I. Introduction
On June 20, 2024, the New York State Legislature passed the New York Child Data Protection Act (NYCDPA). While the NYCDPA adheres to the parental consent requirements of the Children's Online Privacy Protection Act (COPPA) for children under 13 years of age, it lays down the informed consent requirements for minors aged 13 years and above. The NYCDPA took effect on June 20, 2025.
II. Definitions of Key Terms
A. Covered User
A covered user refers to a user on a website, online service, online application, mobile application, or connected device (or any part of one) in the state of New York, who is either:
- Actually known by the operator to be a minor; or
- A user of a website, online service, online application, mobile application, or connected device primarily directed to minors.
B. Minor
A minor is a natural person under the age of eighteen.
C. Operator
An operator is any person or entity that manages or provides an internet website, online service, online application, mobile application, or connected device, while meeting any of the following criteria:
- Collects or maintains personal data of a covered user;
- Integrates with another website, service, or online application and directly collects personal data from covered users;
- Allows another person to directly collect personal data from a covered user; or
- Allows covered users to publicly disclose their personal data.
D. Personal Data
Personal data refers to all classes of data that identify or could reasonably be linked, directly or indirectly, with a specific natural person or device.
E. Processing
Processing (or process) encompasses any operation or series of operations performed on personal data. This includes, but is not limited to, the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data.
F. Primarily Directed to Minors
“Primarily directed to minors” means a website, online service, online application, or a connected device, or a portion thereof, which is targeted to minors.
However, a website, online service, online application, or connected device is not considered primarily directed to minors solely because it refers or links to another website or device directed to minors. The criterion is triggered when a service provider knowingly collects personal data directly from users of another website or device that is primarily directed to minors.
G. Sell
To sell means to share personal data for monetary or other valuable consideration.
This definition specifically excludes sharing personal data as an asset within or as a consequence of a merger, acquisition, bankruptcy, or similar transaction where the recipient assumes control of all or part of the operator's assets.
H. Third Party
A third party is any person or entity who is not:
- The operator with whom the covered user intentionally interacts and who collects personal data as part of the current interaction; or
- The covered user whose personal data the operator processes; or
- The parent or legal guardian of a covered user whose personal data the operator processes.
III. Consent Requirements under NYCDPA
The NYCDPA mandates that operators may process the personal data of covered users only on the following bases:
- If the covered user is below the age of 13, personal data may be processed in accordance with COPPA.
- If the covered user is above the age of 13, processing is permitted only if it is strictly necessary for purposes listed in NYCDPA, or if informed consent from the covered user has been obtained.
Strictly Necessary Purposes and Exception for Consent Requirement
Processing is considered strictly necessary, and the consent of the covered user may not be required, for the following purposes and activities:
- Providing or maintaining a specific product or service requested by the covered user.
- Conducting the operator's internal business operations, which are defined as the operator's core administrative and functional activities. These activities explicitly exclude marketing, advertising, offering products or services to external parties, and engaging inactive covered users on the website, online service, application, or connected device.
- Identifying and resolving technical errors that hinder existing or intended functionality.
- Protecting against malicious, fraudulent, or illegal activity.
- Investigating, establishing, exercising, preparing for, or defending legal claims.
- Compliance with the federal, state, or local legislative and/or regulatory framework.
- Fulfilling obligations related to valid requests, investigations, or legal mandates from federal, state, local, or other governmental authorities (e.g., civil inquiries, criminal investigations, subpoenas, or summonses).
- Identifying and managing security incidents through active response or preventative measures.
- Safeguarding the vital interests of a natural person.
Now suppose that the operator is not processing the covered user's personal data for one of the strictly necessary purposes above and that the covered user is above the age of 13. In this scenario, the operator must obtain the informed consent of the covered user. Informed consent must be obtained either via a device communication or signal, or through a direct request made to the covered user.
a. A Device Communication or Signal
A device's communication or signal must clearly and unambiguously indicate:
- The user is a minor; and
- They have either provided or declined to provide informed consent for data processing.
These signals may come from mechanisms like browser plug-ins, privacy settings, or device settings. Furthermore, if the nature of informed consent is not clear or unambiguous, the operator organization must not proceed with the processing of data. Although an operator cannot subsequently request informed consent if a user's device signals a decline, they reserve the right to provide an optional mechanism for the user to provide voluntary consent in the future.
b. Requests to Covered Users
Organizations may issue requests to their covered users to seek informed consent. However, these requests must adhere to the following requirements:
- The request must be made separately from any other transaction or part of a transaction.
- The request must be presented to a covered user without any mechanism that intends to obscure, subvert, or impair a covered user's decision-making capacity regarding authorization for the processing.
- The request must explicitly emphasise that the purposes of processing for which the consent is requested do not fall under the “strictly necessary” category.
- The request must clearly state that a decision to decline the request shall not prevent continued use of the website, online service, online application, mobile application, or connected device.
- The request must conspicuously present an option to refuse to provide consent as the most prominent option.
c. Decline or Revocation of Consent
- In instances where a covered user has declined to provide or revoked previously provided informed consent for data processing, the operator cannot re-request that specific consent within the subsequent calendar year.
- The operator must not discriminate between covered users who have provided informed consent and those who have not, and should thus make the same quality and quantity of services available to all. The only exception is when such processing is strictly necessary to deliver a specific product, service, or feature. In essence, an organization cannot withhold, degrade, lower the quality of, or increase the price of any offering solely due to the absence of the required consent.
IV. Sale of Personal Data to Third Parties
Operators are strictly prohibited from purchasing or selling a covered user’s personal data, or from enabling a third party to engage in such transactions. This must be emphasized in data processing agreements entered into with third parties.
A. Disposal/Deletion of Personal Data
Operators are obligated to act within 14 days of becoming aware that a user of their services is a covered user. Once such actual knowledge has been obtained, the organisation must:
- Erase or destroy all personal data associated with the covered user; and
- Inform all associated third parties to whom the personal data was disclosed or processed of the user’s status as a covered user under the NYCDPA.
B. Notice Requirements
Operators have a duty to inform users when they cease to be “covered users”, thereby clarifying that these users are no longer subject to the specific protections and rights afforded by the NYCDPA.
V. Sharing Personal Data with Third Parties
When it comes to handling personal data—especially data belonging to covered users (like minors)—operators must follow strict rules before sharing it with third parties.
1. Written Agreement Required
Operators cannot share or allow third parties to process the personal data of covered users unless there’s a written and binding agreement in place. This agreement must:
- Clearly explain the purpose and nature of the third party's data use.
- Include specific instructions about how the data can be used or further shared.
- Define the rights and responsibilities of both the operator and the third party.
2. Notification Requirement
Before sharing any personal data with a third party, operators must communicate to the third party that the data belongs to a covered user.
3. Obligations for Third Parties
The agreement must also ensure that the third party does the following:
- Uses the data only when truly necessary, either for a specific permitted activity or when valid, informed consent has been obtained.
- Deletes or returns the personal data once they’re done providing their services, unless the law requires them to keep it.
- Provides access to relevant data if the operator needs it to check compliance.
- Cooperates with audits or assessments to evaluate their compliance. This can be done either:
  - By allowing the operator (or someone they appoint) to conduct an assessment; or
  - By hiring a qualified, independent assessor to review their data protection practices and provide a report to the operator upon request.
- Notifies the operator in advance before sharing personal data with any additional third parties. This notice can be given through a regularly updated list of those additional parties.
VI. Regulatory Authority
The Office of the Attorney General of the State of New York is the designated rulemaking authority for the enforcement of the NYCDPA.
VII. Penalties for Non-Compliance
When it appears to the Attorney General, whether from a complaint or other findings, that any individual or entity, within or outside New York, has engaged in or is expected to engage in activities that are unlawful under the NYCDPA, the Attorney General is empowered to initiate an action or special proceeding in the name and on behalf of the people of the State of New York to obtain the following:
- Restitution of any money or property obtained directly or indirectly through such a violation.
- Disgorgement of any profits or gains acquired, directly or indirectly, by the violation, including but not limited to the destruction of unlawfully obtained data and algorithms trained on such data.
- Damages caused directly or indirectly by the violation.
- Civil penalties of up to $5000 for each instance of a violation.
- Any other further relief that the court may deem appropriate, including preliminary relief.
VIII. How Can Organizations Operationalize the NYCDPA
To follow the NYCDPA, organizations may implement the following:
- Integrate robust age identification mechanisms into their platforms that honor device signals but also ensure that the consent received is clear and unambiguous.
- Design consent request interfaces that are accessible, ensure clarity in language and presentation, and are easy for minors to navigate. These requests should also be accompanied by prominent refusal options.
- Establish easily accessible and clear consent revocation mechanisms while making it clear to the covered users that they are entitled to revoke consent at any stage of data processing.
- Implement systems to prevent the re-requesting of declined or revoked consent within a one-year period.