New York may pass the Children’s Privacy and Data Protection Act


On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the New York Children’s Privacy and Data Protection Act. The bill, which resembles California’s recently passed Age-Responsible Design Act, bans certain data collection and targeted advertising and requires data controllers to evaluate the impact of their products on children, among other obligations.

The bill imposes obligations and restrictions related to the processing of “personal data,” which generally includes “information that identifies, relates to, describes, or is reasonably associated with a specific child user.” A “child user” is defined as a consumer under the age of 18 who accesses an online product using a device. It is noteworthy that the bill will not exclude pseudonymous data from its requirements. The main requirements of the draft law include the following:

  • Organizations that offer an online product targeting child users in New York (“Covered Entities”) will be required to complete and submit to the New York Bureau of Internet and Technology (“Bureau”) a Data Protection Impact Assessment before the product may be made available to the public. Following initial approval for an online product, covered entities will be required to submit a data impact assessment to the Bureau annually.

  • Affected organizations will be prohibited from:

    • collection, storage, processing or sale of personal data of child users, unless (1) the collection, storage, processing or sale is necessary to provide the online product, and the collection, processing, storage or sale is limited to that purpose; or (2) the covered entity can demonstrate to the Bureau that it has compelling reasons for the collection, processing, storage, or sale that are in the best interests of the child.

    • collection, storage, processing or sale of personal data of child users, if the online product is intended primarily for educational purposes.

  • Covered organizations must use “privacy by default,” meaning that they design an online product to apply the strictest online privacy settings without any manual input from the user and retain the child user’s personal data for as long as necessary to provide the product to the user.

  • Covered organizations will be required to develop and activate a feature that proactively warns child users, in a manner understandable to a child of the age range targeted by the online product, when their personal data is collected and for how long it is collected.

  • Covered organizations will be required to prominently post privacy policies and terms of service that clearly and succinctly convey warnings of potential harm to child users, using language that is understandable to a person in the age range at which the product is targeted. In addition, both the parent and child user must agree to the Covered Entities’ privacy policy and terms of service.

Under the bill, the Bureau could also prohibit autoplay, push notifications, prompts, in-app purchases, or any other feature in an online product targeted at child users that the Bureau believes is “designed to inappropriately enhance the level of engagement a child has with such a product”. The New York attorney general would be empowered to enforce the bill and would be required to give businesses a 90-day correction period before filing an enforcement action. Companies that knowingly or recklessly violate the bill could be subject to civil penalties of up to $20,000 per violation, capped at $250 million.

Copyright © 2022, Hunton Andrews Kurth LLP. All rights reserved. National Law Review, Volume XII, Number 298

