On June 20, 2024, the Governor of New York enacted the New York Child Data Protection Act (NYCDPA). This bill represents a significant step toward protecting the personal data of minors using online services within the state of New York, as it places clear restrictions and consent requirements on businesses that collect the personal data of minors.
The NYCDPA applies to any “operator” that collects the personal data of a “covered user”.
The term “operator” is defined as any individual or entity that “operates or provides a website on the internet, online service, online application, mobile application, or connected device (“Online Services”), and who, alone or jointly with others, controls the purposes and means of processing personal data.”
A “covered user” under the NYCDPA refers to any New York resident under 18 years old who uses the Online Service of an operator where (i) such resident is actually known by the operator to be a minor, or (ii) such Online Service is “primarily directed to minors”. With respect to determining the age of a user of their Online Services, operators must respect signals from users’ devices indicating their age status through device settings or plug-ins.
Of particular note, the NYCDPA does not clarify when an Online Service will be determined to be “primarily directed to minors.” As a result, a number of businesses that do not believe they are targeting minors with their Online Services could become subject to the NYCDPA by virtue of how enforcement authorities interpret their services and the NYCDPA.
Restrictions on Processing:
Operators are prohibited from processing personal data of (i) covered users under age 13 without parental consent (as mandated by the federal Children’s Online Privacy Protection Act (COPPA)), or (ii) covered users ages 13 to 17 unless certain conditions are met; specifically, processing must either be “strictly necessary” as defined by the NYCDPA, or, alternatively, operators must obtain informed consent from the minor or their parent/guardian, ensuring transparency and clarity in the consent process.
The NYCDPA states that processing of personal data is “strictly necessary” where such processing is necessary for the operator as a part of:
a) providing or maintaining a specific product or service requested by the user;
b) conducting the operator’s internal business operations, which operations shall not include any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the applicable Online Service when it is not in use;
c) identifying and repairing technical errors that impair existing or intended functionality;
d) protecting against malicious, fraudulent, or illegal activity;
e) investigating, establishing, exercising, preparing for, or defending legal claims;
f) complying with federal, state, or local laws, rules, or regulations;
g) complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
h) detecting, responding to, or preventing security incidents or threats; or
i) protecting the vital interests of a natural person.
Where an operator wishes to obtain “informed consent” from a covered user for the processing of personal data that is not “strictly necessary” under the NYCDPA, such informed consent must be obtained (i) through a request made separately from any other transaction, (ii) without the use of “dark patterns” (i.e., deceptive sales practices such as burying important terms in large bodies of text), (iii) by stating that the processing is not strictly necessary and that a user may decline, and (iv) by presenting an option to refuse consent. Consent signals sent from a user’s device (such as via the Global Privacy Control) must be respected whenever user consent is obtained under the NYCDPA. It is also worth noting that the NYCDPA does not specify what information an operator must provide to a covered user to ensure that such covered user’s consent constitutes “informed consent”, leaving this question open to case-by-case interpretation.
Prohibition on Selling, Processing or Transferring of Data:
The NYCDPA prohibits operators from selling covered users’ personal data, where “selling” includes disclosing data in exchange for monetary or other valuable considerations. Operators must also have written agreements with any third-party processors of such personal data clearly setting forth instructions regarding its processing and disclosure, and restricting such processors from engaging in any processing activity or transfers regarding such personal data that are outside of the scope of such instructions.
Data Handling:
Upon discovering that a user qualifies as a covered user, operators have thirty days to delete that user’s data unless processing of such data complies with COPPA, is “strictly necessary”, or is conducted pursuant to the informed consent of such covered user.
The NYCDPA is enforceable by the New York Attorney General, who has the authority to investigate violations and impose penalties for non-compliance. Operators must adhere to the Act’s requirements within one year of its enactment, ensuring timely adjustments to their data handling practices.
The NYCDPA establishes new legal policies for safeguarding minors’ online privacy rights within the state. Operators must adapt their practices to comply with these regulations, which may require revisions to existing contracts, modifications to or suspension of Online Service operations, and establishment of internal policies and procedures that are compliant with the NYCDPA, to name only a few potentially necessary responsive actions. Given that the countdown to enforcement has begun for businesses covered by the NYCDPA, which includes both New York-based businesses and businesses directing activity within New York, covered businesses should begin their compliance efforts as soon as possible.