In June 2024, New York enacted two laws that will impose extensive new requirements on companies operating in the state to enhance online protections for children. The first is the New York Child Data Protection Act (“NYCDPA”), which imposes data minimization, consent and data processor agreement obligations on online services operators that actually know they collect minors’ personal information or target their services at minors. The second is the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, which prohibits online services operators from providing minors with “addictive feeds” absent parental consent. Both the NYCDPA and SAFE for Kids Act are intended to protect minors who are 17 or under in New York. These laws form part of the growing trend in the U.S. and around the world to enact laws intended to strengthen minors’ online privacy protections and combat perceived online threats to their health and safety. Some other key laws that make up this trend in the U.S. include the Florida Digital Bill of Rights (which takes effect on July 1, 2024), Connecticut’s Online Privacy, Data and Safety Protections (whose minors’ protections take effect July 1, 2024), the Texas SCOPE Act (which takes effect on September 1, 2024), the California Age-Appropriate Design Code Act (which was enjoined from taking effect but is the subject of an appeal that may overturn the injunction), and the Maryland Kids Code (which takes effect on October 1, 2024).

This article focuses on New York’s minors’ online protection laws, but any company that operates online services and may receive the personal information of minors should carefully assess what regulations apply and consider taking the following steps: (i) assess to what extent you know that minors are using your services; (ii) assess what online risks may result from minors using your services; (iii) implement measures to mitigate these risks, which may include parental consent mechanisms, parental control tools, moderation efforts and other protections; (iv) avoid using minors’ personal information for marketing or other purposes outside of providing them with the services they have requested unless applicable laws permit you to do so; and (v) use technical and organizational measures to secure minors’ personal information, and flow through to your service providers the same regulatory obligations that apply to you.

New York Child Data Protection Act

The NYCDPA aims to protect the personal data of minors in New York where the minor is using a website, online service, online application, mobile application, or connected device (collectively, “online service”), and either: (i) the operator of the online service has actual knowledge that the user is a minor; or (ii) the online service is targeted to minors. However, the statute does not define “targeted to minors.”

Operators will be generally prohibited from processing the personal information of covered users who are between the ages of 13 and 17 unless they have the user’s prior, informed and specific consent or the processing is for one or more of the following purposes:

  • providing or maintaining a specific product or service requested by the user;
  • conducting the operator’s internal business operations, which do not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the online service when it is not in use;
  • identifying and repairing technical errors that impair existing or intended functionality;
  • protecting against malicious, fraudulent, or illegal activity;
  • investigating, establishing, exercising, preparing for, or defending legal claims;
  • complying with federal, state, or local laws, rules, or regulations;
  • complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • detecting, responding to, or preventing security incidents or threats; or
  • protecting the vital interests of a natural person.

The NYCDPA also prohibits operators from selling the personal data of covered users where “selling” means disclosure of personal data for monetary or other valuable consideration, and requires operators to impose certain obligations on processors and onward recipients of covered users’ personal information. The NYCDPA comes into effect 1 year after the Governor signs it into law, and will be enforced by the New York Attorney General.

SAFE for Kids Act

This law applies to operators of “addictive social media platforms”, which the statute defines as an online service that offers or provides users an “addictive feed” as a significant part of the online service. The SAFE for Kids Act essentially defines an “addictive feed” as a feature in which multiple pieces of media (including text, images or videos) shared by users are recommended, selected, or prioritized for display to a user based on information associated with the user or their device, unless an exception applies. These exceptions include where:

  • the recommendation, prioritization, or selection is based on information that is not persistently associated with the user or their device, and does not concern the user’s previous interactions with media generated or shared by other users;
  • the recommendation, prioritization, or selection is based on user-selected privacy or accessibility settings, or technical information concerning the user’s device;
  • the user expressly and unambiguously requested the specific media, media by the author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to, provided that the media is not recommended, selected, or prioritized based on other information associated with the user or their device;
  • the user expressly and unambiguously requested that specific media, media by a specified author, creator, or poster of media the user has subscribed to, or media shared by users to a page or group the user has subscribed to, be blocked, prioritized or deprioritized for display, provided that the media is not recommended, selected, or prioritized based on other information associated with the user or their device;
  • the media are direct and private communications;
  • the media are recommended, selected, or prioritized only in response to a specific search inquiry by the user;
  • the media recommended, selected, or prioritized is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or
  • the recommendation, prioritization, or selection is necessary to comply with the SAFE for Kids Act or its regulations.

The SAFE for Kids Act prohibits an operator of an addictive social media platform from providing an addictive feed to users in New York unless: (a) the covered operator has used commercially reasonable and technically feasible methods to determine that the user is not a minor; or (b) the operator has obtained verifiable parental consent to provide an addictive feed to the minor. The statute requires the New York Attorney General to promulgate regulations identifying commercially reasonable and technically feasible methods for operators to determine if users are minors, and sets out various factors that the Attorney General must take into account when drafting these provisions, including the size and capabilities of companies and what is considered a prevalent practice in the industry. The Attorney General must also identify at least one such method that either does not rely solely on government-issued ID or that allows a covered user to maintain anonymity as to the operator of the platform.

The Attorney General must also promulgate regulations specifying how “verifiable parental consent” is to be obtained for the purposes of the statute. Data used to verify a user’s status as a minor or non-minor cannot be used for any purpose other than to comply with the statute, including to seek verifiable parental consent. The statute also prohibits operators from providing addictive feeds to minors between 12 a.m. and 6 a.m. (Eastern Time) without verifiable parental consent. This is an interesting requirement because it is very uncommon for U.S. regulations to impose time-of-day requirements on providers of online services. The SAFE for Kids Act comes into effect 6 months after the Governor signs it into law, and will be enforced by the New York Attorney General. The statute does not establish a private right of action but does not include language expressly precluding private actions either.

Author

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Author

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.