RCBJ-Audible (Listen For Free)
|
New York State Is Directing Its Attention To The Best Legislative And Regulatory Action Items To Keep Kids Safe Online
By David Carlucci
In response to increasing concerns about data collection, youth mental health, and kids’ privacy, New York State is directing its attention to the best legislative and regulatory action items to keep kids safe online. Just this summer, Governor Hochul signed two different laws, the New York Child Data Protection Act and the SAFE for Kids Act, both with general data collection guidelines for underage users. Last month, the Office of the Attorney General released two Advanced Notices of Proposed Rulemaking, providing stakeholders until September 30, 2024, to inform the State on ways to perfect these laws before they become effective in 2025.
While these two laws share the common goal of protecting minors online, they each provide unique strategies, laying the groundwork for the state’s comprehensive efforts in this area.
The NY Child Data Protection Act (S.7695B/A8149A) safeguards children against online services collecting or using their data. Data collection makes all Internet users, especially children, susceptible to unknowingly sharing personal information, including their location, preferences, and purchasing habits. Many websites sell this data to other companies, making children more vulnerable to personalized advertising and other practices.
The CDPA reduces these risks by limiting a website host’s use of a child’s data. The law places a “privacy protection by default” rule, meaning that all digital services that know a user is a minor or provide a service primarily directed to minors may only use collected data for their service. This means that website hosts cannot collect and then sell a child’s data to an advertising company.
Websites may internally process a minor’s data if they receive informed consent. Informed consent must be clearly stated and made separately from any and all transactions. It must also clearly allow users to refuse to provide consent without preventing continued website use. That said, informed consent does not allow website operators to purchase or sell a minor’s personal data.
The second law, the SAFE for Kids Act (S.7694A/A.8148A) – “SAFE,” meaning Stop Addictive Feeds Exploitation for Kids – addresses a primary Internet safety concern from a behavioral perspective. The detrimental effects of social media on a child’s mental and physical health are well-documented, making this an urgent issue for parents across the State. A critical factor in this global concern is the addictive algorithms that produce a user’s social media feed. Major social media companies have carefully constructed machine learning algorithms that process users’ likes and dislikes, how long they spend on different posts, and, most importantly, what will keep them scrolling through their feeds.
The SAFE for Kids Act prohibits the implementation of addictive fees for users under the age of eighteen unless given verifiable consent from a parent. Similarly, the SAFE for Kids Act makes it unlawful for social media platforms to send kids notifications between 12 AM and 6 AM unless, again, the platform receives consent from a parent.
Despite these provisions, the law still requires platforms to uphold algorithms and procedures that protect children from lewd, lascivious, excessively violent, or otherwise objectionable content. Additionally, operators may not lower the quality or increase the price of any aspect of their platform if a child does not receive consent for an addictive feed.
Both laws will not be effective until 2025. However, in August, the Office of the Attorney General released Advanced Notices of Proposed Rulemaking (ANPR) for both acts to collect feedback before the formal rulemaking process. ANPRs are not required for the NYS rulemaking process but allow offices to gather stakeholders’ input, including parents, before proposing any rules.
The ANPR for the CDPA seeks feedback from parents, website operators, industry experts, researchers, and other stakeholders on the finer details of the law. The Attorney General asks website hosts how they have actual data that a given user is a minor or that their website is primarily directed to minors. Currently, the Office of the Attorney General plans to follow regulations under the federal Children’s Online Privacy Protection Act that identify several characteristics of a website “directed to children,” such as the subject matter, visual content, activities, and language. The Attorney General asked participants which traits under the COPPA regulations should be considered in New York and what else could support the CDPA’s success.
Similarly, the Attorney General asks participants to provide clarity on various scenarios that may conflict with the efficiency of the CDPA. The ANPR considers anonymized and deidentified data that can be linked to minor, potentially permissible processing scenarios and scenarios where sharing information may not equal selling data per the CDPA. Last, the ANPR tackles issues around informed consent for teenagers and how to adequately obtain consent from parents.
The second ANPR, focused on the SAFE for Kids Act, seeks more technical information on age verification and addictive feeds. The Office of the Attorney General asks participants to advise on different age verification methods while maintaining and securing all users’ safety, security, and privacy. The Office seeks to ensure users are actively informed about the age verification process, how that data is used, and where that information goes following verification.
The Office asks technological experts about the factors contributing to a user’s social media feed, namely the amount of time they spend on specific content and liking posts. Similarly, the Office seeks advice from the industry on how to address platforms that properly or slightly use addictive feeds. The questionnaire ends with general questions on the most credible information concerning the harms of addictive feeds and preserving existing safeguards for minors online.
All New York stakeholders have until September 30th to contribute to the Advanced Notices of Proposed Rulemaking. For a deeper look into the CDPA and the SAFE for Kids Act, check out the Attorney General’s website and read each question. All feedback will be accepted in writing to ProtectNYKidsOnline@ag.ny.gov for the SAFE for Kids Act and ChildDataProtection@ag.ny.gov for the Child Data Protection Act.