Once again, California is setting trends in the world of privacy laws. On September 15, 2022, California’s Governor signed the first comprehensive state law to protect children’s online safety. A week later, on September 23, 2022, the New York Senate introduced a similar bill.

New York’s newly introduced Bill, S9563, the Child Data Privacy and Protection Act (“Bill”), largely mirrors the newly passed California law but has some added protections and procedures that online products targeting children must follow if the law is enacted.

Both the newly enacted California law and the New York bill include expansive protections for children using online products, offering more protections than the Children Online Privacy Protection Act (COPPA) provides. One of the added protections is the age of the covered children. While COPPA aims to protect children under the age of 13, both the California law and the New York Bill extend the age and cover all children under the age of 18.

Specifically, the newly introduced New York Bill, S9563, governs all online products, defined as any online services, features, or platforms, targeted or directed at children under the age of 18. In addition, the Bill requires all online products and services directed at children to follow specific procedures, a few of which are highlighted below.

Data Protection Impact Assessment

Online products must provide the New York Attorney General’s Bureau of Internet and Technology data protection impact assessments before releasing the product. These assessments analyze the ways children will interact with the product and include information on the following:

  • the type of data collected from child users and the reasoning for the collection;
  • the impact the product will have on children;
  • whether parents and guardians will have the capability to access children’s activities;
  • any possible exposure of harmful content to children;
  • procedures parents and guardians can utilize to intervene for the safety of their child; and
  • any other factors the Bureau of Internet and Technology deems necessary.

Banning Data Collection and Digital Advertising 

Online products may not store, process, retain, or sell children’s data unless necessary to provide the service and must provide the Attorney General’s office with a compelling reason to do so. Additionally, online entities may not digitally advertise to a child without first obtaining consent from the child’s parent or guardian. Online products that are purely educational may not collect, retain, process, or sell the personal data of child users.

Privacy by Default

All online products targeted toward children must enable privacy settings by default.

Deceased Children

Parents or guardians of deceased children may request access to their deceased child’s account on the product and their user history and metadata.

Law Enforcement 

Any civil or criminal subpoenas or warrants regarding children harmed or victims of a crime relating to the product must be expedited and prioritized by the entities controlling online products directed at children.

Terms of Service 

Terms of Service to use the online product must be signed and agreed to by both the parent and child.

Notification of Emergency

All online products directed toward children must have visible procedures in place for children, parents, and guardians to notify the entity of a possible issue with the product in case of an emergent situation.

If this expansive Bill protecting child’s safety online is signed into law, the New York Attorney General will have enforcement powers. The Attorney General must notify violators and provide them with a period to cure any violation. In addition, intentional and or reckless violations may face penalties of up to twenty thousand per violation. The Bill also allows plaintiffs to file a private right of action on behalf of a deceased child based on alleged harm from a breach of the Act.

If signed into law, the Bill will change the landscape of privacy laws in terms of protections online products and services must offer to child users that may prompt a domino effect for states across the nation.

Taft will continue to monitor any changes to New York Senate Bill 9563 and keep you updated and advise on such developments right here on Taft’s Privacy & Data Security Insights blog. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.