On June 7, 2023, the New York legislature passed the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (SAFE Act or the Act) and the New York Child Data Protection Act (CDPA), both aimed at protecting children online. The SAFE Act prohibits covered social media companies from providing individuals under 18 (minors) with “addictive feeds” (as defined in the SAFE Act) and overnight notifications, absent parental consent. The CDPA is intended to complement the SAFE Act by limiting the extent to which providers of internet websites, online and mobile applications, and connected devices (service) can collect, use, share, and sell minors’ personal data. If signed into law by Governor Hochul, the SAFE Act and CDPA would create new, onerous requirements for entities doing business in New York. The key provisions of each act are highlighted below.
SAFE Act
The SAFE Act reflects the New York legislature’s intent to shield children and teens from potentially negative effects of extended social media use, which it believes is especially harmful in the evening. The Act defines covered operators as providers of online services or mobile applications that offer an “addictive feed” as a significant part of their service; and the Act prohibits covered operators from providing an “addictive feed” to their New York users unless the covered operator has determined that the user is not a minor or has obtained verified parental consent (VPC) to provide the “addictive feed.”
Addictive Feeds. Addictive feeds are defined as an online service or mobile application in which “media generated or shared by users” is “recommended, selected, or prioritized for display to a user based, in whole or in part,” on the user’s information or device. The Act lays out several exemptions to this broad definition for the display of media:
- that is not based on the user’s past interactions with other media on the service, the user’s information, or the user’s device;
- that is based on user privacy or accessibility settings, or technical information related to the user’s device;
- that the user expressly requests to be displayed or blocked;
- media that is a direct and private communication;
- media that is provided in response to a user’s search inquiry; and
- media displayed in chronological order.
Duty to Determine Age. Providing an “addictive feed” to a user is barred unless the covered operator has used “commercially reasonable and technically feasible methods” to determine the user is not a minor. This requirement effectively imposes a duty on covered operators to determine the age of all users to whom it wishes to provide an “addictive feed.” The New York legislature notes that the commercially reasonable standard is flexible and will be determined by the totality of circumstances, factoring in the covered operator’s size, financial resources, technical capabilities, and other relevant factors.
The New York Attorney General (AG) is tasked with promulgating rules that identify multiple commercially reasonable and technically feasible age determination methods, including the level of accuracy required. Among the methods to be provided by the AG must be an option that either: 1) does not solely rely on government issued identification or 2) allows for user anonymity. Covered operators who determine a user is not a minor by using the AG’s methods are permitted to presume that the user is not covered under the SAFE Act, unless the covered operator obtains actual knowledge that the user is a minor.
Duty to Obtain Verified Parental Consent for Minors. If the covered operator determines that a user is a minor, it must obtain VPC to provide an addictive feed to that minor. Prospective AG rules will identify appropriate methods of obtaining VPC, including outlining which languages the consent must be offered in.
Information used to determine a user’s age or obtain verified parental consent must only be used for those purposes and must be deleted immediately after use, unless another law requires retention.
Overnight Notifications. The SAFE Act also prohibits covered operators from sending notifications related to an “addictive feed” to a minor from 12 a.m. to 6 a.m. ET, unless the covered operator has obtained VPC.
Attorney General Rulemaking Authority. In addition to the rules mentioned above, the AG has authority to make any other rules necessary to effectuate and enforce the Act. Language in the Act also signals that the AG may have the authority to require covered operators to respect automated browser signals that communicate a user is a minor.
Penalty for Violations. The AG may bring an action to enjoin violations, obtain restitution, disgorge any ill-gotten profits or gains (including the destruction of unlawfully obtained data), obtain monetary damages, obtain civil penalties up to $5,000 per violation, and obtain other court-granted relief. The Act does not provide a private right of action.
Effective. The Act takes effect 180 days after the AG promulgates rules to effectuate the Act.
CDPA
As the CDPA’s terminology and scope differ from the SAFE Act, this section will cover a few key definitions before diving into the substance of the CDPA.
Key Definitions. The CDPA governs the processing of covered users’ personal data by operators, third-party operators, and processors. Entities that act as both an operator and a processor are subject to the obligations of each role.
- Under the CDPA, covered users are either users of an online service, mobile application, or connected device that are known to be minors; or users of an online service, mobile application, or connected device that is primarily directed to minors.
- Operators are defined as any person who operates or provides an online service, mobile application, or connected device who, alone or jointly with others, controls the purposes and means of processing personal data.
- Third-party operators are operators who: are not the operator with whom the user intentionally and directly interacts; or are not the operator that collects personal data from direct and current interactions with the user.
- Processors are defined as any person who processes data on behalf of the operator.
- And finally, the terms “process” and “processing” cover a broad range of activities performed on personal data, including “collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, and de-identification.”
Processing Covered Users’ Personal Data Is Prohibited with Certain Exceptions. The CDPA prohibits operators from processing, or allowing its processors to process, the personal data of a covered user collected through its service. Operators must also not allow a third-party operator to collect covered users’ personal data through the operators’ service.
There are exemptions to this broad prohibition for minors 12 and under where processing is permitted under the Children’s Online Privacy Protection Act1 (COPPA); and for minors 13 and older when the processing is strictly necessary (for purposes specified below) or informed consent has been obtained.
- Strictly Necessary Purposes for Processing Data. Such permissible purposes include:
- providing or maintaining a specific product or service requested by the minor;
- conducting the operator's internal business operations (marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the service are all not considered internal business);
- identifying and repairing technical errors that impair existing or intended functionality;
- protecting against malicious, fraudulent, or illegal activity;
- investigating, establishing, exercising, preparing for, or defending legal claims;
- complying with applicable laws and legal process;
- detecting, responding to, or preventing security incidents or threats; or
- protecting the vital interests of a natural person.
- Informed Consent. For processing that is not considered strictly necessary per the above criteria, operators must obtain informed consent from the covered user either through a device communication or signal or via a request to the covered user. Once provided, consent must be freely revocable. Notably, even if an operator learns that a user is no longer a covered user (i.e., a user turns 18), the operator still may not process their personal data unless it receives informed consent and informs the user that they may no longer be covered under CDPA.
- Device signals. Operators must respect clear and unambiguous device signals that a user is or shall be treated as a minor. While the CDPA does not detail how signals are generated or communicated, it provides examples such as browser plug-in or privacy settings or device settings, and it notes that the AG may promulgate rules that provide further detail on compliant mechanisms. In the event that a device signal is unclear or ambiguous, operators must follow the request process below.
- Requests. Operators’ requests for informed consent must be made separate from any other transaction; be unobscured; clearly and conspicuously state that the processing is not strictly necessary, and that the user may decline to provide informed consent while retaining access to the service; and include an option to refuse to provide consent as the most prominent option.
- Requirements for Operators That Have Improperly Collected a Covered User’s Personal Data. Unless COPPA allows for processing the covered user’s personal data or the operator obtains informed consent:
- the operator must dispose of the covered user’s personal data and mandate that its processors do the same; and
- the operator must notify any third-party operators to whom it disclosed the personal data of a covered user.
Processing Agreement Between Operators and Processors Is Required. Neither operators nor processors may share personal data of a covered user to a third party without a binding written agreement that sets forth the nature and purpose of the processing, instructions for using or further disclosing personal data, and the rights and obligations of both parties.
The agreement must also require processors to only process personal data of covered users in accordance with the agreement; assist the operator in complying with the CDPA; demonstrate its compliance with the CDPA; coordinate reasonable assessments with the operator to evaluate compliance; and notify the operator before disclosing the personal data of covered users to further processors. Under the Act, processors must process data only by the terms of the operator-processor agreement.
Processors must also respect an operator’s request to delete personal data and notify sub processors to do the same. Processors must provide evidence of deletion to the operator within 30 days of the request.
Third-Party Operator Protections. The CDPA exempts third-party operators from its requirements when processing the personal data of covered users of a separate entity’s service, as long as: the third-party operator was provided “reasonable representations” that the covered user gave informed consent for the processing; or the third-party operator does not have actual knowledge that the covered user is a minor and does not have actual knowledge that the separate entity’s service is primarily directed to minors.
Attorney General Rulemaking Authority. In addition to the rules mentioned above, the AG has authority to make any other rules necessary to effectuate and enforce the CDPA.
Penalty for Violations. Like the SAFE Act, the AG may bring an action to enjoin violations, obtain restitution, disgorge any ill-gotten profits or gains—including but not limited to the destruction of unlawfully obtained data, obtain monetary damages, obtain civil penalties of up to $5,000 per violation, and other court-granted relief. There is no private right of action.
Effective. The CDPA will take effect one year after it becomes law.
Both the SAFE Act and CDPA expressly state that nothing in them should be construed to impose liability that is inconsistent with COPPA. This is likely intended to mitigate preemption arguments.
Wilson Sonsini Goodrich & Rosati routinely advises companies on federal and state laws related to children’s online privacy. For additional guidance, please contact Maneesha Mithal, Chris Olsen, Boniface Echols, or another member of the firm’s privacy and cybersecurity practice.
