New York’s Child Data Protection Act (NYCDPA) has gone into effect, introducing sweeping new requirements for businesses that collect personal data from minors under 18. While New York has not yet joined the ranks of the nearly two dozen states that have enacted a general consumer privacy law, the NYCDPA serves the purpose of “protect[ing] the privacy of children and young adults by restricting digital services from collecting or using the personal data of users under the age of 18 without consent.”
Going beyond the narrower scope of teen privacy laws in other states, the NYCDPA:
- applies broadly to online sites, services, apps, and devices that process the personal data of young users in New York;
- requires businesses to obtain consent for certain processing activities and restricts the purposes for which minors’ data can be used;
- includes obligations for data deletion and requires contractual safeguards with service providers; and
- is enforced by the New York Attorney General, with potential penalties of up to $5,000 per violation.
Below is a summary of the law’s key provisions and takeaways for businesses operating within its broad reach.
Scope and Applicability
Unlike other recently enacted teen privacy laws that narrowly target social media, gaming platforms, and similar services, the NYCDPA takes a broader approach. It applies to all “operators,” defined as any person or entity that operates or provides a website, online service, online application, mobile application, or connected device—and that, either alone or jointly with others, determines the purposes and means of processing personal data.
The NYCDPA’s requirements are triggered only when an operator processes the personal data of “covered users.” These are defined as New York users who are either: (i) known by the operator to be minors, or (ii) using a site, service, application, or device that is primarily directed[1] to minors. Importantly, the law requires operators to treat a user as a covered user if the user’s device indicates that the individual is a minor, such as through a browser plug-in, privacy setting, or any other mechanism that may be specified by the New York Attorney General.
Key Requirements
- Providing or maintaining a specific product or service requested by the covered user, where the processing is directly related to that product or service. Importantly, operators may not circumvent the NYCDPA’s consent requirement by marketing their core service as one that necessarily includes otherwise unnecessary processing activities (e.g., a budgeting app collecting personal data that is unrelated to monthly spending, such as a user’s precise geolocation).
- Conducting the operator’s internal business operations. Significantly, internal business operations do not include marketing, advertising, research and development, providing products or services to third parties, or prompting engagement by users when the operator’s service is not in use.
- Identifying and repairing technical errors.
- Protecting against malicious, fraudulent, or illegal activity.
- Investigating, establishing, exercising, preparing for, or defending legal claims.
- Complying with federal, state, or local laws, rules, or regulations.
- Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
- Detecting, responding to, or preventing security incidents or threats.
- Protecting the vital interest of a natural person. This purpose includes processing that is associated with the operator’s trust, health, and safety policies.
- Elements of consent. Operators must honor unambiguous signals from a covered user’s device (such as through a browser plug-in, privacy setting, or other mechanism that may be specified by the New York Attorney General) that indicate that the user either consents or declines to consent for processing activities that are not “strictly necessary.” Absent such signals, operators can request consent, so long as such requests:
- Are presented separately from any other transaction or part of a transaction;
- Are made without any mechanisms that obscure, subvert, or impair the user’s ability to make an informed decision (e.g., dark patterns);
- Clearly disclose that the requested processing is not strictly necessary and that the user may decline consent without affecting their ability to continue using the service; and
- Present the option to decline consent as the most prominent choice.
Additionally, covered users must be able to revoke consent at any time. If a user either revokes consent or declines to provide it initially, the operator may not request consent for another year. Furthermore, operators may not withhold, degrade, lower the quality of, or increase the price of any service or feature if a covered user declines to provide consent.
- Purchase and sale prohibitions. Operators may not purchase or sell—or allow any processors or third-party operators to purchase or sell—covered users’ personal data. Like most privacy laws, the prohibition on selling personal data does not apply to the transfer of data as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction.
- Data deletion. Within 30 days of determining or being informed that a user qualifies as a covered user, an operator must delete—and instruct all subprocessors to delete—personal data related to that user, unless the data is being processed in compliance with the NYCDPA’s processing restrictions and consent requirements. The operator must also notify any third-party operators to whom the user’s personal data was disclosed that the individual is a covered user.
- Aging out notifications. Once an operator becomes aware that a user is no longer a covered user (e.g., the user turns 18), the operator must notify the user that the protections provided under the NYCDPA no longer apply. However, any personal data collected while the user was a covered user must continue to receive NYCDPA protections, unless the operator obtains the user’s consent for further processing.
- Processor agreements. Operators must enter into a written agreement with service providers that process covered user personal data on the operator’s behalf. Such agreements must require the processor to:
- Third-party operators. Before disclosing a covered user’s personal data to a third-party operator—or allowing that third party to collect such data directly through tools like pixels or APIs—the operator must inform the third party if the operator’s service is primarily directed to minors or if the data pertains to a covered user. Relatedly, third-party operators that receive covered user data are themselves subject to the NYCDPA’s consent requirements, unless: (i) they have received a written assurance from the disclosing operator that informed consent was obtained; or (ii) they lack actual knowledge that the user is a minor or that the originating service is primarily directed to minors.
While businesses may find some of the NYCDPA’s requirements confusing or ambiguous, the New York Attorney General has issued guidance clarifying various provisions of the law, and that guidance is reflected in this alert.
Relation to COPPA, FERPA, and New York Education Law
The New York Attorney General’s guidance affirms that the NYCDPA adopts COPPA as the governing standard for processing personal data of covered users under the age of 13.[2] It further clarifies that the NYCDPA does not displace existing protections under New York Education Law or the Family Educational Rights and Privacy Act (FERPA). Instead, the NYCDPA functions as a complementary overlay, filling gaps and addressing scenarios that fall outside the scope of those established legal frameworks.
Enforcement
The New York Attorney General may enjoin any violation of the NYCDPA and seek civil penalties of up to $5,000 per violation, among other remedies. The New York Attorney General has stated that it plans to exercise discretion when pursuing enforcement actions and that it “will take into account an operator’s good-faith efforts” to comply with the law.
Compliance with the NYCDPA in Practice
Although New York has not enacted a general consumer privacy law, businesses can no longer overlook privacy obligations for minor users in the state. Compliance with the NYCDPA begins with a thorough assessment of whether a business’s services are directed to, or used by, individuals under 18 in New York. Businesses must implement reliable methods for identifying minor users, consider limiting data processing activities by default, and establish clear consent mechanisms for any non-essential data uses. In addition, companies must ensure that all third parties handling minors’ data on their behalf are subject to appropriate contractual safeguards that meet the law’s requirements. Businesses should also pay careful attention to additional guidance and regulations promulgated by the New York Attorney General for further clarity regarding some of the more ambiguous provisions of the law.
Charlene Adimou, a summer associate at Morrison Foerster, contributed to this alert.
[1] Under the NYCDPA, a service is considered “primarily directed to minors” if it is targeted to minors. Simply linking to another site that is directed to minors does not make the service primarily directed to minors. However, a service is deemed primarily directed to minors when the operator has actual knowledge that it is collecting personal data directly from users of another service that is primarily directed to minors. The New York Attorney General further clarified that “primarily directed” demands more than merely being of general interest to minors.
[2] Notably, state attorneys general separately have enforcement authority under COPPA. See 15 U.S.C. § 6504.