Adult sites are starting to geo-block Utah. While there are many issues at stake here, one of the biggest is the near impossibility of compliance with the law as written. FSC Executive Director Alison Boden has sent a letter to Sen. Todd Weiler, the architect of the law, detailing the issues and requesting clarification.

The Honorable Todd D. Weiler 1248 W 1900 South Woods Cross, UT 84087 Subject: Compliance with SB287 Dear Senator Weiler, I am writing to express my concerns about the bill you sponsored, SB287, which takes effect on May 3. As the Executive Director of the Free Speech Coalition, the trade organization for the adult industry, I am tasked with interpreting your bill to create guidance for our members when the law goes into effect. Unfortunately, despite consulting over a dozen lawyers, I must admit I'm stumped. The law is so vague — and the requirements for compliance so contradictory — I cannot figure out how FSC members can follow this law. SB287 gives three options for complying with the law, none of which we understand, despite being intimately familiar with existing age-verification protocols: First, a "digitized information card … available through a state-approved application". Unlike Louisiana (which crafted the legislation SB287 is based on), Utah does not have a system for verifying a Mobile Driver's License online. Second, verification through a database that is "regularly used by government agencies and businesses for the purpose of age verification." We are unaware of how to determine whether a database meets this criterion and would appreciate it if you could provide direction on this point. Third, "any commercially reasonable method that relies on public or private transactional data to verify the age of the person attempting to access the material." This language seems to imply that age verification providers must contract with data brokers — an option with significant privacy issues for Utahns. This is especially so since the law does not require providers to meet any of the security standards used by reputable age verification services (for example, ISO/IEC 27001, SOC 2, or BSI PAS 1296:2018). There are many other methods of age verification in use that are not specifically authorized by the law. For example: Non-digitized identification documents Mobile phone records Biometric analysis Open banking and credit card data We are concerned that because the bill is unclear on which approaches are approved, it is possible that different courts could interpret the law in different ways. Without unambiguous guidance, we fear that even sites that make a good-faith effort to comply risk being sued, even if they are using more aggressive methods of age verification. Beyond the method of compliance, the fundamental question of which sites are required to institute age verification is entirely unclear. SB287 specifies that sites containing more than 33 ⅓ percent material "harmful to minors" must institute age-verification protocols. How is that percentage calculated? The volume of data? The number of posts? What is the proper metric to measure? Gigabytes? Character count? The number of images? Video runtime? Does the law apply to social media platforms, like Twitter and Reddit, which host substantial amounts of content that the law designates harmful to minors? Further, SB287 specifies that the commercial entity which posts the content to the internet from a site with a substantial portion of such material is liable. In this case, who is responsible — the website on which such content is posted, the entity that posted the content, or both? You may recall that we wrote to you while the legislature was considering this bill, requesting a dialogue about these issues. While we understand that you may be morally opposed to our work and perhaps object to our right to speech, we could have — at the very least — helped you draft a technologically sound law. The offer stands. Thank you for your time and consideration.

You can follow the FSC on Twitter at @fscarmy.