A new Mississippi law, known as the Walker Montgomery Protecting Children Online Act, has prompted several companies to block Mississippi IP addresses from accessing their platforms. In fact, social media company Bluesky posted a response to the enactment of the law on its website. Bluesky explained the decision to make their app unavailable to Mississippi residents, stating:
Mississippi’s HB1126 requires platforms to implement age verification for all users before they can access services like Bluesky. That means, under the law, we would need to verify every user’s age and obtain parental consent for anyone under 18. The potential penalties for non-compliance are substantial — up to $10,000 per user. Building the required verification systems, parental consent workflows, and compliance infrastructure would require significant resources that our small team is currently unable to spare as we invest in developing safety tools and features for our global community, particularly given the law’s broad scope and privacy implications.
Bluesky’s decision to block certain users came after the U.S. Supreme Court permitted the Mississippi act to take effect while First Amendment challenges to the law are pending. The Mississippi act requires any website or app that allows users to post content, create a profile, and interact with other users to verify the age of each user, no matter the type of content. The law provides hefty penalties up to $10,000 per user for failure to comply and permits parents and guardians to bring legal actions.
In its company statement explaining its decision, Bluesky highlighted the substantial financial burdens required to comply with broad age-verification laws. Bluesky specifically cited the “substantial infrastructure and developer time investments, complex privacy protections and ongoing compliance monitoring” required by such laws, noting that these costs can easily push smaller providers out of the market. The same is true for small companies that never intended to be social media platforms but nonetheless fall within the coverage of the statute.
The uncertainty about what verification efforts qualify as “commercially reasonable” further complicates compliance. The statute specifically requires the platform or application provider to verify the age of every user “with a level of certainty appropriate to the risks that arise from the information management practices” of the provider. Are companies required to store state-issued IDs or use fingerprint or facial recognition? Is use of AI permissible to determine age? What is clear is that whichever method is utilized, the costs and risks associated with storing users’ private information will increase.
While the Mississippi act continues to face legal challenges, the push to protect children online, including more stringent parental consent and age-gating is not going away. State legislatures around the country are enacting similar laws, and the U.S. Supreme Court has signaled that it will not stand in the way of enforcement while legal challenges are pending.
For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog, Online and On Point, or reach out to one of our authors.