Quick Hits

• The New York Child Data Protection Act adopts the standards of the federal Children’s Online Privacy Protection Act (COPPA) for the collection and processing of personal data of children under the age of thirteen and imposes new requirements regarding the personal data of children aged thirteen to seventeen.
• Among other terms, the guidance clarifies when an online device or service is “primarily directed” to minors and when consent to collect or process a minor’s data is not required because it is “strictly necessary” for a product or service.
• The New York Office of the Attorney General will exercise discretion in pursuing enforcement actions and will take good-faith compliance efforts into account while businesses await further rules.

The NYCDPA is designed to protect the personal data of New Yorkers under the age of eighteen and applies to operators of websites, online services, online applications, mobile applications, or connected devices that are primarily directed to minors. The NYCDPA also applies when the operator actually knows they are processing data from a minor. The OAG’s guidance clarifies several aspects of the law, addresses questions raised by stakeholders, and outlines the OAG’s enforcement approach during the initial compliance period.

For minors under thirteen, NYCDPA compliance aligns with COPPA.

The NYCDPA adopts COPPA as the applicable standard of data processing for covered users who are actually known by the operator to be twelve years of age or younger, or are using an online device or service primarily directed to covered users twelve years of age or younger. This includes COPPA’s general requirement for parental consent to collect, use, share, or sell the personal data of minors, as well as how such consent should be obtained.

“Primarily directed to minors” standard.

A central question for many businesses is whether their online device or service is “primarily directed” to minors. The guidance clarifies that this standard is similar, but not identical, to COPPA’s “directed to children” test. For users under thirteen years of age, the COPPA standard applies. For children ages thirteen to seventeen, the OAG recognizes that many general-interest services may have some minor users without being primarily directed or targeted to them, and the OAG interprets the NYCDPA’s “primarily directed” standard to provide more flexibility to operators regarding these users.

Processing personal data of minors aged thirteen to seventeen may be allowed without consent when “strictly necessary” for one of nine purposes.

Although the NYCDPA generally requires parental consent before an operator may process a user’s data, when the user is between the ages of thirteen and seventeen, processing may be permitted without consent if it is “strictly necessary” for one of the following purposes:

• providing or maintaining a specific product or service requested by the user;
• conducting the operator’s internal business. The guidance emphasizes that, unlike COPPA, this does not include any activities related to marketing, advertising, research and development, or providing products or services to third parties;
• identifying and repairing technical errors;
• protecting against malicious, fraudulent, or illegal activity. The guidance explains that this allows the processing of personal data to protect against fraud, such as frequency capping of advertising;
• investigating, establishing, exercising, preparing for, or defending legal claims;
• complying with federal, state, or local law;
• responding to a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by proper authorities;
• detecting, responding to, or preventing security incidents or threats; or
• protecting the vital interests of a natural person. The guidance clarifies that this exception allows personal data processing associated with an online device or service’s user trust, health, and safety policies without consent.

The OAG will consider the expectations of a reasonable user when determining whether processing data is “strictly necessary.”

Importantly, the guidance introduced a new factor for whether processing is “strictly necessary” to provide or maintain a specific product or service requested by the user: the expectations of a reasonable user. It explains that users of most products or services would reasonably expect the processing of personal data to provide customer support for a product or service to be included, but would not expect operators to track more of their online activities than are necessary for the specific product or service they are using, or to use the collected personal data for purposes outside of the provision of that product or service. The guidance further warns against operators attempting to circumvent the NYCDPA simply by marketing its core service as including tracking personal data merely for behavioral advertising or creating a user profile.

Requirements for schools, educational services, and related third parties.

The guidance clarifies that the NYCDPA does not disrupt the framework in place for personally identifiable information (PII) covered by the New York Education Law, or the federal Family Educational Rights Privacy Act (FERPA), and their respective implementing regulations. It further explains that the NYCDPA applies the same standard as COPPA for when data can be collected and processed pursuant to school authorization for children under thirteen years of age. For children ages thirteen to seventeen, student educational data may be collected and processed pursuant to the requirements set forth under Section 2(d) of the New York Education Law for educational purposes without triggering separate informed consent under the NYCDPA.

Parental requests and minors’ rights.

According to the guidance, the NYCDPA does not disturb existing legal frameworks under which parents may legally agree to or enter into agreements for particular products or services on behalf of their children. In other words, the NYCDPA does not require an operator to obtain the child’s consent before processing data strictly necessary to fulfill the parent’s agreement to the product or service, including any personal data of the child provided by the parent. The guidance further clarifies that where the parent agrees to a product or service on behalf of a child, an operator may consider the parent’s expectations regarding the processing of personal data strictly necessary for permissible purposes.

Conclusion

The NYCDPA represents a significant shift in how businesses must approach the privacy of minors’ data. Businesses that operate online products or services accessible to New York minors may want to consider reviewing their data collection, processing, and consent practices to ensure compliance with this new law.