Recently, Texas Attorney General Ken Paxton announced an investigation into several digital platforms, including Rumble, Quora, and WeChat, as part of a broader initiative to ensure compliance with state laws aimed at safeguarding children from online exploitation. The inclusion of these platforms surprised some privacy experts, who typically expect social media giants to be scrutinized more closely. Josh Golin, the executive director of Fairplay, a nonprofit advocating for children’s digital safety, noted that concerns over certain platforms often emerge only after tragic events, citing a case involving a British teen who suffered fatal consequences related to content viewed on Pinterest.
Paxton characterized the investigation as “a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.” This comes at a time when the U.S. Congress has not enacted a comprehensive privacy law, leaving states to take the lead in regulating online safety. In particular, Paxton’s inquiry is focused on compliance with the Securing Children Online through Parental Empowerment (SCOPE) Act, which was implemented in September. This legislation applies to any online service that includes social media features and that registers users under 18. It substantially expands the scope of federal regulations, which only cover platforms aimed at children under 13.
Under the SCOPE Act, companies are mandated to verify users’ ages and grant parents or guardians control over their children’s account settings and data usage. They are also prohibited from selling information about minors without explicit parental consent. Notably, Paxton previously filed a lawsuit against TikTok for allegedly failing to meet these requirements, particularly concerning inadequate parental controls and improper data disclosure—a claim that TikTok has denied.
The recent investigation has also invoked the Texas Data Privacy and Security Act (TDPSA), which took effect in July and stipulates that parental consent is required for processing the personal data of users under 13. Companies under scrutiny have been asked to clarify their adherence to both the SCOPE Act and the TDPSA, as indicated by legal demands released through public records.
As part of the investigation, companies must respond to eight specific questions, including details about the number of Texas minors using their platforms and what measures they have implemented to prevent registration using false birthdates. Additionally, they are required to disclose to whom minors’ data is sold or shared. While it remains unclear if any companies have already complied with these requirements, the pressure is mounting.
The SCOPE Act has not gone unchallenged; industry lobbying groups are contesting its constitutionality in court. They achieved a partial legal victory recently when a federal judge ruled that one provision—mandating companies take steps to limit minors’ exposure to harmful content—was too imprecise. Nevertheless, even if the legislation were overturned, similar laws are anticipated in states like Maryland and New York, which could lead to a patchwork of regulations reinforcing the need for compliance nationwide.
With data protection becoming increasingly critical, state attorneys general may resort to existing laws targeting deceptive business practices to address non-compliance. Ariel Fox Johnson, an attorney specializing in digital policy, emphasized that many companies may unwittingly share or sell information in ways families do not anticipate or understand. As obligations for online safety become more formalized, it has become increasingly apparent that compliance varies significantly across the industry.
In the context of these developments, adversary tactics catalogued in the MITRE ATT&CK framework can help frame where these platforms may be vulnerable. Relevant examples include initial access techniques such as phishing or exploitation of misconfigured permissions, as well as data manipulation resulting from inadequate security controls. Such risks underscore the importance of robust cybersecurity measures in protecting personal information, particularly that of minors in the digital landscape.