New York Enacts the Child Data Protection Act Governing the Collection and Use of Personal Data from Minors
June 27, 2024
New York Governor Kathy Hochul has signed into law the New York Child Data Protection Act (the “Act”), which generally prohibits online sites from collecting, using, sharing, or selling personal data of anyone in New York under the age of 18, unless doing so is strictly necessary for the purpose of the website or the operator of the site receives informed consent from the covered user. The Act, which adds Article 39-FF to New York’s General Business Law, is effective on June 20, 2025.
I. The Act
The stated purpose of the Act is to protect the privacy of children and young adults by restricting digital services from collecting or using the personal data of users they know are under the age of 18 without consent, and prohibiting, or requiring safeguards for, the sale or disclosure of the personal data of users that operators of sites know are under the age of 18.
A. Applicability
In general, the Act governs the processing of covered users’ personal data by operators, third-party operators, and processors. Entities that act as both an operator and a processor are subject to the obligations of each role.
- A covered user is defined as a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York who is (a) actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor (defined as under 18 years of age); or (b) using a website, online service, online application, mobile application, or connected device primarily directed to minors.
- An operator is defined as any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data.
- A third-party operator is defined as an operator who is not the operator (a) with whom the user intentionally and directly interacts; or (b) that collects personal data from the direct and current interactions with the user.
- A processor is defined as any person who processes data on behalf of the operator.
- The terms process and processing cover a broad range of activities performed on personal data, including the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, and deidentification of personal data.
- Personal data is defined as any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person or device.
Please note that the Act states that it applies to conduct that occurs in whole or in part within the state of New York. The applicability of these new rules is explained by illustrating when the Act will not apply: For purposes of the Act, commercial conduct takes place wholly outside of the state of New York if the business collected such information while the covered user was outside of the state of New York, no part of the use of the covered user's personal data occurred in the state of New York, and no personal data collected while the covered user was in the state of New York is used. Although the Act gives the New York Attorney General authority to issue regulations and such regulations may clarify this issue, it is not known if any regulations will be issued.
B. Requirements
Processing Restrictions
The Act prohibits operators from processing, or allowing their processors to process, the personal data of a covered user unless:
- The covered user is 12 years of age or younger and processing is permitted under the federal law known as the Children’s Online Privacy Protection Rule (“COPPA”);[1] or
- The covered user is 13 years of age or older and processing is strictly necessary for certain specified activities, or informed consent has been obtained.
The Act identifies the following as processing activities that are strictly necessary:
- Providing or maintaining a specific product or service requested by the covered user;
- Conducting internal business operations, excluding activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting the user to engage with the operator's website, online service, online or mobile app, or connected device when it is not in use;
- Identifying and resolving technical errors that impair existing or intended functionality;
- Protecting against malicious, fraudulent, or illegal activities;
- Investigating, establishing, exercising, preparing for, or defending legal claims;
- Complying with federal, state, or local laws, rules, or regulations;
- Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other government authorities;
- Detecting, responding to, or preventing security incidents or threats; or
- Protecting the vital interests of a natural person.
As noted, if the processing is not strictly necessary, an operator must obtain informed consent from the covered user. The Act specifies that requests for informed consent shall:
- Be made separately from any other transaction or part of a transaction;
- Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing;
- Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and
- Clearly present an option to refuse to provide consent as the most prominent option.
The Act also limits when and how operators may make further consent requests. Operators must notify users they know have aged out of being a covered user and obtain informed consent to continue processing their data. The notification must inform users that they may no longer be entitled to the Act’s rights and protections.
Purchasing and Selling Covered User Data
Operators are prohibited from purchasing or selling, or allowing a processor or third-party operator to purchase or sell, the personal data of covered users.
Data Deletion After Learning User is a Covered User
If an operator learns that a user is a covered user, the operator has 30 days to delete the covered user’s data unless the operator’s processing, as applicable, complies with COPPA, is strictly necessary, or the operator obtains the covered user’s informed consent. The operator must also inform any third-party operators to whom the operator knows it disclosed personal data of a covered user, and any third-party operators it knows were allowed to process the personal data, that the user is a covered user.
Notice to Third-Party Operators
Before disclosing personal data to third-party operators that collect or process data using the operator's product or service, operators must disclose to the third-party operator when either:
- Their website, online service, online application, mobile application, connected device, or portion thereof, is primarily directed at users under 18; or
- The personal data concerns a covered user.
Data Processing Agreements
Operators and processors must enter into data processing agreements with third parties prior to disclosing the personal data of covered users to such third parties. Operators also must enter into data processing agreements with processors.
Age Flags
Operators are required to treat users as covered users if a user’s device communicates or signals that the user is or shall be treated as a minor through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the New York Attorney General.
C. Impact on COPPA
Please note that the Act explicitly states that nothing within it should be construed to impose liability that is inconsistent with COPPA. This is likely intended to mitigate preemption arguments.
D. Penalty for Violations
The Act provides the New York Attorney General with rulemaking and enforcement authority, including imposing civil penalties up to $5,000 per violation.
II. Effective Date
The Act takes effect June 20, 2025.
III. Conclusion
The Act highlights New York’s focus on protecting the privacy of children and young adults. If a business operates a website or online service primarily directed to or serving individuals under the age of 18 who may be in the state of New York, the business should take note of the Act’s requirements and start the process of complying with the Act by the June 20, 2025 effective date. It appears covered businesses will include, among others, financial institutions that market products and services to minors, and schools and colleges that market to prospective students who are minors.
This advisory is a general overview of the Act and is not intended as legal advice. The Act is very detailed and should be reviewed in its totality. If you have any questions about the Act, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenllp.com, Kevin Patterson at (516) 296-9196 or via email at kpatterson@cullenllp.com, Elizabeth A. Murphy at (516) 296-9154 or via email at emurphy@cullenllp.com, or Gabriela Morales at (516) 357-3850 or via email at gmorales@cullenllp.com.
Footnotes
[1] 15 U.S.C. § 6502.