What Could New York’s Two Child Privacy Protection Bills Mean for Businesses?

June 17, 2024
Privacy, Cyber & AI Decoded

On June 7, 2024, the New York state legislature passed two bills aimed at increasing the protection of children in an ever-changing digital world. Titled the New York Child Data Protection Act (CDPA) and the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, these bills seek to protect children by restricting the selling of their data and limiting their access to predatory and addictive technology platforms seeking to exploit them.

Governor Hochul has pledged to sign the bills into law, so covered entities should be aware of the following key provisions and be prepared to comply. 

New York Child Data Protection Act Provisions

1. Scope Restrictions

The CDPA prohibits “operators” (i.e., any person who operates or provides a website on the internet, mobile app, or connected device that collects or maintains personal data from the users of the site) from processing the personal data of covered users unless it is strictly necessary for the platform, or “informed consent” has been received.

While a “covered user” is defined as a user under 18 years of age, if the minor is younger than 13 years old, the operator must obtain parental consent in a manner that complies with the Children’s Online Privacy Protection Act (COPPA).

The Act states that the processing of personal data is permissible if it is strictly necessary for a series of outlined specific purposes. These include providing or maintaining a requested product or service, conducting internal business operations (excluding marketing, advertising, R&D, or third-party services), identifying and repairing technical errors, and complying with laws/preventing security threats. 

Furthermore, to receive “informed consent,” the Child Data Protection Act highlights such requirements as:

(i) the request is made separately from any other transaction or part of a transaction;

(ii) be made absent any mechanism whose purpose is to impair a covered user’s decision-making regarding authorizing the processing; or

(iii) shows that processing is optional, and the covered user may decline without any hindrance to using the platform.

Operators must inform third parties that data is from a covered user. In that case, the law prohibits the third party from disclosing the data or processing it without a written and binding agreement governing such disclosure and processing. At the end of the contract, the third party must delete or return all the data of the covered user to the operator. 

2. Data Requirements

Another key restriction in this Act prohibits operators from purchasing, selling, or allowing a third-party operator to purchase or sell personal data from covered users. “Selling” is defined broadly as the sharing of personal data for “monetary or other valuable consideration.”

Moreover, the Act includes stringent requirements highlighting the need to treat users as covered users if their activity within the device indicates that they are a minor–whether through the use of a browser plug-in, privacy or device settings, or other mechanisms outlined within the Act.

3. Enforcement

The law will become effective one year after it is signed into law. The Attorney General will enforce it whenever it appears that any person, “within or without the state,” has violated the Act.  

Stop Addictive Feeds Exploitation (SAFE) Act Provisions

1. Scope Restrictions

The SAFE Act is more targeted than the Child Data Protection Act, applying to “covered operators,” which is any entity that operates or provides an “addictive social media platform.” These platforms are websites, online services, or mobile applications that offer users an addictive feed as a significant part of their service.

Despite numerous exceptions, an “addictive feed” is a platform where multiple pieces of media generated or shared by users are recommended, selected, or prioritized based on user-related information.

It is important to note that the restrictions under the SAFE Act on “addictive feeds” are inapplicable if the service has determined that a user is not a minor under the age of 18 (covered user) or if the service has obtained parental consent for a minor to be provided said feed.

2. Enforcement

Once signed into law, the SAFE Act will go into effect 180 days after the Attorney General publishes a final set of rules and regulations that it will then enforce. The Attorney General has also been tasked with setting up a website for complaints. Those found to violate the law will face penalties of up to $5,000 per violation. 

Law clerk Spencer Hofmann contributed to this post. He is not currently admitted to practice law.