Privacy Daily is a service of Warren Communications News.
Age Flag Introduced

New York State's ‘Unique’ Child Data Protection Act Takes Effect

The New York Child Data Protection Act (NYCDPA), which took effect Friday, is unique for many reasons, including its age-flag requirement and because New York lacks a comprehensive law covering users of all ages, experts said in interviews. However, like a good deal of privacy and online safety regulations, it may face legal challenges, said Jason Oliveri, data privacy partner at Hinshaw & Culbertson.

Gov. Kathy Hochul (D) last year signed the NYCDPA, which aims to protect minors from having their personal data accessed. On May 19, the New York Office of Attorney General (OAG) released guidance ahead of the law going into effect (see 2408010011).

As of Friday, New York is the first state to provide “heightened protections" for "youth or minors related to privacy and data protection in the absence of a comprehensive or more broad consumer privacy law,” said Daniel Hales, policy fellow at the Future of Privacy Forum. “It’s going to be interesting to see how this more targeted approach" rolls out in New York, he added, since the state lacks the comprehensive privacy statutes that other states had on their books before they enacted such "heightened protections.”

Oliveri said the increase in the number of laws aimed at protecting kids online is a good thing. “We’re finally recognizing that perhaps big data collection on children is a form of child abuse ... akin to sending them into a coal mine without a canary,” he said. “There are so many kids in our country and beyond who don't really understand what data is being collected about them, how that data is being shared and used or even how the internet works." Children should receive education so they can "appreciate the benefits and risks before they go online and provide personal information about themselves.”

For Oliveri, the New York law's age flag stands out. “It's one of the first privacy laws to have a signal like that, and it's interesting because it adds a layer of transparency and, at least theoretically, empowers minors and their guardians to actively manage their privacy settings.” However, there may be a lag in the technology needed for compliance. As such, "covered parties should continue to monitor for additional guidance from" New York's attorney general.

An age flag, Oliveri said, is a signal that lets websites know "'I'm a minor, or should be treated as such, and I either do consent or don't consent to whatever you want to do with my data.' If the signal indicates that they do not consent, a website operator cannot ask for such consent but can provide a feature for the user to later consent.”

Oliveri contrasted that approach with age-verification laws from other states, which he said can be trickier to implement because “at least in practice, they equate to [having] actual knowledge of a user’s age." Recent age-verification laws "attempt to shift this standard to a more constructive approach by using phrases like ‘likely to be assessed by a child.’ This can be confusing, particular[ly] for operators of general-audience websites. Notably, the New York law does not explicitly require age verification.”

But even though the New York law handles the determination of age differently than other laws that have been challenged in court, Oliveri said he wouldn't be surprised if New York was also sued on First Amendment grounds.

Hales agreed that the age flag is unique. “There's a lot of ambiguity around what this mean[s] or how this work[s] as a technology concept that hasn't previously existed before it was incorporated as a requirement in this act,” he said.

Bailey Sanchez, deputy director of the Future of Privacy Forum’s U.S. legislation team, concurred. The language on it is "kind of quirky,” she said. “The law doesn't require that you use that technology. But what it requires is that if the technology is used by a user, a business has to accept it or make it work.”

“If you have these age signals that you're broadcasting around, it might impact a lot more businesses than what they think,” she added.

More Ages Covered Than in COPPA

Meanwhile, the New York law marks a major change from the federal Children’s Online Privacy Protection Act (COPPA) as it seeks to extend coverage from minors younger than 13 to those younger than 17, the experts noted.

Extending the COPPA protections to older minors "has been an ongoing conversation in many spaces,” said Hales. “For the processing of child data for under-13s, the [NYCDPA] and the recently released implementation guidance from the OAG say that compliance with COPPA is sufficient, but for 13-plus there are some differences whereby … teens can consent for themselves with informed consent,” for example.

Permissible processing purposes are “defined more narrowly and potentially stricter under the NYCDPA for permissible processing in the absence of consent than it is under COPPA,” he said. For Hales, "that means ... potentially there is a stricter view of permissible processing in the absence of consent for teens in New York than there is for minors under 13.”

Hales and Sanchez agreed that while the NYCDPA is unique in many ways, comparisons with other laws exist. For example, its data-minimization principle shares similarities with requirements in the Washington My Health My Data Act and Maryland Online Data Privacy Act, Hales said.

“States requiring more ... data minimization has been a broader trend,” Sanchez said. “This is an early example of those types of data-minimization requirements going into effect, and so, while this is specific to children, it'll be interesting for businesses to watch this law to see how New York interprets what types of processing are permissible or not.”

More Guidance Expected

NY's OAG has said it plans to issue rules providing more clarity and detail based on the Act, but they have not been finalized.

“That means I don't think you have to panic if your business is making a good-faith effort to comply with the law and making a record of that compliance effort,” Oliveri said.

Still, Oliveri conceded that compliance "can be tricky given the growing patchwork of state privacy laws," though it's not "impossible" to comply.

A May 28 blog from Covington lawyers highlighted some key elements of the guidance, including that it does not interfere with existing frameworks that rely on parental consent, contains explanations for when tracking is “strictly necessary” and only applies if a covered entity knows a user is younger than 18 or is a service “primarily directed to minors.”

In a June 17 blog post, Ogletree Deakins lawyers said “the NYCDPA represents a significant shift in how businesses must approach the privacy of minors’ data,” and that “businesses that operate online products or services accessible to New York minors may want to consider reviewing their data collection, processing, and consent practices to ensure compliance with this new law.”

Hales highlighted what the OAG guidance said about education exemptions. For instance, it made clear that the NYCDPA isn't meant to interfere with the "current system of technology procurement and consent within schools," but rather "is intended to supplement and exist outside of those bounds," he said. "So, as long as [educational technology] providers are complying with COPPA, and they're complying with the New York education law ... and the data in question is being processed solely for educational purposes, it would seem based on what the OAG has put out that they are complying with NYCDPA."

“However, if ... student data is being processed for anything that's not related to education, then the NYCDPA kicks in,” he said.

To ensure compliance, companies should conduct an “audit to identify the data they're collecting from minors and assess its purpose and its necessity," said Oliveri. And they should update "their privacy policies to make sure that they are clear and age-appropriate.”

“User interfaces have to be made intuitive and aligned with age-appropriate design principles," he added. "Implementing data-minimization practices is also super important,” as is “training your staff about the latest privacy practices and legal requirements."