United States - Privacy Protection (2024)


On June 7, 2024, the New York Legislature passed two bills to protect children online. The Stop Addictive Feeds Exploitation (SAFE) for Kids Act, S7694A, prohibits social media platforms from providing defined "addictive feeds" to minors under the age of 18 without verifiable parental consent. The New York Child Data Protection Act (CDPA), S7695B, bars online operators from collecting, using, sharing, and selling personal data of minors ages 13 to 17 without their informed consent unless strictly necessary and requires parental consent to process the data of minors 12 years of age and younger.

Governor Kathy Hochul signed both bills into law on June 20, 2024. The SAFE Act will go into effect 180 days after the New York attorney general finalizes regulations necessary for implementation, and the CDPA will go into effect June 20, 2025. Both bills provide for enforcement solely by the attorney general, who can bring actions to enjoin violations, recover damages, and obtain civil penalties up to $5,000 per violation.

But technology industry trade groups, such as NetChoice, have condemned both bills as unconstitutional. NetChoice signaled its intent to challenge the legislation akin to its successful challenge of the California Age-Appropriate Design Code Act (CAADCA), which bars the use of children's (users under 18 years of age) personal information in ways known to be "materially detrimental" to their physical health, mental health, or well-being.1 In 2023, the U.S. District Court for the Northern District of California subjected the CAADCA to heightened First Amendment scrutiny and preliminarily enjoined it in its entirety.2 The decision rested in part on CAADCA's requirement that businesses estimate the age of child users or implement default privacy settings, thus blocking children and adults from some content.3

Stop Addictive Feeds Exploitation (SAFE) for Kids Act

Applicability and Scope

The SAFE Act creates new obligations for covered operators—i.e., those that operate or provide an "addictive social media platform," which are online services that offer or provide "addictive feeds" as a "significant part" of their services. Specifically, it prohibits "addictive social media platforms" from providing "addictive feeds" to minors under age 18 without parental consent. Aimed at algorithms that increase or prolong social media usage, the SAFE Act defines "addictive feeds" that may not be provided to minors without parental consent as any website, online service, or application—or portion thereof—in which "multiple pieces of media generated or shared by users" are "recommended, selected or prioritized for display based—in whole or in part—on information associated" with a user or the user's device, unless one of the following conditions is met:

  • the recommendation, prioritization, or selection is based on information that is not persistently associated with the user or user's device, and does not concern the user's previous interactions with media generated or shared by other users;
  • the recommendation, prioritization, or selection is based on user-selected privacy or accessibility settings, or technical information concerning the user's device;
  • the user expressly and unambiguously requested the specific media; media by the author, creator, or poster of media the user has subscribed to; or media shared by users to a page or group the user has subscribed to, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible;
  • the user expressly and unambiguously requested that specific media; media by a specified author, creator, or poster of media the user has subscribed to; or media shared by users to a page or group the user has subscribed to, be blocked, prioritized or deprioritized for display, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the user or the user's device that is not otherwise permissible;
  • the media are direct and private communications;
  • the media are recommended, selected, or prioritized only in response to a specific search inquiry by the user;
  • the media recommended, selected, or prioritized for display is exclusively next in a pre-existing sequence from the same author, creator, poster, or source; or
  • the recommendation, prioritization, or selection is necessary to comply with the provisions of the SAFE Act and its incumbent rulemaking.

The SAFE Act applies to conduct that occurs in whole or in part in New York. Conduct takes place wholly outside of New York if the addictive social media platform is accessed by a user who is physically located outside of New York.

Prohibition on Addictive Feeds

Covered operators must implement an age verification mechanism to determine the age of users. They may provide addictive feeds to users if they have: (1) used commercially reasonable and technically feasible methods to determine that a user is not a minor; or (2) obtained verifiable parental consent to provide the addictive feed, in the event that the user is a minor.

Prohibition on Overnight Notifications

The SAFE Act prohibits covered operators from sending notifications concerning an addictive feed to a minor between the hours of 12 AM and 6 AM Eastern Time unless the covered operator has obtained verifiable parental consent to send such nighttime notifications.

Attorney General Rulemaking and Enforcement

The New York attorney general has sole enforcement authority and is required to promulgate rules and regulations to effectuate and enforce the SAFE Act. In particular, the attorney general must issue regulations:

  1. identifying multiple commercially reasonable and technically feasible methods for operators to determine if a user is a minor, including,
    • at least one method that either does not rely solely on government-issued identification or that allows a covered user to maintain anonymity as to the covered operator of the addictive social media platform, and
    • identifying appropriate levels of accuracy, and
  2. identifying methods of obtaining verifiable parental consent.

No earlier than 180 days after the effective date of the SAFE Act, the New York attorney general may bring an action or special proceeding to enjoin any violation of the SAFE Act, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation; disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data; damages caused directly or indirectly by any such violation; civil penalties of up to $5,000 per violation; and any such other and further relief as the court may deem proper, including preliminary relief.

The New York attorney general must maintain a website to receive complaints, information or referrals from the public concerning an operator's or social media platform's alleged compliance or non-compliance with the SAFE Act.

Language Access

Instructions to parents on how to provide verifiable parental consent must be made available in at least the twelve most commonly spoken languages in New York state and as further defined by regulations promulgated by the attorney general.

Nondiscrimination

Operators must not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a user due to the operator not being permitted to provide an addictive feed to such user.

New York Child Data Protection Act

Applicability and Scope

The CDPA applies to operators of online services that collect personal data of covered users. An "operator" is "any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data." A "covered user" is any "user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York" who is (a) "actually known" by the operator to be a minor; or (b) using a website, online service, application, or connected device that is "primarily directed to minors."

A website, online service, application, or connected device is "primarily directed to minors" if it—or a portion thereof—is "targeted to minors" or if the operator has actual knowledge that it is collecting personal data directly from users of another website, online service, application, or connected device that is primarily directed to minors. However, a website, online service, application, or connected device will not be considered primarily directed to minors simply because it refers or links to any other website, service, application, or device primarily directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link.

The CDPA applies to conduct that occurs in whole or in part in the state of New York. Conduct that takes place wholly outside of the state of New York is exempt from the CDPA if: (1) the operator collected a user's personal data while the covered user was outside of the state of New York; (2) no part of the use of the covered user's personal data occurred in the state of New York; and (3) no personal data collected while the covered user was in the state of New York is used.

Restrictions on Processing

The CDPA prohibits operators from processing—or allowing a processor to process or a third-party operator to collect—the personal data of a covered user collected through the operator's website, online service, application, or connected device unless the covered user is:

  • 12 years of age or younger and processing is permitted under the Children's Online Privacy Protection Act (COPPA) and its implementing regulations, or
  • 13 years of age or older and processing is strictly necessary for certain processing activities enumerated under the CDPA or the operator has obtained informed consent from the minor.

Operators may process information of minors 13 or older without their informed consent only if such processing is strictly necessary for one of the following eight activities:

  1. Providing or maintaining a specific product or service requested by the covered user;
  2. Conducting the operator's internal business operations (not including any activities related to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the website, online service, application, or connected device when it is not in use);
  3. Identifying and repairing technical errors that impair existing or intended functionality;
  4. Protecting against malicious, fraudulent, or illegal activity;
  5. Investigating, establishing, exercising, preparing for, or defending legal claims;
  6. Complying with federal, state, or local laws, rules, or regulations;
  7. Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  8. Detecting, responding to, or preventing security incidents or threats, or
  9. Protecting the vital interests of a natural person.

An operator relying on informed consent of minors 13 or older must obtain such consent from the covered user either through a device communication or signal or through a request.

Requests for informed consent must:

  • Be made separately from any other transaction or part of a transaction;
  • Be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing (i.e., dark pattern);
  • Clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary and that the covered user may decline without preventing continued use of the website, online service, application, or connected device; and
  • Clearly present an option to refuse to provide consent as the most prominent option.

Informed consent, once given, must be freely revocable at any time, and must be at least as easy to revoke as it was to provide. If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year; however, an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent. If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing, an operator may not request informed consent for such processing. However, as explained above, the operator may still make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent.

Restrictions on Sale

The CDPA prohibits operators from purchasing or selling—or allowing a processor or third-party operator to purchase or sell—the personal data of a covered user. "Selling" means sharing personal data for monetary or other valuable consideration unless it is an asset that is part of a merger, acquisition, or other change in corporate control.

Data Deletion and Third-Party Notification Requirements

Within 30 days of determining or being informed that a user is a covered user, an operator must:

  • Dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless: (1) processing such personal data is permitted under COPPA, (2) processing is strictly necessary for an approved processing activity; or (3) the operator has obtained informed consent; and
  • Notify any third-party operators to whom it knows it disclosed personal data of that covered user, and any third-party operators it knows it allowed to process the personal data that may include the personal data of that user, that the user is a covered user.

Before disclosing personal data to a third-party operator or permitting a third-party operator to collect personal data from the operator's website, online service, application, connected device, or portion thereof, the operator must disclose to the third-party operator:

  • When their website, online service, application, connected device, or portion thereof, is primarily directed to minors; or
  • When the personal data concerns a covered user.

Processor Contracting Requirements

The CDPA prohibits operators or processors from disclosing personal data of a covered user to a third party (or allowing the processing of the personal data of a covered user by a third party) without a written, binding agreement governing such disclosure or processing. This agreement must require that the processor:

  • Process the personal data of covered users only pursuant to the instructions of the operator, unless otherwise required by applicable law.
  • Assist the operator in meeting the operator's obligations under the CDPA.
  • Upon reasonable request of the operator, make available to the operator all information in its possession necessary to demonstrate the processor's compliance with the CDPA.
  • Allow and cooperate with reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the CDPA. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the operator upon request.
  • Notify the operator within a reasonable amount of time before disclosing or transferring the personal data of covered users to any further processors, which may be in the form of a regularly updated list of further processors that may access personal data of covered users.

Coverage of Users Who Age Out

Upon learning that a user is no longer a covered user, an operator must:

  • Not process the personal data of the covered user who would otherwise be subject to the CDPA until it receives informed consent, and
  • Provide notice to such user that they may no longer be entitled to all of the protections and rights provided under the CDPA.

Respecting User-Provided Age Flags

An operator must treat a user as a covered user if the user's device communicates or signals that the user is or must be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism that complies with regulations promulgated by the attorney general.

Similarly, an operator must adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing for which the covered user consents or declines consent. An operator must not adhere to unclear or ambiguous communications or signals from a covered user's device and must instead request informed consent.

Safe Harbor for Third-Party Operators

Third-party operators that process the personal data of a covered user of another website, online service, application, or connected device are not subject to the obligations above, provided that:

  • The third-party operator received reasonable written representations that the covered user provided informed consent for such processing, or
  • The third-party operator does not have actual knowledge that the covered user is a minor or that the other website, online service, application, or connected device, or portion thereof, is primarily directed to minors.

Enforcement and Rulemaking

The New York attorney general has sole enforcement authority and may—but is not required to—promulgate rules and regulations to implement and enforce the CDPA.

The attorney general may bring an action or special proceeding to enjoin any violation of the CDPA, to obtain restitution, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation (including but not limited to the destruction of unlawfully obtained data), to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to $5,000 per violation, and to obtain any such other and further relief as a court may deem proper, including preliminary relief.

It remains to be seen whether the attorney general will use this disgorgement authority to seek destruction of algorithms, models, or other AI-related work product trained on or derived from covered user data processed without informed or parental consent, such as in the FTC's order against Kurbo.

Effective Date

The CDPA will take effect June 20, 2025.

Familiar Privacy Protections, but a New Approach to Algorithms

While the CDPA's opt-in requirements for personal data processing are similar to other state child privacy laws, such as Virginia's amendment to its Consumer Data Protection Act, the SAFE Act's specific approach to combat potentially harmful effects of algorithms is the first of its kind. Other states have taken different approaches to protecting minors' safety, however. For instance, the California Age-Appropriate Design Code Act (CAADCA) bars the use of children's (users under 18 years of age) personal information in ways known to be "materially detrimental" to their physical health, mental health, or well-being.4 In 2023, the U.S. District Court for the Northern District of California subjected the CAADCA to heightened First Amendment scrutiny and preliminarily enjoined it in its entirety.5 The decision rested in part on CAADCA's requirement that businesses estimate the age of child users or implement default privacy settings, thus blocking children and adults from some content.6

The SAFE Act takes a different approach, finding "children are particularly susceptible to addictive feeds because they provide a non-stop drip of dopamine with each new piece of media and because children are less capable of exercising the impulse control necessary to mitigate these negative effects." Like CAADCA, the SAFE Act implements content restrictions based on a user's age, but the policy mechanisms it employs—parental consent and age verification requirements—are more like other social media safety laws passed in states like Arkansas and Tennessee. Observers will continue to monitor how courts interpret the connection between children's data, restrictions on content availability, and the First Amendment.

DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations. For assistance with state privacy laws, please contact the author of this alert or the Davis Wright Tremaine attorney with whom you work.

*Joshua Peck is a law student at Georgetown University Law Center and currently a summer associate at Davis Wright Tremaine.

Footnotes

1 Age-Appropriate Design Code Act, Cal. Civ. Code. §1798.99.31(b)(1).

2 NetChoice, LLC v. Bonta, No. 22-CV-08861-BLF, 2023 WL 6135551 (N.D. Cal. Sept. 18, 2023). The California attorney general appealed to the 9th Circuit (No. 23-2969). Briefing is complete and oral argument is currently scheduled for July 17, 2024, in San Francisco.

3 See id., 2023 WL 6135551 at *14.

4 Age-Appropriate Design Code Act, Cal. Civ. Code. §1798.99.31(b)(1).

5 NetChoice, LLC v. Bonta, No. 22-CV-08861-BLF, 2023 WL 6135551 (N.D. Cal. Sept. 18, 2023).

6 See id. at *14.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
