On June 7, 2024, the New York legislature passed the New York Child Data Protection Act (S.B. S7695B). Governor Hochul celebrated its passage in a recent press release and is expected to sign the Act. Once signed, it will go into effect one year later.
The Act is intended to protect the privacy of minors by significantly restricting online service operators from collecting or processing personal data of users they know are minors, or on products and services “primarily directed to minors.” The Act was passed alongside the Stop Addictive Feeds Exploitation for Kids Act (SAFE Act), which regulates certain features of social media platforms.
Who is impacted?
The NY Child Data Protection Act imposes obligations on operators of websites, mobile applications, connected devices, and other online services that collect or process personal data of people under the age of 18.
My products collect or process personal data of people under the age of 18. What new obligations do I have?
The obligations of the Act differ significantly from those in the current federal COPPA (though the Act permits processing of data from children under 13 to the extent processing complies with COPPA) and from the California Age-Appropriate Design Code Act. Therefore, those impacted by the Act should take care to learn and comply with these new obligations.
Significantly limit use of personal data. Under the Act, online service operators would be required to limit their use of personal data of teens between 13 and 17 years old to only what is “strictly necessary” to provide a requested product/service or for limited exceptions. Strictly necessary uses do not include marketing, advertising, research and development, providing products/services to third parties, or prompting teens to use the website/app/service. Operators who seek to process children’s and teens’ data for more uses must obtain informed consent from those children and teens (or parents, in some cases).
Obtain informed consent for processing that isn’t strictly necessary. Under the Act, informed consent:
would be requested separately from any other transaction (such that it could not be buried in terms of service),
must not be made with mechanisms that obscure or mislead users,
must clearly and conspicuously describe the processing for which the consent is requested and that the user can decline and still use the online service, and
must clearly provide an option to refuse consent as the most prominent option.
The Act would prohibit informed consent from being required to access the products/services. Furthermore, if informed consent is withheld or revoked (or parental consent for users under the age of 13 is not obtained), those products/services must be provided at the same quality and price. If informed consent is declined or revoked, operators must refrain from requesting informed consent for one year after the consent is declined or revoked. Operators are allowed to make available a mechanism that the user can use unprompted and at the user’s discretion to provide informed consent.
Stop and prevent purchases and “sales” of a minor’s personal data. Under this Act, operators are prohibited from purchasing or selling a minor’s personal data, where “sale” is a disclosure for “monetary or other valuable consideration.” Furthermore, an operator may not allow a processor or third-party operator to purchase or sell a minor’s personal data.
Delete minors’ personal data. The Act would require operators to have processes in place to destroy personal data and direct all vendors/processors to destroy personal data within thirty days after learning that a user is a minor.
Notify third parties of minor users. Before sharing personal data, operators must inform third parties that obtain personal data in connection with the website/app/service/device (e.g. pixel and SDK providers that assist with online advertising) which users are minors or that the website/app/service/device is primarily directed to minors.
Impose contractual limits on processors. The Act also sets out specific contract requirements for all processors that will process minor personal data, and imposes additional obligations on processors (regardless of contract terms). These terms include use limitations and auditing provisions.
Browser or device-sent signals. The Act would also require that operators detect and act on browser or device-sent signals indicating that the user is or should be treated as a minor.
What enforcement actions may be taken if I fail to comply with the Act?
The Attorney General is empowered to enforce the Act, and is expressly allowed to seek injunctions, restitution, profit and data disgorgement, and civil penalties of $5,000 per violation. The AG can also issue regulations.
Companies that determine they are in scope should determine which minor personal data processing meets the “strictly necessary” standard, and establish a compliance plan that addresses the requirements in the law.
Sam Castic is a Partner with Hintze Law with 15 years of global privacy and cybersecurity experience.
Charlotte Lunday is a Senior Associate at Hintze Law. Charlotte has significant in-house experience having seconded at Fortune 100 social media companies and as a former legal intern at Amazon.
Clara De Abreu E Souza is Hintze Law’s current summer associate and a J.D. Candidate at Seattle University School of Law.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global AI & data protection. Its attorneys and privacy consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy & data security.