Establishes the New York child data protection act to protect minors from having their personal data accessed; provides exceptions in certain circumstances.
NEW YORK STATE ASSEMBLY MEMORANDUM IN SUPPORT OF LEGISLATION submitted in accordance with Assembly Rule III, Sec 1(f)
 
BILL NUMBER: A8149
SPONSOR: Rozic
 
TITLE OF BILL:
An act to amend the general business law, in relation to establishing
the New York child data protection act
 
PURPOSE:
The purpose of this bill is to protect the privacy of children and young adults by restricting digital services from collecting or using the personal data of users they know are under the age of 18 without consent, and prohibiting or requiring safeguards for the sale or disclosure of the personal data of users they know are under the age of 18.
 
SUMMARY OF SPECIFIC PROVISIONS:
Section 1 creates a new article 39-FF titled The New York Child Data Protection Act. The article prohibits operators from collecting, using, sharing, or otherwise processing any personal data of users they know to be under the age of 18, or of users of services primarily directed to minors, without informed consent, except where the processing is strictly necessary. It also prohibits disclosing any data of minors to third parties unless there is a written binding agreement.
This act covers conduct that occurs wholly or partly in New York State and authorizes the Attorney General to bring proceedings or special actions when online platforms violate this law.
Section 2 provides a severability clause.
Section 3 provides the effective date.
 
JUSTIFICATION:
Children now live much of their lives online. They learn online, socialize online, and shop online. They make mistakes online, and they discover who they are online. Right now, there's nothing stopping websites or other digital services from monitoring every minute detail of our children's online lives, creating profiles of every decision our children make or avoid. This information can be used against our children's interests, including by precisely crafting and targeting advertisements children are uniquely ill-suited to resist, or by haunting children with records of teenage experiences as they move from childhood to adulthood. Children should be able to freely experience the online world without concern of omnipresent monitoring and recording. They should be free to be children, without needing to second-guess the long-term consequences of every decision. This bill will help children in New York to have that experience again, through two main provisions:
First, this bill will require privacy to be the rule, not the exception. If a digital service knows a user is a minor, or the service is primarily directed to minors, it will default to only being able to use that child's data in ways that are strictly necessary to provide the service. It won't be able to sell that data, or use it in ways that the user (or the user's parents, for children under thirteen) has not affirmatively agreed to.
Second, once information has seeped into the larger ecosystem it can be almost impossible to track down and remove, so this bill will require that digital services that use third-party service providers contractually restrict those third parties from using the personal data of minors except for specified purposes, with accompanying safeguards to ensure compliance.
This bill protects children's privacy without requiring age verification. It does, however, require digital services to respect browser or device signals that a user is a minor, which will help parents and teens browse the internet without restrictions while preserving their privacy.
 
PRIOR LEGISLATIVE HISTORY:
This is a new bill.
 
FISCAL IMPACTS:
This bill has minimal fiscal impacts on the State or localities.
 
EFFECTIVE DATE:
Effective one year after the bill is signed into law.
STATE OF NEW YORK
8149
2023-2024 Regular Sessions
IN ASSEMBLY
October 13, 2023
Introduced by M. of A. ROZIC -- read once and referred to the Committee
on Science and Technology
AN ACT to amend the general business law, in relation to establishing
the New York child data protection act
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general business law is amended by adding a new article 39-FF to read as follows:
ARTICLE 39-FF
NEW YORK CHILD DATA PROTECTION ACT
Section 899-ee. Definitions.
899-ff. Privacy protection by default.
899-gg. Third parties.
899-hh. Ongoing safeguards.
899-ii. Respecting user-provided age flags.
899-jj. Protections for third-party operators.
899-kk. Rulemaking authority.
899-ll. Scope.
899-mm. Remedies.
§ 899-ee. Definitions. For purposes of this article, the following terms shall have the following meanings:
1. "Covered user" shall mean a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York who is:
(a) actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or
(b) a user of a website, online service, online application, mobile application, or connected device primarily directed to minors.
2. "Minor" shall mean a natural person under the age of eighteen.
3. "Operator" shall mean any person:
EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD13150-04-3
A. 8149 2
(a) who operates or provides a website on the internet, online service, online application, mobile application, or connected device; and
(b) who:
(i) collects or maintains, either directly or through another person, personal data from or about the users of such website, service, application, or connected device;
(ii) integrates with another website, service, application, or connected device and directly collects personal data from the users of such website, service, application, or connected device;
(iii) allows another person to collect personal data directly from users of such website, service, application, or connected device; or
(iv) allows users of such website, service, application, or connected device to publicly disclose personal data.
4. "Personal data" shall mean any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person or device.
5. "Process" or "processing" shall mean an operation or set of operations performed on personal data, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data.
6. "Primarily directed to minors" shall mean a website, online service, online application, mobile application, or connected device, or a portion thereof, that is targeted to minors. A website, online service, online application, mobile application, or connected device, or portion thereof, shall not be deemed directed primarily to minors solely because such website, online service, online application, mobile application, or connected device, or portion thereof refers or links to any other website, online service, online application, mobile application, or connected device directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link. A website, online service, online application, mobile application, or connected device, or portion thereof, shall be deemed directed to minors when it has actual knowledge that it is collecting personal data of users directly from users of another website, online service, online application, mobile application, or connected device primarily directed to minors.
7. "Sell" shall mean to share personal data for monetary or other valuable consideration. "Selling" shall not include the sharing of personal data for monetary or other valuable consideration to another person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which that person assumes control of all or part of the operator's assets.
8. "Third party" shall mean any person who is not any of the following:
(a) the operator with whom the user intentionally interacts and who collects personal data from the user as part of the user's current interaction with the operator;
(b) the user whose personal data the operator processes; or
(c) the parent or legal guardian of a user under thirteen years old whose personal data the operator processes.
§ 899-ff. Privacy protection by default. 1. Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a third party to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device unless and to the extent:
(a) the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or
(b) the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section.
2. For the purposes of paragraph (b) of subdivision one of this section, the processing of personal data of a covered user is permissible where it is strictly necessary for the following activities:
(a) providing or maintaining a specific product or service requested by the covered user;
(b) conducting the operator's internal business operations. For purposes of this paragraph, such internal business operations shall not include any activities related to marketing, advertising, or providing products or services to third parties, or prompting covered users to use the website, online service, online application, mobile application, or connected device when it is not in use;
(c) identifying and repairing technical errors that impair existing or intended functionality;
(d) protecting against malicious, fraudulent, or illegal activity;
(e) investigating, establishing, exercising, preparing for, or defending legal claims;
(f) complying with federal, state, or local laws, rules, or regulations;
(g) complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(h) detecting, responding to, or preventing security incidents or threats; or
(i) protecting the vital interests of a natural person.
3. (a) For the purposes of paragraph (b) of subdivision one of this section, to process personal data of a covered user where such processing is not strictly necessary under subdivision two of this section, informed consent must be obtained from the covered user either through a device communication or signal pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article or through a request. Requests for such informed consent shall:
(i) be made separately from any other transaction or part of a transaction;
(ii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing;
(iii) if requesting informed consent for multiple types of processing, allow the covered user to provide or withhold consent separately for each type of processing;
(iv) clearly and conspicuously state that the processing is optional, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and
(v) clearly present an option to refuse to provide consent as the most prominent option.
(b) Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide.
(c) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year.
(d) If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing.
4. Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under subdivision three of this section.
5. Except as provided for in section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a third party to purchase or sell, the personal data of a covered user.
6. Within fourteen days of determining that a user is a covered user, an operator shall:
(a) dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in subdivision two of this section, or informed consent is obtained as set forth in subdivision three of this section; and
(b) notify any third parties to whom it disclosed the personal data, and any third parties it allowed to process the personal data, that the user is a covered user.
§ 899-gg. Third parties. 1. Except as provided for in section eight hundred ninety-nine-jj of this article, no operator shall disclose the personal data of a covered user to a third party, or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the third-party's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties.
2. Except as provided for in section eight hundred ninety-nine-jj of this article, prior to disclosing personal data to a third party, the operator shall inform the third party if such data is the personal data of a covered user.
3. An agreement pursuant to subdivision one of this section shall require that the third party:
(a) process the personal data of covered users only when and to the extent strictly necessary for an activity listed pursuant to subdivision two of section eight hundred ninety-nine-ff of this article, or where informed consent was obtained pursuant to subdivision three of section eight hundred ninety-nine-ff of this article;
(b) delete or return to the operator all personal data of covered users at the end of its provision of services, unless retention of the personal data is required by law;
(c) upon reasonable request of the operator, make available to the operator all data in its possession necessary to demonstrate the third-party's compliance with the obligations in this section;
(d) allow, and cooperate with, reasonable assessments by the operator or the operator's designated assessor for purposes of evaluating compliance with the obligations of this article. Alternatively, the third party may arrange for a qualified and independent assessor to conduct an assessment of the third-party's policies and technical and organizational measures in support of the obligations under this article using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The third party shall provide a report of such assessment to the operator upon request; and
(e) notify the operator a reasonable time in advance before disclosing or transferring the personal data of covered users to any further third parties, which may be in the form of a regularly updated list of further third parties that may access personal data of covered users.
§ 899-hh. Ongoing safeguards. Upon learning that a user is no longer a covered user, an operator may not process the personal data of such person in a manner not previously permitted unless and until it receives informed consent pursuant to subdivision three of section eight hundred ninety-nine-ff of this article.
§ 899-ii. Respecting user-provided age flags. 1. For the purposes of this article, an operator shall treat a user as a covered user if the user's device communicates or signals that the user is or shall be treated as a minor, including through a browser plug-in or privacy setting, device setting, or other mechanism.
2. For the purposes of subdivision three of section eight hundred ninety-nine-ff of this article, an operator shall adhere to any clear and unambiguous communications or signals from a covered user's device, including through a browser plug-in or privacy setting, device setting, or other mechanism, concerning processing that the covered user consents to or declines to consent to. An operator shall not adhere to unclear or ambiguous communications or signals from a covered user's device, and shall instead request informed consent pursuant to the provisions of paragraph a of subdivision three of section eight hundred ninety-nine-ff of this article.
§ 899-jj. Protections for third-party operators. Sections eight hundred ninety-nine-ff and eight hundred ninety-nine-gg of this article shall not apply to an operator processing the personal data of a covered user of another website, online service, online application, mobile application, or connected device, or portion thereof, where the operator received reasonable written representations that the covered user provided informed consent for such processing, or:
1. the operator does not have actual knowledge that the covered user is a minor; and
2. the operator does not have actual knowledge that the other website, online service, online application, mobile application, or connected device, or portion thereof, is primarily directed to minors.
§ 899-kk. Rulemaking authority. The attorney general may promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this article.
§ 899-ll. Scope. 1. This article shall apply to conduct that occurs in whole or in part in the state of New York. For purposes of this article, commercial conduct takes place wholly outside of the state of New York if the business collected such information while the covered user was outside of the state of New York, no part of the use of the covered user's personal data occurred in the state of New York, and no personal data collected while the covered user was in the state of New York is used.
2. Nothing in this article shall be construed to prohibit an operator from storing a covered user's personal data that was collected pursuant to section eight hundred ninety-nine-ff of this article when such covered user is in the state.
3. Nothing in this article shall be construed to impose liability for commercial activities or actions by operators subject to 15 U.S.C. 6501 that is inconsistent with the treatment of such activities or actions under 15 U.S.C. 6502.
§ 899-mm. Remedies. 1. Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data and algorithms trained on such data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
2. Any covered user who has been injured by a violation of section eight hundred ninety-nine-ff of this article, or the parent or legal guardian of a covered minor who has been injured by a violation of section eight hundred ninety-nine-ff of this article, may bring an action to obtain:
(a) Damages of up to five thousand dollars per covered user per incident or actual damages, whichever is greater;
(b) Injunctive or declaratory relief; and/or
(c) Any other relief the court deems proper.
3. Actions pursuant to this section may be brought on a class-wide basis.
4. The court may award reasonable attorneys' fees to a prevailing plaintiff.
5. Prior to bringing any action for violations of this article pursuant to subdivision two of this section, a covered user shall provide the operator thirty days' written notice identifying the specific provisions of this article the covered user alleges have been or are being violated. In the event a cure is possible, if within the thirty days the operator actually cures the noticed violation and provides the covered user an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the operator. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this article in breach of the express written statement provided to the covered user under this section, the covered user may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the article that postdates such written statement.
§ 2. Severability. If any clause, sentence, paragraph, subdivision, section or part of this act shall be adjudged by any court of competent jurisdiction to be invalid, such judgment shall not affect, impair, or invalidate the remainder thereof, but shall be confined in its operation to the clause, sentence, paragraph, subdivision, section or part thereof directly involved in the controversy in which such judgment shall have been rendered. It is hereby declared to be the intent of the legislature that this act would have been enacted even if such invalid provisions had not been included herein.
§ 3. This act shall take effect one year after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.