On August 1, 2024, the Office of the New York State Attorney General (OAG) released two Advanced Notices of Proposed Rulemaking (ANPRM) for the SAFE for Kids Act and the NY Child Data Protection Act. These ANPRMs solicit input that will help the OAG promulgate regulations in three areas: (1) identifying “commercially reasonable and technically feasible methods” to determine if a user is a minor; (2) identifying methods of obtaining verifiable parental consent; and (3) promulgating any needed language access regulations.

The two laws forming the basis for the rulemaking were enacted on June 20, 2024. The Stop Addictive Feeds Exploitation (SAFE) For Kids Act and the New York Child Data Protection Act contain broad requirements applicable to some companies offering services to children, as explained further below.

Stop Addictive Feeds Exploitation (SAFE) For Kids Act

Scope. This law governs “addictive social media platforms,” which are defined as websites, online services, and applications that offer an “addictive feed” as a significant portion of their services. The law prohibits covered operators from providing an “addictive feed” to users unless they have used commercially reasonable measures to determine that the user is not a minor or they have obtained verifiable parental consent to provide an addictive feed.

“Addictive Feed.” An “addictive feed” is defined to mean a website or online service in which multiple pieces of media generated or shared by users are recommended or prioritized for display to a user based on information associated with that user or their device. However, there are several exceptions to this definition, including if the user expressly requested that a specific type of media be prioritized for display, if the media is recommended in response to a search by the user, if the prioritization is based on user-selected privacy or accessibility settings, if the media prioritized is next in a pre-existing sequence from the same creator or source, if the prioritization is necessary to comply with the law, or if the prioritization is based on information that is not associated with the user or their previous interactions with media on the service. Direct and private communications are also excluded from the definition.

Nighttime Notifications. The law also prohibits regulated entities from sending certain notifications to a minor between the hours of 12 AM and 6 AM ET, unless the platform obtains verifiable parental consent.

Enforcement. The New York Attorney General has the authority to enforce the law and promulgate regulations identifying commercially reasonable methods to conduct age verification. 

New York Child Data Protection Act

Requirements for Minor Data. The New York Child Data Protection Act prohibits operators from processing the personal data of users between the ages of 13 and 18 unless strictly necessary for certain specified purposes or unless the user provides informed consent. It also prohibits operators from processing the personal data of users under the age of 13 other than in compliance with the Children’s Online Privacy Protection Act (COPPA). If an operator discovers that a user is a minor, it shall delete the user’s personal data unless processing of the data complies with COPPA or is strictly necessary for a permitted purpose, or unless the operator obtains informed consent.

Permitted Processing Purposes. Purposes for which the data of minor users may be processed include providing a specific product or service requested by the user, conducting internal business operations, repairing technical errors, and complying with relevant law.

Informed Consent. If an operator wishes to process information of a teen other than for such purposes, it must solicit informed consent. A request for such consent must be made separately from any other transaction, must be free of mechanisms that would subvert or impair the user’s decision-making, and must clearly present a method to refuse consent as the most prominent option. If the user declines or revokes their consent, another request may not be made for the following calendar year (but the operator may make available a mechanism through which the covered user can provide consent).

Required Actions Upon Learning User Age. The law also requires that if an operator learns that a certain user is a minor, it shall delete their data within 30 days unless processing is strictly necessary for a permitted purpose or it obtains informed consent. Additionally, once a user turns 18, the operator shall not process that user’s personal data until they receive informed consent for such processing and shall provide notice to the user that they may no longer be afforded the protections of this law.

Device Flags. The law contains various requirements related to device flags. Operators must treat users as minors if a user’s device signals that the user is or shall be treated as a minor. Additionally, if a minor’s device signals that they decline to provide informed consent, an operator shall not request such consent (though they may make available a mechanism through which the covered user can provide consent).

Disclosure to Third Parties. The law requires operators to disclose to third parties when data collected through their website or service is collected from a minor or when their website or service is primarily directed to minors.

Purchase/Sale Prohibition. Finally, the law prohibits operators and third parties from purchasing or selling the data of minors.

Enforcement. The New York Attorney General has the authority to enforce the law and promulgate related regulations.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.