The New York legislature passed two bills on June 7, 2024 directed at children’s use of online technologies – the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (S7694) that restricts access to addictive algorithmic feeds and the New York Child Data Protection Act (S7695) that bans sites from collecting, using, sharing or selling personal data of anyone under the age of 18 without consent. Governor Kathy Hochul has already issued a news release in support of both bills which are outlined below.
Stop Addictive Feeds Exploitation (SAFE) for Kids Act
The New York SAFE for Kids Act requires social media companies to restrict addictive feeds on their platforms for users under 18 unless parental consent is granted.
The bill also requires the establishment of acceptable age verification and parent consent methods to be determined by the Office of the Attorney General (OAG) as part of a rulemaking process once the legislation is enacted.
The act applies to “covered operators” which it defines as “any person, business, or other legal entity, who operates or provides an addictive social media platform.” It defines a “addictive social media platform” as a website, online service, online application, or mobile application, that offers or provides users an addictive feed as a significant part of its services.
The definition for “addictive feed” is almost 400 words long along with several exceptions. But in brief, an “addictive feed” is defined as an online website or application in which “multiple pieces of media generated or shared by users… that either concurrently or sequentially, are recommended, selected, or prioritized for display to a user based, in whole or in part, on information associated with the user or the user’s device.”
If enacted into law and surviving what is likely to be several court challenges, social media platforms such as TikTok, Snapchat and Instagram, will no longer be able to serve content to users under the age of 18 based on their recommendation algorithms. Instead, they will have to provide a reverse-chronological feed for younger users.
The legislation will authorize the OAG to bring an action to enjoin violations of the new law, as well as seek civil penalties of up to $5,000 per violation. The SAFE Kid Act goes into effect 180 days regulations are promulgated by Attorney General.
Child Data Protection Act (CDPA)
Conversely. New York’s CDPA bans sites from collecting, using, sharing or selling personal data of anyone under the age of 18 without consent. It has broader applicability for “operators” of online services that collect personal data of a “covered user” who is a New York user of a website, online service, or app that (1) the operator actually knows to be a minor (defined as under 18 years of age), or (2) where the website, online service, or app is primarily directed or targeted to minors.
The existing federal Children’s Online Privacy Protection Act (COPPA) compliments the NYCDPA requiring parental consent for kids under 13, which is why most social networks don’t allow people to sign up if they’re under the age of 13. There is an effort at the FTC currently to update COPPA to address the increased use of mobile devices and social networking.
“Operator” is defined as “any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data.” Operators must follow the same rules before allowing third-party operators to collect covered user personal data.
The New York CDPA has six requirements that apply the covered users.
Processing Restrictions
Operators cannot process (or allow a processor to process) the personal data of a covered user unless: (1) for users under 13, the operator obtains COPPA parental consent or (2) for users ages 13 to 17, the processing is either (a) strictly necessary for certain specified activities or (b) the operator obtains informed consent.
The NYCDPA identifies eight processing activities that are strictly necessary, including:
(1) providing or maintaining a specific product or service requested by the covered user:
(2) conducting internal business operations (defined to exclude, among other things, marketing and advertising);
(3) protecting against fraud; and
(4) complying with law.
And if the processing is not strictly necessary, an operator must obtain “informed consent” from the covered user through:
(5) a request made separately from any other transaction;
(6) a request without the use of dark patterns;
(7) stating that the processing is not strictly necessary and that a user may decline; and
(8) presenting an option to refuse consent.
While the CDPA specifies the process by which informed consent must be obtained, it does not address what information an operator must provide to a user to ensure that the consent is “informed.” This may be further specified in regulation by the OAG.
Purchasing and Selling Covered User Data
Operators are prohibited from purchasing, selling, or allowing a processor or third-party operator to purchase or sell, the personal data of covered users.
Age Flags
Operators are required to treat users as covered users if a user’s device communicates or signals that the user is or shall be treated as a minor through a browser plug-in or privacy setting, device setting, or other mechanism that complies with Attorney General regulations.
Data Deletion – After Learning User is a Covered User
If an operator learns that a user is a covered user, it has 30 days to delete the covered user’s data unless the operator’s processing either complies with COPPA, is strictly necessary, or the operator obtains informed consent. It also must inform third-party operators of a covered user that it allowed personal data to be processed.
Data Processing Agreements
Operators and processors must enter into data processing agreements with third parties prior to disclosing the personal data of covered users to such third parties. Operators also must enter into data processing agreements with processors.
Notice to Third-Party Operators
If the website, online service, or app is primarily directed to minors or the personal data concerns a covered user. operators must provide notice to third-party operators that collect or process covered user personal data.
The Attorney General is also authorized to bring an action to enjoin violations of the NYCDPA – as well as seek civil penalties of up to $5,000 per violation – and promulgate regulations. The NYCDPA will go into effect one year after becoming law.
For questions or further information on state privacy laws, please contact Jim Potter, CHC Executive Director.