The New York Attorney General’s office and the UK Information Commissioner’s Office were busy last month when it came to children’s privacy. Both sought input from the public about regulating children’s online privacy, including on social media.
New York
In New York, the AG office released notices of proposed rulemaking for the New York Child Data Protection Act (effective June 20, 2025) and the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (effective 180 days after rulemaking is complete). In the notice, the AG office is seeking comments to rules for these two laws by the end of this month.
The New York Child Data Protection Act places restrictions on businesses that collect personal information from teens and requires “privacy protection by default.” The law includes obligations not only on information collection and use for children under 13, but also for those from 13 to 18. For those under 13, companies must comply with COPPA. The SAFE for Kids Act, on the other hand, governs “addictive social media” patterns on websites and apps for kids under 18.
United Kingdom
Across the pond, the UK ICO has signaled that it will be looking closely at social media platforms’ compliance with its UK Age Appropriate Design Code. The Code outlines for companies how to adhere to UK GDPR when offering digital services to children. Similar to New York, the ICO is also asking for public comments, with a deadline of October 11, 2024. It has asked for input how children’s data is used by recommender systems and developments in the use of age assurance systems to identify children under 13.
By way of background, the Code calls on companies to adopt privacy-friendly default settings when offering services to children. In April of this year the ICO issued a compliance strategy that offered suggestions for these privacy-friendly defaults. This includes not defaulting to geo-tracking or profiling children. As a further development, late this summer, the ICO reviewed account sign-up flows for over 30 platforms and had concerns with many for not adhering to the Code.
Putting it into Practice: We expect to see more developments in children’s privacy through the end of the year, especially in social media space. These two requests for comments are a reminder that regulators expect companies to default to “privacy friendly” settings when interacting with children online.