On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the “New York Child Data Privacy and Protection Act.” The bill, which resembles the recently passed California Age-Appropriate Design Code Act, bans certain data collection and targeted advertising and requires data controllers to, among other obligations, assess the impact of their products on children.
The bill would impose obligations and restrictions related to the processing of “personal data,” which broadly includes “information that identifies, relates to, describes or is reasonably linked to a particular child user.” “Child user” is defined as a consumer under 18 years of age that accesses an online product with a device. Notably, the bill would not exclude pseudonymized data from its requirements. Key bill requirements include the following:
- Entities offering an online product targeted to child users in New York (“Covered Entities”) would be required to complete and submit to the New York Bureau of Internet and Technology (“Bureau”) a data protection impact assessment before the product could be made available to the public. After receiving initial approval for the online product, Covered Entities would be required to submit annual data impact assessments to the Bureau.
- Covered Entities would be prohibited from:
- collecting, retaining, processing or selling personal data of child users unless (1) the collection, retention, processing or sale is necessary to provide the online product, and the collection, processing, retention or sale is limited to that purpose; or (2) the Covered Entity can demonstrate to the Bureau that it has a compelling reason for the collection, processing, retention or sale that furthers the interest of the child.
- using digital advertising on the online product to target child users unless they obtain parental consent and can demonstrate to the Bureau that they have a compelling reason for offering the advertising that furthers the interest of the child.
- collecting, retaining, processing or selling personal data of child users where the online product is intended primarily for educational purposes.
- Covered Entities would be required to utilize “privacy by default,” i.e., designing the online product to apply the strictest online privacy settings without any manual input required from the user, and to retain personal data from a child user for the duration of time necessary to provide the product to the user.
- Covered Entities would be required to design and activate a feature which proactively alerts child users, in a manner likely to be understood by a child in the age range targeted by the online product, when their personal data is being collected and the duration of time the collection occurs.
Under the bill, the Bureau also could ban auto-play, push notifications, prompts, in-app purchases or any other feature in an online product targeted toward child users that the Bureau deemed to be “designed to inappropriately amplify the level of engagement a child user has with such product.” The New York Attorney General would be authorized to enforce the bill and would be required to provide businesses a 90-day cure period before bringing an enforcement action. Businesses that knowingly or recklessly violate the bill could be subject to a civil penalty of up to $20,000 per violation with a cap of $250 million.