On August 1, 2024, New York Attorney General (“AG”) Letitia James issued two advanced notices of proposed rulemaking (“ANPRs”) for the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (the “SAFE Act”) and the Child Data Protection Act (the “CDPA”), both of which New York Governor Kathy Hochul signed into law on June 20, 2024. The ANPRs invite interested parties to submit comments on the rules that AG James plans to promulgate for the SAFE Act and the CDPA.
The SAFE Act and the CDPA seek to protect the online safety and privacy of New York residents under the age of eighteen (“minors”) by restricting addictive social media features and businesses’ use of minors’ personal data, respectively. The SAFE Act includes an express legislative intent to address the “dramatic negative effect” that certain “media feeds personalized to each user” have on minors by “causing young users to spend more time on social media than they otherwise would, which has been tied to significantly higher rates of youth depression, anxiety, suicidal ideation, and self-harm.” And the ANPR for the CDPA explains that the New York legislature passed the CDPA to “ensure the privacy and safety of the personal data of New Yorkers under the age of 18.”
Stop Addictive Feeds Exploitation (SAFE) for Kids Act
The SAFE Act applies to an operator of a website, online service or application, or mobile application that provides an “addictive feed” as a significant part of its services. An addictive feed refers to a feature that recommends, selects, or prioritizes user-generated or user-shared media to a user based on data associated with the user or the user’s device. The SAFE Act imposes requirements on covered operators such as to:
- Provide an addictive feed to a user only after using “commercially reasonable and technically feasible methods” to determine the user is not a known minor or obtaining verifiable parental consent (“VPC”) for the addictive feed.
- Obtain VPC before sending notifications about an addictive feed to a known minor between midnight and 6 a.m. ET.
- Maintain the same quality and pricing for any product, service, or feature, other than as necessary to comply with the SAFE Act.
- Ensure parental instructions on how to provide VPC are in at least twelve most commonly spoken languages in New York.
The ANPR for the SAFE Act encourages the public to comment on the following topics:
- Age determination methods, including whether, how, and why businesses currently attempt to determine user ages, and the benefits and risks of age determination methods that are available or likely to be soon available, such as their accuracy, cost, security, privacy, bias, and ease of use.
- Parental consent, including how businesses determine whether an individual is the parent or legal guardian of a user, and how to ensure VPC mechanisms under the SAFE Act are effective, secure, privacy-protective, transparent, understandable, and easy to use.
- Scope of addictive social media platforms, including how to determine whether an addictive feed is a significant part of the services provided by a covered operator’s platform.
- User-selected settings, on whether there are specific user-selected privacy or accessibility settings or technical information for media recommendation, selection, or prioritization that should be expressly exempt from the SAFE Act’s restrictions on addictive feeds.
- Language access for VPC instructions, on what regulations, if any, the AG should promulgate about the requirement to provide VPC instructions in at least twelve of the most commonly spoken languages in New York, and what dialects of languages, if any, in which VPC instructions should be made.
- General comments, on the harms of addictive feeds to minors and safeguards to prevent those harms.
The CDPA applies to an operator of a website, online service or application, mobile application, or connected device (“Online Service”) that controls the purposes and means of processing personal data. The CDPA includes restrictions on covered operators that collect personal data about a user that the operator knows to be a minor or a user of an Online Service that is “primarily directed to minors” (“covered user”). For example, the CDPA prohibits covered operators from:
- Processing a covered user’s personal data unless: (1) for covered users under the age of thirteen, the processing is pursuant to the federal Children’s Online Privacy Protection Act; or (2) for covered users who are at least thirteen years of age but under the age of eighteen, either the processing is strictly necessary for one of the nine enumerated permitted purposes or covered users have provided informed consent for the processing upon covered operators’ request that meets certain requirements or through a communication or signal from their device.
- Purchasing or selling a covered user’s personal data for monetary or other valuable consideration.
- Disclosing a covered user’s personal data to a third party without a written, binding agreement that includes certain processing restriction and data protection provisions.
The ANPR for the CDPA invites the public to comment on the following topics:
- Meaning of “primarily directed to minors,” including how to determine whether an Online Service is primarily directed to minors, how the regulations can ensure an Online Service directed to adults are not deemed “primarily directed to minors” based on overlapping interests of older teens, and surveys of the current research on marketing, development psychology, or other fields that suggests the types of content or experiences that particularly attract minors.
- Scope of personal data, on how the regulations’ definition of personal data should account for anonymized or deidentified data that may be re-linkable to a specific individual.
- Scope of sale, on whether there are examples of personal data disclosures that do not constitute sales of personal data that the regulations should explicitly note.
- Permitted purposes, including how to determine the scope of processing that is strictly necessary for permitted purposes.
- Informed consent, including how to ensure consent mechanisms under the CDPA are informed, effective, understandable, and easy to use, and the standards for acceptable device signals or communications that may constitute informed consent.
- Parental consent, including how businesses currently determine whether an individual is the parent or legal guardian of a user, and how to ensure parental consent mechanisms under the CDPA are effective, secure, privacy-protective, transparent, understandable, and easy to use.
Interested parties may submit comments to ProtectKidsOnline@ag.ny.gov for the SAFE Act and ChildDataProtection@ag.ny.gov for the CDPA until September 30, 2024. Following the comment period for the ANPRs, the AG’s office will begin the formal rulemaking process by publishing the proposed rules and commencing another public comment period that will last for at least 60 days.
The SAFE Act takes effect 180 days after the office of the AG promulgates regulations, and the CDPA takes effect on June 20, 2025. Businesses that violate either law may be subject to maximum civil penalties of $5,000 per violation or actual damages and be required to destroy any unlawfully obtained data and algorithms trained on such data.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments around the SAFE Act, the CDPA, and other laws and regulations involving online safety and privacy of individuals under the age of eighteen. Please contact us if you have any questions.