On June 7, 2024, the New York Legislature passed two bills to protect children online. The Stop Addictive Feeds Exploitation (SAFE) for Kids Act, S7694A, prohibits social media platforms from providing defined "addictive feeds" to minors under the age of 18 without verifiable parental consent. The New York Child Data Protection Act (CDPA), S7695B, bars online operators from collecting, using, sharing, and selling personal data of minors ages 13 to 17 without their informed consent unless strictly necessary and requires parental consent to process the data of minors 12 years of age and younger.

Governor Kathy Hochul signed both bills into law on June 20, 2024. The SAFE Act will go into effect 180 days after the New York attorney general finalizes regulations necessary for implementation, and the CDPA will go into effect June 20, 2025. Both bills provide for enforcement solely by the attorney general, who can bring actions to enjoin violations, recover damages, and obtain civil penalties up to $5,000 per violation.

But technology industry trade groups, such as NetChoice, have condemned both bills as unconstitutional. NetChoice signaled its intent to challenge the legislation akin to its successful challenge of the California Age-Appropriate Design Code Act (CAADCA), which bars the use of children's (users under 18 years of age) personal information in ways known to be "materially detrimental" to their physical health, mental health, or well-being.[1] In 2023, the U.S. District Court for the Northern District of California subjected the CAADCA to heightened First Amendment scrutiny and preliminarily enjoined it in its entirety.[2] The decision rested in part on CAADCA's requirement that businesses estimate the age of child users or implement default privacy settings, thus blocking children and adults from some content.[3]

Stop Addictive Feeds Exploitation (SAFE) for Kids Act

Applicability and Scope

The SAFE Act creates new obligations for covered operators—i.e., those that operate or provide an "addictive social media platform," which are online services that offer or provide "addictive feeds" as a "significant part" of their services. Specifically, it prohibits "addictive social media platforms" from providing "addictive feeds" to minors under age 18 without parental consent. Aimed at algorithms that increase or prolong social media usage, the SAFE Act defines "addictive feeds" that may not be provided to minors without parental consent as any website, online service, or application—or portion thereof—in which "multiple pieces of media generated or shared by users" are "recommended, selected or prioritized for display based—in whole or in part—on information associated" with a user or the user's device, unless one of the following conditions is met:

  • the recommendation, prioritization, or selection is based on information that is not persistently associated with the user or user's device, and does not concern the user's previous interactions with media generated or shared by other users;
  • the recommendation, prioritization, or selection is based on user-selected privacy or accessibility settings, or technical information concerning the user's device;
  • the user expressly and unambiguously requested the specific media; media by the author, creator, or poster of media the user has subscribed to; or media shared by users to a page or group the user has subscribed to, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible;
  • the user expressly and unambiguously requested that specific media; media by a specified author, creator, or poster of media the user has subscribed to; or media shared by users to a page or group the user has subscribed to, be blocked, prioritized or deprioritized for display, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible;
  • the media are direct and private communications;
  • the media are recommended, selected, or prioritized only in response to a specific search inquiry by the user;
  • the media recommended, selected, or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or
  • the recommendation, prioritization, or selection is necessary to comply with the provisions of the SAFE Act and its incumbent rulemaking.

The SAFE Act applies to conduct that occurs in whole or in part in New York. Conduct takes place wholly outside of New York if the addictive social media platform is accessed by a user who is physically located outside of New York.

Prohibition on Addictive Feeds

Covered operators must implement an age verification mechanism to determine the age of users. They may provide addictive feeds to users if they have: (1) used commercially reasonable and technically feasible methods to determine that a user is not a minor; or (2) obtained verifiable parental consent to provide the addictive feed, in the event that the user is a minor.

Prohibition on Overnight Notifications

The SAFE Act prohibits covered operators from sending notifications concerning an addictive feed to a minor between the hours of 12 AM and 6 AM Eastern Time unless the covered operator has obtained verifiable parental consent to send such nighttime notifications.

Attorney General Rulemaking and Enforcement

The New York attorney general has sole enforcement authority and is required to promulgate rules and regulations to effectuate and enforce the SAFE Act. In particular, the attorney general must issue regulations:

  1. identifying multiple commercially reasonable and technically feasible methods for operators to determine if a user is a minor, including,

    • at least one method that either does not rely solely on government-issued identification or that allows a covered user to maintain anonymity as to the covered operator of the addictive social media platform, and
    • identifying appropriate levels of accuracy, and

  2. identifying methods of obtaining verifiable parental consent.

No earlier than 180 days after the effective date of the SAFE Act, the New York attorney general may bring an action or special proceeding to enjoin any violation of the SAFE Act, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation; disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data; damages caused directly or indirectly by any such violation; civil penalties of up to $5,000 per violation; and any such other and further relief as the court may deem proper, including preliminary relief.

The New York attorney general must maintain a website to receive complaints, information or referrals from the public concerning an operator's or social media platform's alleged compliance or non-compliance with the SAFE Act.

Language Access

Instructions to parents on how to provide verifiable parental consent must be made available in at least the twelve most commonly spoken languages in New York state and as further defined by regulations promulgated by the attorney general.

Nondiscrimination

Operators must not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a user due to the operator not being permitted to provide an addictive feed to such user.

New York Child Data Protection Act

Applicability and Scope

The CDPA applies to operators of online services that collect personal data of covered users. An "operator" is "any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data." A "covered user" is any "user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York" who is (a) "actually known" by the operator to be a minor; or (b) using a website, online service, application, or connected device that is "primarily directed to minors."

A website, online service, application, or connected device is "primarily directed to minors" if it—or a portion thereof—is "targeted to minors" or if the operator has actual knowledge that it is collecting personal data directly from users of another website, online service, application, or connected device that is primarily directed to minors. However, a website, online service, application, or connected device will not be considered primarily directed to minors simply because it refers or links to any other website, service, application, or device primarily directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link.

The CDPA applies to conduct that occurs in whole or in part in the state of New York. Conduct that takes place wholly outside of the state of New York is exempt from the CDPA if: (1) the operator collected a user's personal data while the covered user was outside of the state of New York; (2) no part of the use of the covered user's personal data occurred in the state of New York; and (3) no personal data collected while the covered user was in the state of New York is used.

Restrictions on Processing

The CDPA prohibits operators from processing—or allowing a processor to process or a third-party operator to collect—the personal data of a covered user collected through the operator's website, online service, application, or connected device unless the covered user is:

  • 12 years of age or younger and processing is permitted under the Children's Online Privacy Protection Act (COPPA) and its implementing regulations, or
  • 13 years of age or older and processing is strictly necessary for certain processing activities enumerated under the CDPA or the operator has obtained informed consent from the minor.

Operators may process information of minors 13 or older without their informed consent only if such processing is strictly necessary for one of the following eight activities:

  1. Providing or maintaining a specific product or service requested by the covered user;
  2. Conducting the operator's internal business operations (not including any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, application, or connected device when it is not in use);
  3. Identifying and repairing technical errors that impair existing or intended functionality;
  4. Protecting against malicious, fraudulent, or illegal activity;
  5. Investigating, establishing, exercising, preparing for, or defending legal claims;
  6. Complying with federal, state, or local laws, rules, or regulations;
  7. Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  8. Detecting, responding to, or preventing security incidents or threats, or
  9. Protecting the vital interests of a natural person.

An operator relying on informed consent of minors 13 or older must obtain such consent from the covered user either through a device communication or signal or through a request.

Requests for informed consent must:

  • Be made separately from any other transaction or part of a transaction;
  • Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing (i.e., dark pattern);
  • Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary and that the covered user may decline without preventing continued use of the website, online service, application, or connected device; and
  • Clearly present an option to refuse to provide consent as the most prominent option.

Informed consent, once given, must be freely revocable at any time, and must be at least as easy to revoke as it was to provide. If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year; however, an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent. If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing, an operator may not request informed consent for such processing. However, as explained above, the operator may still make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.

Restrictions on Sale

The CDPA prohibits operators from purchasing or selling—or allowing a processor or third-party operator to purchase or sell—the personal data of a covered user. "Selling" means sharing personal data for monetary or other valuable consideration unless it is an asset that is part of a merger, acquisition, or other change in corporate control.

Data Deletion and Third-Party Notification Requirements

Within 30 days of determining or being informed that a user is a covered user, an operator must:

  • Dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless: (1) processing such personal data is permitted under COPPA, (2) processing is strictly necessary for an approved processing activity; or (3) the operator has obtained informed consent; and
  • Notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.

Before disclosing personal data to a third-party operator or permitting a third-party operator to collect personal data from the operator's website, online service, application, connected device, or portion thereof, the operator must disclose to the third-party operator:

  • When their website, online service, application, connected device, or portion thereof, is primarily directed to minors; or
  • When the personal data concerns a covered user.

Processor Contracting Requirements

The CDPA prohibits operators or processors from disclosing personal data of a covered user to a third party (or allowing the processing of the personal data of a covered user by a third party) without a written, binding agreement governing such disclosure or processing. This agreement must require that the processor:

  • Process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by applicable law.
  • Assist the operator in meeting the operator's obligations under the CDPA.
  • Upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the CDPA.
  • Allow and cooperate with reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the CDPA. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request.
  • Notify the operator within a reasonable amount of time before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users.

Coverage of Users Who Age Out

Upon learning that a user is no longer a covered user, an operator must:

  • Not process the personal data of the covered user who would otherwise be subject to the CDPA until it receives informed consent, and
  • Provide notice to such user that they may no longer be entitled to all of the protections and rights provided under the CDPA.

Respecting User-Provided Age Flags

An operator must treat a user as a covered user if the user's device communicates or signals that the user is or must be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the attorney general.

Similarly, an operator must adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing for which the covered user consents or declines consent. An operator must not adhere to unclear or ambiguous communications or signals from a covered user's device and must instead request informed consent.

Safe Harbor for Third-Party Operators

Third-party operators that process the personal data of a covered user of another website, online service, application, or connected device are not subject to the obligations above, provided that:

  • The third-party operator received reasonable written representations that the covered user provided informed consent for such processing, or
  • The third-party operator does not have actual knowledge that the covered user is a minor or that the other website, online service, application, or connected device, or portion thereof, is primarily directed to minors.

Enforcement and Rulemaking

The New York attorney general has sole enforcement authority and may—but is not required to—promulgate rules and regulations to implement and enforce the CDPA.

The attorney general may bring an action or special proceeding to enjoin any violation of the CDPA, to obtain restitution, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation (including but not limited to the destruction of unlawfully obtained data), to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to $5,000 per violation, and to obtain any such other and further relief as a court may deem proper, including preliminary relief.

It remains to be seen whether the attorney general will use this disgorgement authority to seek destruction of algorithms, models, or other AI-related work product trained on or derived from covered user data processed without informed or parental consent, such as in the FTC's order against Kurbo.

Effective Date

The CDPA will take effect June 20, 2025.

Familiar Privacy Protections, but a New Approach to Algorithms

While the CDPA's opt-in requirements for personal data processing are similar to other state child privacy laws, such as Virginia's amendment to its Consumer Data Protection Act, the SAFE Act's specific approach to combat potentially harmful effects of algorithms is the first of its kind. Other states have taken different approaches to protecting minors' safety, however. For instance, the California Age-Appropriate Design Code Act (CAADCA) bars the use of children's (users under 18 years of age) personal information in ways known to be "materially detrimental" to their physical health, mental health, or well-being.[4] In 2023, the U.S. District Court for the Northern District of California subjected the CAADCA to heightened First Amendment scrutiny and preliminarily enjoined it in its entirety.[5] The decision rested in part on CAADCA's requirement that businesses estimate the age of child users or implement default privacy settings, thus blocking children and adults from some content.[6]

The SAFE Act takes a different approach, finding "children are particularly susceptible to addictive feeds because they provide a non-stop drip of dopamine with each new piece of media and because children are less capable of exercising the impulse control necessary to mitigate these negative effects." Like CAADCA, the SAFE Act implements content restrictions based on a user's age, but the policy mechanisms it employs—parental consent and age verification requirements—are more like other social media safety laws passed in states like Arkansas and Tennessee. Observers will continue to monitor how courts interpret the connection between children's data, restrictions on content availability, and the First Amendment.

DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations. For assistance with state privacy laws, please contact the author of this alert or the Davis Wright Tremaine attorney with whom you work.

*Joshua Peck is a law student at Georgetown University Law Center and currently a summer associate at Davis Wright Tremaine.


[1] Age-Appropriate Design Code Act, Cal. Civ. Code. § 1798.99.31(b)(1).

[2] NetChoice, LLC v. Bonta, No. 22-CV-08861-BLF, 2023 WL 6135551 (N.D. Cal. Sept. 18, 2023). The California attorney general appealed to the 9th Circuit (No. 23-2969). Briefing is complete and oral argument is currently scheduled for July 17, 2024, in San Francisco.

[3] See id., 2023 WL 6135551 at *14.

[4] Age-Appropriate Design Code Act, Cal. Civ. Code. § 1798.99.31(b)(1).

[5] NetChoice, LLC v. Bonta, No. 22-CV-08861-BLF, 2023 WL 6135551 (N.D. Cal. Sept. 18, 2023).

[6] See id. at *14.