Privacy & Information Security Law Blog

On August 1, 2024, the Office of the New York State Attorney General (“OAG”) released two Advanced Notices of Proposed Rulemaking (“ANPRM”) for the SAFE for Kids Act and the Child Data Protection Act (the “Acts”). The OAG began the rulemaking pursuant to a mandate from the New York legislature to issue regulations before the Acts go into effect.  The OAG noted that these ANPRMs, while not part of the formal rulemaking process mandated by the NYS Administrative Procedures Act, are a crucial step in gathering information from stakeholders before proposing formal rules.

The ANPRMs feature a series of questions designed to collect vital insights from a diverse group of stakeholders. Attorney General Letitia James has called upon parents, children, advocates, and tech industry professionals to submit comments and information over the next 60 days to help shape these rules.

The Stop Addictive Feeds Exploitation (“SAFE”) for Kids Act prohibits covered operators from providing addictive feeds to minors (persons under age 18) unless they use commercially reasonable and technically feasible methods to verify that the user is not a minor or obtain verified parental consent. Without verified parental consent, the Act also prohibits these covered operators from sending overnight push notifications to minors. Citing a public health crisis caused by extensive social media use, the Act's ANPRM seeks public comments on several key areas, including: analyzing commercially reasonable and technically feasible age determination methods; defining "verifiable parental consent"; identifying factors to categorize addictive social media platforms and their feeds; determining the scope of addictive feeds; and ensuring language access for parental consent.

The Child Data Protection Act (“CDPA”) protects minors (under 18), distinguishing rules for minors under 13 and minors over 13.  CDPA prohibits online sites from collecting, using, sharing, selling or otherwise processing the personal information of minors 13 and under, unless such processing is permitted under the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulations. For minors 13 and older, the law prohibits online sites from processing their personal information unless the operator has obtained “informed consent,” or the processing is “strictly necessary” for a number of specified purposes.  The CDPA primarily applies to operators of online sites where the operator actually knows the site is processing a minor user’s data or is primarily directed to minors.

The CDPA’s ANPRM focuses on several critical questions: determining the factors to consider when assessing whether a website is primarily directed at minors; evaluating the regulatory approach to anonymized or de-identified data that could potentially still be relinked to a specific individual; assessing the definition of "sale;" defining what constitutes processing that is strictly necessary to be permissible without requiring specific consent; and exploring methods for obtaining informed consent (from minors 13 – 17) and parental consent.

After the 60-day comment period, the Attorney General’s office will initiate the formal rulemaking process, which will include an additional public comment period once the proposed rules are published in the State Register. Stakeholders can submit their comments to protectnykidsonline@ag.ny.gov for the SAFE for Kids Act and childdataprotection@ag.ny.gov for the Child Data Protection Act by September 30, 2024.

The OAG issued the ANPRMs within days of publishing website tracking guidance, further confirming the NY AG’s focus on data privacy and consumer protection in the absence of U.S. or New York comprehensive privacy legislation.  New York joins the ranks of a number of states that have proposed or enacted laws to protect minors’ and children’s privacy.