Keypoint: Assuming the bills become law and go into effect, operators of websites and online services that collect the personal data of minors and are subject to the bills will need to undertake several compliance activities.

On June 7, 2024, the New York legislature passed two bills directed at kids’ use of online technologies – the New York Child Data Protection Act (S7695) and the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (S7694). The bills will next move to New York Governor Kathy Hochul for consideration. The Governor already issued a press release in support of the bills.

Conversely, NetChoice – a trade association for Internet companies – issued a press release and wrote a Daily News’ op-ed calling the bills unconstitutional. NetChoice previously challenged the constitutionality of California’s Age-Appropriate Design Code Act. NetChoice won at the trial level and the case is on appeal.

In the below article, we provide a brief summary of the two bills.

New York Child Data Protection Act

Applicability

As between the two bills, the New York Child Data Protection Act has broader applicability.

In general, the act applies to “operators” of online services that collect personal data of “covered users.”

“Operator” is defined as “any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data.”

A “covered user” is a New York user of a website, online service, etc. (1) that the operator actually knows to be a minor (defined as under 18 years of age) or (2) where the website, online service, etc. is “primarily directed to minors.” A website, online service, etc. is primarily directed to minors if it is “targeted to minors.”

Requirements

1. Processing Restrictions

Operators cannot process (or allow a processor to process) the personal data of a covered user unless: (1) for users under 13, the operator obtains COPPA parental consent or (2) for users ages 13 to 17, the processing is either (a) strictly necessary for certain specified activities or (b) the operator obtains informed consent.

The act identifies eight processing activities that are strictly necessary, including, for example, (1) providing or maintaining a specific product or service requested by the covered user, (2) conducting internal business operations (defined to exclude, among other things, marketing and advertising); (3) protecting against fraud, and (4) complying with law.

As noted, if the processing is not strictly necessary, an operator must obtain “informed consent” from the covered user. The act specifies that informed consent must be obtained (1) through a request made separately from any other transaction, (2) without the use of dark patterns, (3) by stating that the processing is not strictly necessary and that a user may decline and (4) by presenting an option to refuse consent. Operators also must respect consent signals sent from a user’s device. Notably, while the act specifies the process by which informed consent must be obtained, it does not address what information an operator must provide to a user to ensure that the consent is “informed.”

Operators must follow the same rules before allowing third-party operators to collect covered user personal data. Third-party operators are operators that are not the operator with whom the user intentionally and directly interacts or that collects personal data from the direct and current interactions with the user.

2. Purchasing and Selling Covered User Data

Operators are prohibited from purchasing or selling, or allowing a processor or third-party operator to purchase or sell, the personal data of covered users.

3. Age Flags

Operators are required to treat users as covered users if a user’s device communicates or signals that the user is or shall be treated as a minor through a browser plug-in or privacy setting, device setting, or other mechanism that complies with Attorney General regulations.

4. Data Deletion After Learning User is a Covered User

If an operator learns that a user is a covered user, it has thirty days to delete the covered user’s data unless the operator’s processing, as applicable, complies with COPPA, is strictly necessary, or the operator obtains informed consent. It also must inform third-party operators it knows it allowed to process the personal data that that user is a covered user.

5. Data Processing Agreements

Operators and processors must enter into data processing agreements with third parties prior to disclosing the personal data of covered users to such third parties. Operators also must enter into data processing agreements with processors.

6. Notice to Third-Party Operators

Operators must provide notice to third-party operators that collect or process covered user personal data on the operator’s website, online service, etc. if the website, online service, etc. is primarily directed to minors or the personal data concerns a covered user.

Enforceability

The act is enforceable by the New York Attorney General.

Rulemaking

The Attorney General is authorized (but not required) to promulgate rules and regulations to effectuate and enforce the act.

Effective Date

The act will go into effect one year after it becomes law.

Stop Addictive Feeds Exploitation (SAFE) for Kids Act

Applicability

The act applies to “covered operators” which it defines as “any person, business, or other legal entity, who operates or provides an addictive social media platform.” An “addictive social media platform” is a website, online service, online application, or mobile application, that offers or provides users an addictive feed as a significant part of” its services.

The act’s definition of “addictive feed” is nearly four hundred words long. In short, subject to numerous exceptions, an addictive feed is an online website or application in which “multiple pieces of media generated or shared by users” of that website or application, “either concurrently or sequentially, are recommended, selected, or prioritized for display to a user based, in whole or in part, on information associated with the user or the user’s device.”

Requirements

1. Addictive Feeds

The act makes it unlawful for a covered operator to provide an addictive feed to a covered user unless (1) the covered operator has used commercially reasonable and technically feasible methods to determine that the covered user is not a minor (i.e., under 18 years of age) or (2) the covered operator has obtained verified parental consent.

    The Attorney General is charged with promulgating regulations for what constitutes commercially reasonable and technically feasible methods and the methods for obtaining verified parental consent.

    2. Overnight Notifications

    Absent verified parental consent, the act prohibits covered operators of addictive social media platforms from sending notifications to covered minors between 12 am eastern and 6 am eastern.

    Enforcement

    The act is enforceable by the New York Attorney General.

    Effective Date

    The act goes into effect 180 days after the Attorney General promulgates the rules and regulations necessary to effectuate the act’s provisions.