On August 1, 2024, the Office of the New York State Attorney General (OAG) released two Advanced Notices of Proposed Rulemaking (ANPRM) for the SAFE for Kids Act and the NY Child Data Protection Act. These ANPRMs solicit input that will help the OAG promulgate regulations in three areas: (1) identifying “commercially reasonable and technically feasible methods” to determine if a user is a minor; (2) identifying methods of obtaining verifiable parental consent; and (3) promulgating any needed language access regulations.
The two laws forming the basis for the rulemaking were enacted on June 20, 2024. The Stop Addictive Feeds Exploitation (SAFE) For Kids Act and the New York Child Data Protection Act contain broad requirements applicable to some companies offering services to children, as explained further below.
Stop Addictive Feeds Exploitation (SAFE) For Kids Act
Scope. This law governs “addictive social media platforms,” which are defined as websites, online services, and applications that offer an “addictive feed” as a significant portion of their services. The law prohibits covered operators from providing an “addictive feed” to users unless they have used commercially reasonable measures to determine that the user is not a minor or they have obtained verifiable parental consent to provide an addictive feed.
“Addictive Feed.” An “addictive feed” is defined to mean a website or online service in which multiple pieces of media generated or shared by users are recommended or prioritized for display to a user based on information associated with that user or their device. However, there are several exceptions to this definition, including if the user expressly requested that a specific type of media be prioritized for display, if the media is recommended in response to a search by the user, if the prioritization is based on user-selected privacy or accessibility settings, if the media prioritized is next in a pre-existing sequence from the same creator or source, if the prioritization is necessary to comply with the law, or if the prioritization is based on information that is not associated with the user or their previous interactions with media on the service. Direct and private communications are also excluded from the definition.
Nighttime Notifications. The law also prohibits regulated entities from sending certain notifications to a minor between the hours of 12 AM to 6 AM ET, unless the platform obtains verifiable parental consent.
Enforcement. The New York Attorney General has the authority to enforce the law and promulgate regulations identifying commercially reasonable methods to conduct age verification.
New York Child Data Protection Act
Requirements for Minor Data. The New York Child Data Protection Act prohibits operators from processing the personal data of users between the ages of 13 and 18 unless strictly necessary for certain specified purposes or unless the user provides informed consent. It also prohibits operators from processing the personal data of users under the age of 13 other than in compliance with the Children’s Online Privacy Protection Act (COPPA). If an operator discovers that a user is a minor, it shall delete the user’s personal data unless processing of the data complies with COPPA, is strictly necessary for a permitted purpose, or if the operator obtains informed consent.
Permitted Processing Purposes. Purposes for which the data of minor users may be processed include providing a specific product or service requested by the user, conducting internal business operations, repairing technical errors, and complying with relevant law.
Informed Consent. If an operator wishes to process information of a teen other than for such purposes, it must solicit informed consent. A request for such consent must be made separately from any other transaction, must be free of mechanisms that would subvert or impair the user’s decision-making, and clearly present a method to refuse consent as the most prominent option. If the user declines or revokes their consent, another request may not be made for the following calendar year (but the operator may make available a mechanism through which the covered user can provide consent).
Required Actions Upon Learning User Age. The law also requires that if an operator learns that a certain user is a minor, it shall delete their data within 30 days unless processing is strictly necessary for a permitted purpose or it obtains informed consent. Additionally, once a user turns 18, the operator shall not process that user’s personal data until they receive informed consent for such processing and shall provide notice to the user that they may no longer be afforded the protections of this law.
Device Flags. The law contains various requirements related to device flags. Operators must treat users as minors if a user’s device signals that the user is or shall be treated as a minor. Additionally, if a minor’s device signals that they decline to provide informed consent, an operator shall not request such consent (though they may make available a mechanism through which the covered user can provide consent).
Disclosure to Third Parties.The law requires operators to disclose to third parties when data collected through their website or service is collected from a minor or when their website or service is primarily directed to minors.
Purchase/Sale Prohibition. Finally, the law prohibits operators and third parties from purchasing or selling the data of minors. Enforcement. The New York Attorney General has the authority to enforce the law and promulgate related regulations.