New York’s unique Child Data Protection Act: Here’s everything you need to know

Constangy, Brooks, Smith & Prophete, LLP

New York’s Child Data Protection Act took effect on June 20. This is a landmark piece of legislation designed to enhance the online privacy and safety of minors. As concerns over children’s digital footprints grow, New York’s approach is drawing national attention for its distinctive legal standards.

Unlike federal laws such as the Children’s Online Privacy Protection Act and other state laws, New York’s CDPA introduces new obligations for organizations interacting with minors online and raises the bar for ethical data management.

Overview of the CDPA

The CDPA is designed to safeguard the personal data of individuals under the age of 18. It applies to websites, apps, and digital services that are likely to be accessed by minors in the state of New York. The law aims to curb exploitative data practices and ensure that children’s best interests are prioritized in digital environments.

The CDPA is enforced by the New York Attorney General’s Office, which has been tasked with developing regulations and overseeing compliance.

The core requirements of the CDPA are as follows:

  • Harmful data practices prohibited. Companies are barred from collecting, processing, or sharing a child’s personal data in ways that are not in the child’s best interests.
  • Restrictions on algorithms and profiling. Businesses must limit the use of algorithms and profiling techniques that could negatively affect children, such as those used for behavioral targeting.
  • Ban on data sales. Any sale of a minor’s personal data is prohibited.
  • Data minimization. Organizations may collect only the data that is necessary for the functionality of their services.
  • “Best Interests” standard. The law introduces a flexible, child-first standard, requiring businesses to consider the potential risks of their data practices.

Contrast between CDPA and other laws

The CDPA, which protects minors under age 18, is notably broader than the federal COPPA, which primarily protects children under age 13. The CDPA also does not rely solely on parental consent.

Additionally, in contrast to California’s Age-Appropriate Design Code Act, New York’s CDPA adopts a “best interests of the child” framework, focusing on the potential harm of data practices rather than design features alone. This approach is more aligned with data protection philosophies seen in Europe under the General Data Protection Regulation.

Reactions and controversies

Privacy advocates have praised the CDPA for prioritizing children’s rights when it comes to digital regulation. However, industry groups have critiqued the law’s potentially ambiguous standards and the burden of implementation.

For example, the Software & Information Industry Association expressed concern over vague definitions (for example, "personal data" and "primarily directed to minors") and potential impacts on education tech platforms. The Association advocates clearer guidance modeled after federal COPPA. Other industry concerns include the disproportionate impact on vulnerable groups, constitutional rights, the economic implications of limiting algorithmic personalization, and advertising practices.

Although legal challenges may follow the implementation of the CDPA, it remains to be seen whether attempts at the federal level will have an impact on the law.

Enforcement

The New York Attorney General has been tasked with investigating violations, bringing enforcement actions, and assessing civil penalties against organizations that fail to comply with the law.

Practical tips for organizations

The New York CDPA sets a new precedent for minors’ digital privacy in the United States. Its sweeping protections, broad age range, and flexible standards could influence legislation nationwide.

As the law takes effect, organizations must act quickly to adapt their practices or risk legal and reputational consequences:

  • Reevaluate digital services and whether they are likely to be accessed by minors.
  • Eliminate non-essential data collection for users under age 18.
  • Prepare for increased scrutiny from regulators, parents, and privacy advocates.
  • Take a proactive approach to embedding “child-first” principles into product design and data governance.

To comply with the CDPA, businesses should do the following:

  • Conduct data audits and privacy impact assessments.
  • Review their use of algorithms and targeted advertising.
  • Implement or update age estimation and parental control tools.
  • Ensure that privacy policies reflect the requirements of the CDPA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
