Utah’s one-of-a-kind law creating new data portability and interoperability requirements for social media companies is set to usher a broad set of US platforms into a costly and complex era of compliance.
The law that allows individuals to transfer their data between social media sites has sparked interest from a half-dozen other states and signals a paradigm shift in control of personal information once it’s posted online, bill sponsor Utah state Rep. Doug Fiefia (R) said. Spreading the model, however, will be an uphill battle, based on opposition from industry trade groups representing companies such as
“It’s precedent setting,” said James R. Molen, partner at Greenberg Glusker Fields Claman & Machtinger LLP. “It’s the first state law that explicitly requires social media companies to actually build tools that let users transfer their personal data to other services.”
Utah Gov. Spencer J. Cox on March 27 signed into law the data sharing bill (H.B. 418), which allows consumers to pull their information from social platforms and transmit it to another service. Companies will have to implement interoperability interfaces—with little guidance yet on how to do so—while preparing for risks that could emerge during the exchange of data to third parties.
“It’s going to require an actual going into the guts of these platforms and making changes in order to comply,” Molen said.
‘Unique’ Law
The law targets social media companies, defined as entities that operate a public website or application that displays content primarily generated by account holders and that allows users to interact with each other.
It seeks to give users more control over their data, particularly from social media companies that have “demonstrated a pattern of restricting” users’ ability to share information across different platforms.
“That’s kind of the paradigm shift is, this is no longer social media platforms’ data and information once we post it. It’s truly ours as the user, and we can control it and manage and move it how we please,” Fiefia, a former Google sales employee, said.
Many state privacy laws already include data portability requirements allowing users to take back their data. Utah’s interoperability principles, which focus on data transfers between platforms, are unique, privacy attorneys said.
Social media companies will be required to implement a transparent interface that allows users to share a common set of personal data between social platforms and allows third parties to access content created by the user. Platforms will also be required to secure the data obtained through the interface.
Fiefia said the bill avoided a mandate on protocols to use to give tech companies flexibility. “You can bake a cookie 1,000 ways, and we didn’t want to give the actual recipe and say this is how you do it,” he said.
The law raises significant technical and legal challenges for companies, attorneys said. Organizations will have to ensure that data is encrypted in transit, for instance, and vet and monitor third-party recipients of the data.
“It’s this mixed operational, technical, legal question,” said Philip N. Yannella, partner and co-chair of the privacy, security, and data protection practice at Blank Rome LLP.
Industry Concerns
Tech industry groups lobbied against the bill, arguing companies will face burdensome compliance challenges and privacy vulnerabilities. TechNet, a trade group whose members include Google and Meta, said in written testimony that the provisions could open the door to bad actors that trick users into sharing their personal information.
The Computer and Communications Industry Association, with members such as X and
“That’s a huge privacy concern for us and something that we really feel needs to be looked further into,” Megan Stokes, the group’s state policy director, said.
The law’s current definition of social media companies also casts a wide net, putting many organizations that may not traditionally identify as social platforms in scope.
Many websites “might very well display content that’s generated by account holders,” as defined in the law, which could “cover any number of smaller sites that are at the community level, for example,” said Rita Heimes, senior counsel at Crowell & Moring LLP and former general counsel and chief privacy officer at the International Association of Privacy Professionals.
A New Model?
Utah’s novel approach to regulating social media may catch on. Yet, even shy of spreading, the law will already have national implications given social media companies operate across states, Molen said.
“It’s going to create a major shift in the market, and you’re probably going to see other states following suit,” he said.
Fiefia told Bloomberg Law that six other states have followed the bill’s journey closely, though he declined to specify. Fiefia said he plans to meet with additional states this year.
“We’re actually hoping that this becomes model legislation for other states across the country,” he said.
Organizations may get an opportunity to clarify some of their obligations ahead of the July 1, 2026, implementation date. The Division of Consumer Protection, which will enforce the law, has the authority to issue rulemaking and may identify open protocols that meet the law’s requirements.
Utah’s foray into new regulatory territory is proof that “states are taking consumer privacy very seriously right now,” Heimes said. “This is a sign that some states are willing to take new positions and cover new ground.”
To contact the reporters on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.