and platforms are otherwise not required to protect against any of the specific dangers that social media might pose.”

The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to