Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

An Overview of New York Child Data Protection Act

Published August 4, 2025
Author

Aamina Shekha

Associate Data Privacy Analyst at Securiti

I. Introduction

On June 20, 2024, the New York State Legislature passed the New York Child Data Protection Act (NYCDPA). While the NYCDPA adheres to the parental consent requirements of the Children's Online Privacy Protection Act (COPPA) for children under 13 years of age, it lays down the informed consent requirements for minors aged 13 years and above. The NYCDPA took effect on June 20, 2025.

II. Definitions of Key Terms

A. Covered User 

A covered user refers to a user on a website, online service, online application, mobile application, or connected device (or any part of one) in the state of New York, who is either:

  • Actually known by the operator to be a minor; or
  • A user of a website, online service, online application, mobile application, or connected device primarily directed to minors.

B. Minor

A natural person under the age of eighteen

C. Operator

An operator is any person or entity that manages or provides an internet website, online service, online application, mobile application, or connected device, while meeting any of the following criteria:

  • Collects or maintains personal data of a covered user;
  • Integrates with another website, service, or online application and directly collects personal data from covered users;
  • Allows another person to directly collect personal data from a covered user; or
  • Allows covered users to publicly disclose their personal data.

D. Personal Data

Personal data refers to all classes of data that identify or could reasonably be linked, directly or indirectly, with a specific natural person or device.

E. Processing

Processing (or process) encompasses any operation or series of operations performed on personal data. This includes, but is not limited to, the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of personal data.

F. Primarily Directed to Minors

“Primarily directed to minors” means a website, online service, online application, or a connected device, or a portion thereof, which is targeted to minors.

However, the above are not considered primarily directed to minors solely on the basis that they refer or link to any other website or device directed to minors. This criterion is triggered when a service provider knowingly collects personal data directly from users of another website or device that is primarily directed to minors.

G. Sell

To sell means to share personal data for monetary or other valuable consideration.

This definition specifically excludes sharing personal data as an asset within or as a consequence of a merger, acquisition, bankruptcy, or similar transaction where the recipient assumes control of all or part of the operator's assets

H. Third Party 

A third party is any person or entity who is not:

  • The operator with whom the covered user intentionally interacts and who collects personal data as part of the current interaction; or
  • The covered user whose personal data the operator processes; or
  • The parent or legal guardian of a covered user whose personal data the operator processes.

The NYCDPA mandates that the operators may  only process the personal data of covered users on the following basis:

  1. If the covered user is below the age of 13, personal data may be processed in accordance with COPPA.
  2. If the covered user is above the age of 13, processing is permitted only if it is strictly necessary for purposes listed in NYCDPA, or if informed consent from the covered user has been obtained.

Now, it is pertinent to mention what these purposes and activities are for which processing is strictly necessary, and for which the consent of the covered users may not be required. Here is a list:

  • Providing or maintaining a specific product or service requested by the covered user.
  • Conducting the operator's internal business operations, which are defined as the operator's core administrative and functional activities. These activities are explicitly exclusive of marketing, advertising, offering products or services to external parties, or engaging inactive covered users on the website, online service, application, or connected device.
  • Identifying and resolving technical errors that hinder existing or intended functionality.
  • Protecting against malicious, fraudulent, or illegal activity.
  • Investigating, establishing, exercising, preparing for, or defending legal claims.
  • Compliance with the federal,  state,  or local legislative and/or regulatory framework.
  • Fulfilling obligations related to valid requests, investigations, or legal mandates from federal, state, local, or other governmental authorities (e.g., civil inquiries, criminal investigations, subpoenas, or summonses).
  • Identifying and managing security incidents through active response or preventative measures.
  • Safeguarding the vital interests of a natural person.

Now, let’s imagine that the operator is not processing personal data of the covered user for the aforesaid strictly necessary purposes and the covered user is above the age of 13. In this scenario, the operator would need to obtain the informed consent of the covered user. The law prescribes the following methods for how informed consent can be obtained:

The informed consent must be obtained from the covered user via a device communication or signal, or through a direct request made to the covered user. 

a. A Device Communication or Signal 

A device's communication or signal must clearly and unambiguously indicate:

  1. The user is a minor; and
  2. They have either provided or declined to provide informed consent for data processing.

These signals may come from mechanisms like browser plug-ins, privacy settings, or device settings. Furthermore, if the nature of informed consent is not clear or unambiguous, the operator organization must not proceed with the processing of data. Although an operator cannot subsequently request informed consent if a user's device signals a decline, they reserve the right to provide an optional mechanism for the user to provide voluntary consent in the future. 

b. Requests to Covered Users

Organizations may issue requests to their covered users to seek informed consent. However, these requests must adhere to the following requirements:

  • The request must be made separately from any other transaction or part of a transaction.
  • The request must be presented to a covered user without any mechanism that intends to obscure, subvert, or impair a covered user's decision-making capacity regarding authorization for the processing.
  • The request must explicitly emphasise that the purposes of processing for which the consent is requested do not fall under the “strictly necessary” category.
  • The request must clearly state that a decision to decline the request shall not prevent continued use of the website, online service, online application, mobile application,  or connected device.
  • The request must conspicuously present an option to refuse to provide consent as the most prominent option.

c. Decline or Revocation of Consent

  • In instances where a covered user has declined to provide or revoked previously provided informed consent for data processing, the operator cannot re-request that specific consent within the subsequent calendar year.
  • The operator must not discriminate between covered users who have provided informed consent and those who have not, and should thus make the same quality and quantity of services available to all. The only exception is when such processing is strictly necessary to deliver a specific product, service, or feature. In essence, an organization cannot withhold, degrade, lower the quality, or increase the price of any offering solely due to the absence of the required consent

IV. Sale of Personal Data to Third Parties

Operators are strictly prohibited from purchasing or selling a covered user’s personal data, or from enabling a third party to engage in such transactions. This must be emphasized in data processing agreements entered into with third parties.

A. Disposal/Deletion of Personal Data

Operators are obligated to act within 14 days of becoming aware that a user of their services is a covered user. Once such actual knowledge has been obtained, the organisation must:

  • Erase or destroy all personal data associated with the covered user; and
  • Inform all associated third parties to whom the personal data was disclosed or processed of the user’s status as a covered user under the NYCDPA.

B. Notice Requirements

Operators have a duty to inform users when they cease to be “covered users”, thereby clarifying that these users are no longer subject to the specific protections and rights afforded by the NYCDPA.

V. Sharing Personal Data with Third Parties

When it comes to handling personal data—especially data belonging to covered users (like minors)—operators must follow strict rules before sharing it with third parties.

1. Written Agreement Required

Operators cannot share or allow third parties to process the personal data of covered users unless there’s a written and binding agreement in place. This agreement must:

  • Clearly explain the purpose and nature of the third party's data use.
  • Include specific instructions about how the data can be used or further shared.
  • Define the rights and responsibilities of both the operator and the third party.

2. Notification Requirement

Before sharing any personal data with a third party, operators must communicate to the third party that the data belongs to a covered user.

3. Obligations for Third Parties

The agreement must also ensure that the third party does the following:

  • Uses the data only when truly necessary, either for a specific permitted activity or when valid, informed consent has been obtained.
  • Deletes or returns the personal data once they’re done providing their services, unless the law requires them to keep it.
  • Provides access to relevant data if the operator needs it to check compliance.
  • Cooperates with audits or assessments to evaluate their compliance. This can be done either:
    • By allowing the operator (or someone they appoint) to conduct an assessment, or
    • By hiring a qualified, independent assessor to review their data protection practices and provide a report to the operator upon request.
  • Notifies the operator in advance before sharing personal data with any additional third parties. This notice can be given through a regularly updated list of those additional parties.

VI. Regulatory Authority

The Office of the Attorney General of the State of New York is the designated rulemaking authority for the enforcement of the NYCDPA.

VII. Penalties for Non-Compliance

When it appears to the Attorney General that, whether from a complaint or other findings, that any individual or entity, within or outside New York, has engaged in or is expected to engage in activities that are unlawful to the NYCDPA, the Attorney General is empowered to initiate an action or special proceeding in the name and on behalf of the people of the State of New York, to obtain the following:

  • To seek restitution of any money or property obtained directly or indirectly through such a violation.
  • To pursue disgorgement of any profits or gains acquired, directly or indirectly, by the violation, including but not limited to the destruction of unlawfully obtained data and algorithms trained on such data.
  • To obtain damages caused directly or indirectly by the violation.
  • To impose civil penalties of up to $ 5000 for each instance of a violation.
  • To grant any other opportunities for further relief as the court may deem appropriate,  including preliminary relief.

VIII. How Can Organizations Operationalize the NYCDPA

To follow the NYCDPA, organizations may implement the following:

  • Integrate robust age identification mechanisms into their platforms that honor device signals but also ensure that the consent received is clear and unambiguous.
  • Design consent request interfaces that are accessible, ensure clarity in language and presentation, and are easy for minors to navigate. These requests should also be accompanied by prominent refusal options.
  • Establish easily accessible and clear consent revocation mechanisms while making it clear to the covered users that they are entitled to revoke consent at any stage of data processing.
  • Implement systems to prevent the re-requesting of declined or revoked consent within a one-year period

Get a demo or visit securti.ai to get compliant with data privacy laws.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Navigating the Data Minefield: Essential Executive Recommendations for M&A and Divestitures View More
Navigating the Data Minefield: Essential Executive Recommendations for M&A and Divestitures
The U.S. M&A landscape is back in full swing. May witnessed a significant rebound in deal activity, especially for transactions exceeding $100 million, signaling...
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
New York Child Data Protection Act View More
An Overview of New York Child Data Protection Act
Gain insights into the New York Child Data Protection Act (NYCDPA). Discover key definitions, consent requirements, sale and sharing of personal data to third...
What Is HITRUST? Importance, Benefits, Compliance & More View More
What Is HITRUST? Importance, Benefits, Compliance & More
Discover what HITRUST is, what HITRUST CSF Certification entails, the benefits of HITRUST Certification, and how Securiti helps.
View More
Is Your Business Ready for the EU AI Act August 2025 Deadline?
Download the whitepaper to learn where your business is ready for the EU AI Act. Discover who is impacted, prepare for compliance, and learn...
View More
Getting Ready for the EU AI Act: What You Should Know For Effective Compliance
Securiti's whitepaper provides a detailed overview of the three-phased approach to AI Act compliance, making it essential reading for businesses operating with AI.
A 12-Step Roadmap for Secure & Compliant LLMs View More
A 12-Step Roadmap for Secure & Compliant LLMs
Discover a 12-step roadmap to ensure your large language models (LLMs) are secure, compliant, and ready for enterprise deployment. Stay ahead of risks and...
EU AI Act Compliance: What You Need to Know for August 2, 2025 View More
EU AI Act Compliance: What You Need to Know for August 2, 2025
Download the infographic to learn about the EU AI Act compliance requirements before it takes effect on 2 August 2025. Avoid noncompliance penalties.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New