STATE OF NEW YORK
        ________________________________________________________________________

                                          3281

                               2023-2024 Regular Sessions

                    IN SENATE

                                    January 30, 2023
                                       ___________

        Introduced  by  Sens.  GOUNARDES,  ADDABBO,  GIANARIS,  KRUEGER,  MAYER,
          SEPULVEDA -- read twice and ordered printed, and when  printed  to  be
          committed to the Committee on Internet and Technology

        AN  ACT  to  amend the general business law, in relation to enacting the
          New York child data privacy and protection act

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section  1.  This act shall be known and may be cited as the "New York
     2  child data privacy and protection act".
     3    § 2. Legislative intent.   The legislature hereby finds  that  95%  of
     4  individuals under the age of 18 in the United States enjoy access to the
     5  Internet in their residences.
     6    The  legislature  further  finds  that  American teenagers spend seven
     7  hours and 22 minutes on average per day browsing social media, and  that
     8  53%  of  children  will own a smartphone by the time they're 11 years of
     9  age.
    10    The legislature recognizes that, while  broadband  access  is  a  core
    11  component  of  modern  life  and critical to the ability of children and
    12  young people to feel socially,  emotionally,  economically,  and  educa-
    13  tionally connected to the world around them, it is not without its risks
    14  and detriments.
    15    The  legislature  finds, for example, that teenagers who spend between
    16  five to seven hours a day on the Internet are twice as likely to  suffer
    17  from depression compared to those logged in for one hour a day.
    18    The  legislature  further  finds  that,  according  to  recent surveys
    19  conducted by a prominent social media platform, 34% of young adults feel
    20  uneasy when they are not online, 40.6% complain that their sleep  habits
    21  have  been  negatively  affected  by  social media, and 35% report being
    22  cyberbullied on the Internet.
    23    The legislature  further  finds  that,  according  to  the  2021  U.S.
    24  Surgeon  General  Advisory  on  Protecting  Youth Mental Health, digital

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD06552-01-3
        S. 3281                             2

     1  public spaces are frequently designed to  maximize  user  engagement  as
     2  opposed  to  safeguarding  user  health,  leading to negative impacts of
     3  digital technologies and social media on the mental health and  well-be-
     4  ing of adolescents.
     5    The  legislature  further  finds that the pitfalls of the Internet are
     6  not limited to teenagers, with young  children  potentially  exposed  to
     7  unsettling, dangerous, or age inappropriate content if not closely moni-
     8  tored by an adult.
     9    The legislature further finds that young children run a higher risk of
    10  coming   into  contact  with  strangers  online,  inadvertently  sharing
    11  personal information online, inadvertently making  in-app  purchases  or
    12  signing  contracts,  terms,  or  conditions online, becoming subject to,
    13  witnessing, or participating in potentially harmful conduct  online,  or
    14  purchasing  drugs and other dangerous products advertised online or sold
    15  through online platforms.
    16    The legislature recognizes the role of lawmakers to guard against  and
    17  mitigate these risks for children under the age of 18 wherever possible.
    18    The  legislature  finds that, while Congress passed the landmark Chil-
    19  dren's Online Privacy  Protection  Act  (COPPA)  in  1998  limiting  the
    20  collection, use, and disclosure of data collected from children under 13
    21  years  of  age,  requiring  operators  to retain such data for a limited
    22  amount of time, and restricting certain marketing to children  under  13
    23  years  of age, multiple studies have found the vast majority of applica-
    24  tion developers to be out of compliance with these rules.
    25    The legislature further finds that recent studies show at  least  two-
    26  thirds  of applications transmit data about very young children to third
    27  party marketing companies.
    28    The legislature further finds that President Biden  recently  declared
    29  the need to "strengthen privacy protections, ban targeted advertising to
    30  children,  [and]  demand tech companies stop collecting personal data on
    31  our children" in his 2022 State of the Union Address.
    32    The legislature further finds that, subsequent to  this  address,  the
    33  Federal  Trade Commission announced that it will prioritize the enforce-
    34  ment and modernization of COPPA to "crack down on companies  that  ille-
    35  gally surveil children online".
    36    The  legislature  further finds that there has been a flurry of recent
    37  legislative activity at the state, federal, and international levels  to
    38  address this issue, including the California Age-Appropriate Design Code
    39  Act,  the  Virginia's Consumer Data Protection Act, the Colorado Privacy
    40  Act, the Connecticut Data Privacy Act, the Utah  Consumer  Privacy  Act,
    41  several  federal proposals to strengthen and improve COPPA, and the UK's
    42  Age Appropriate Design Code.
    43    The legislature hereby concludes that the state of New York too has  a
    44  role to play in better preventing the exploitation of children's data in
    45  the  modern  era,  and thus presents the New York Child Data Privacy and
    46  Protection Act.
    47    § 3. The article heading of article 39-F of the general business  law,
    48  as  amended  by  chapter  117 of the laws of 2019, is amended to read as
    49  follows:
    50              NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE
    51       INFORMATION; DATA SECURITY PROTECTIONS; CHILD DATA PRIVACY AND
    52                               PROTECTION ACT
    53    § 4. The general business law is amended by adding a new section  899-
    54  cc to read as follows:
    55    §  899-cc.  New  York  child data privacy and protection act. 1. Defi-
    56  nitions.
        S. 3281                             3

     1    (a) "Bureau" shall mean the bureau of internet and technology  in  the
     2  office of the New York attorney general.
     3    (b)  "Child"  or  "children"  shall mean a consumer or consumers under
     4  eighteen years of age.
     5    (c) "Child user" shall mean a child accessing an online product with a
     6  device.
     7    (d) "Data breach" shall mean a breach of security leading to the acci-
     8  dental or unlawful destruction, loss, alteration,  unauthorized  disclo-
     9  sure of, or access to, personal data of child users transmitted, stored,
    10  or otherwise processed.
    11    (e)  "Data  controller"  or "controller" shall mean a natural or legal
    12  person which, alone or jointly with others, determines the purposes  and
    13  means  of processing of the personal data of child users. This includes,
    14  but is not limited to, any business, website, or platform that  collects
    15  data  while  selling electronic advertising space on its platform tailed
    16  to any one or any aggregation of the items of personal data  defined  in
    17  this section. No data controller is exempt from the requirements of this
    18  article  if  they are processing pseudonymized data, whereby "pseudonym-
    19  ized" or "pseudonymization" means the processing of personal data  in  a
    20  manner  that  renders  the  personal  data  no  longer attributable to a
    21  specific child user without the use of additional information,  provided
    22  that  the  additional  information  is kept separately and is subject to
    23  technical and organizational measures to ensure that the  personal  data
    24  is not attributed to an identified or identifiable child user.
    25    (f)  "Data protection impact assessment" shall mean an internal evalu-
    26  ation which the bureau requires entities to carry out in order to evalu-
    27  ate  the  level  of  risk  associated  with  such  entity's  collection,
    28  retention, processing, or sale of child user data.
    29    (g)  "Online  product" shall mean an online service, feature, or plat-
    30  form that is accessible to users with a digital device.
    31    (h) "Personal data" or  "personal  data  identifier"  shall  mean  any
    32  computerized  information about a child user set forth in this paragraph
    33  that is not made publicly available  through  federal,  state  or  local
    34  government agencies or any publicly available information, regardless of
    35  whether it is collected for the purpose of selling or transferring it to
    36  another  entity.  Personal  data shall mean information that identifies,
    37  relates to, describes or is reasonably  linked  to  a  particular  child
    38  user, including but not limited to:
    39    (i) physical address;
    40    (ii) legal name;
    41    (iii) alias;
    42    (iv) unique personal identifier;
    43    (v) online identifier;
    44    (vi) internet protocol address;
    45    (vii) e-mail address;
    46    (viii) account name;
    47    (ix) social security number;
    48    (x) place of birth;
    49    (xi) date of birth;
    50    (xii) phone number;
    51    (xiii) audio, visual, thermal, or olfactory data;
    52    (xiv) medical history, records of past medical treatment, or any diag-
    53  nosis of a physical or mental health condition or disability;
    54    (xv)  educational  information  that is not already publicly available
    55  through a local, state, or federal agency;
    56    (xvi) real time geolocation data or stored geolocation history;
        S. 3281                             4

     1    (xvii) any unique biometric data, body measurement, technical analysis
     2  or measurements collected for the purpose of allowing a  child  user  to
     3  authenticate  him  or herself on a device, internet application, or web-
     4  based platform;
     5    (xviii)  names and identifying information of a child user's immediate
     6  family;
     7    (xix) internet or any other  electronic  network  activity,  including
     8  browsing  history,  search  history,  and  information regarding a child
     9  user's activity on a website or interaction with  an  electronic  adver-
    10  tisement;
    11    (xx)  any  other  information  that alone, or combined with any of the
    12  information described in this paragraph, could  be  reasonably  used  to
    13  identify an individual child user; and
    14    (xxi)  any inferences drawn from any of the combined forms of personal
    15  data that are used to create a profile of the child user reflecting  the
    16  child's  preferences,  choices,  characteristics,  psychological trends,
    17  intelligence, aptitude, and emotional or physical health or behavior.
    18    "Personal data" shall also include any information which creates prob-
    19  abilistic identifiers that can be used  to  isolate,  individualize,  or
    20  identify  a  child user or device to a degree of certainty more probable
    21  than not based on any item of personal data defined in this paragraph.
    22    (i) "Privacy by default" shall mean  that  the  online  product,  once
    23  released  to  the  public,  is  predesigned so that the strictest online
    24  privacy settings shall apply without any manual input required from  the
    25  user. In addition, "privacy by default" shall mean that the online prod-
    26  uct  shall  only  retain  personal data provided by a child user for the
    27  duration of time necessary to provide such product to such user.
    28    (j) "Process", "processing" or "processor" shall refer to an operation
    29  or set of operations performed on personal  data  or  sets  of  personal
    30  data, whether or not by automated means, on behalf of a data controller.
    31    (k)  "Sale" or "sold" shall mean the disclosure, dissemination, making
    32  available, release, transfer,  conveyance,  license,  rental,  or  other
    33  commercialization  of  child  user  data by a data controller to another
    34  party, whether commercialization occurs via access to raw  data  or  via
    35  use  of platform interface.  This definition shall include dissemination
    36  of child user data, orally, in writing, or by electronic or other means,
    37  for monetary or other valuable consideration, or otherwise for a commer-
    38  cial purpose, by a data controller to another party.
    39    (l) "Targeted digital advertising" shall mean an effort to  market  an
    40  online product that is directed at a specific child user or device based
    41  on:  the  personal  data  of such child user, a group of child users who
    42  share personal data identifiers as such term is defined in paragraph (h)
    43  of this subdivision, psychological profiling, or a unique identifier  of
    44  the  device;  or as a result of such child user or group of child user's
    45  use of such online product or any other online product.
    46    (m) "Targeted towards child users" shall mean that the online  product
    47  should know that its product is accessible to and used by children.  The
    48  bureau  may  consider  such  factors  as  the  online product's internal
    49  research about such product's users, existing evidence of user behavior,
    50  whether advertisements featured on the online product, including  third-
    51  party  advertisements,  are likely to appeal to children, the content of
    52  complaints received, as detailed in subparagraph (xiv) of paragraph  (a)
    53  of  subdivision  two  of  this  section, about the product from parents,
    54  children, or other individuals that indicate the age of users  accessing
    55  the  online  product, content and design features of the product such as
    56  animation, musical or audio content, the presence of children or  influ-
        S. 3281                             5

     1  encers  popular  with  children,  how  the  online product describes and
     2  promotes itself, and any other characteristic the bureau deems  relevant
     3  when determining how an online product should know that it is accessible
     4  to and used by children.
     5    2.  Data  protection  impact  assessments. (a) Each entity offering an
     6  online product that is targeted towards child users in this state  shall
     7  complete a data protection impact assessment. The data protection impact
     8  assessment shall include an analysis of the following:
     9    (i)  The  ways in which child users primarily interact with or consume
    10  the online product;
    11    (ii) The amount of time, on average, that a child  user  spends  using
    12  the  online  product  and whether the product includes any features that
    13  are designed to extend or increase such amount of time;
    14    (iii) The amount and type of data of child users collected,  retained,
    15  processed, and/or sold;
    16    (iv)  The purpose of the collection, retention, processing, or sale of
    17  such data;
    18    (v) If the entity is a data controller, the data sharing relationships
    19  the entity has with data processors or other third parties with whom  it
    20  shares the personal data of child users, including any data addendums or
    21  other  legal  policies  put  into place between the entity and the party
    22  receiving the data;
    23    (vi) Data security protections of the online  product  which  work  to
    24  prevent  and  respond to data breaches, as defined in subdivision one of
    25  this section;
    26    (vii) Any privacy policies, terms of service, or other legal  policies
    27  published  on the online product which relate to child users and whether
    28  they are written in a way that can reasonably be understood by  a  child
    29  user;
    30    (viii)  Whether  such policies or terms of service require approval of
    31  the parent or legal guardian of the child user;
    32    (ix) Community standards for published content on the online  product,
    33  and  whether  and  how  the  product removes content which violates such
    34  standards;
    35    (x) Whether such online product exposes children to potentially  harm-
    36  ful content;
    37    (xi)  Whether  the  use  of such online product could lead to children
    38  being targeted by a potentially harmful contact;
    39    (xii) Whether the online product could allow child users  to  witness,
    40  participate in, or be subject to potentially harmful conduct;
    41    (xiii)  Whether  the  online  product  shares information on the child
    42  user's activity on such product with such child's legal parent or guard-
    43  ian;
    44    (xiv) Opportunities  for  individuals  developing  an  online  product
    45  targeted  towards  child  users  to  voice  concerns  about such product
    46  before, during,  and  after  development  without  fear  of  retaliation
    47  against such individual;
    48    (xv)  Ways  in  which  an  entity  offering an online product targeted
    49  towards child users solicits feedback from children, parents, educators,
    50  health professionals, youth development professionals, and  the  general
    51  public on the online product;
    52    (xvi)  Whether and how child users can limit exposure to certain types
    53  of content;
    54    (xvii) The impact of the online product on a child user's  behavioral,
    55  emotional, and physical health; and
        S. 3281                             6

     1    (xviii)  Any  other  factors  the  bureau deems relevant to assess the
     2  material risk of the online product posed to child users.
     3    (b)  Each  entity  completing  such  data protection impact assessment
     4  shall furnish such assessment to the bureau of internet  and  technology
     5  within five days of receiving a request from the bureau for such assess-
     6  ment.   Any potential risks posed by the online product, including risks
     7  of noncompliance with any provision of this section or  any  other  law,
     8  which  are  identified by the bureau shall be communicated by the bureau
     9  back to the entity, which shall then create a plan to mitigate or elimi-
    10  nate such risk.
    11    (c) The bureau shall provide technical, operational, and legal assist-
    12  ance to entities completing a data protection impact assessment upon the
    13  request of the entity. The bureau  shall  post  guidelines  for  how  to
    14  complete  a  data protection impact assessment, including best practices
    15  for how to describe data processing, how  to  ensure  data  quality  and
    16  minimization,  how to provide privacy information to child users, how to
    17  identify and assess risks to child users, how to  identify  measures  to
    18  mitigate  such  risks, and any other practices the bureau deems relevant
    19  in its guidance.  The bureau shall post such guidelines,  along  with  a
    20  model data protection impact assessment template, on a publicly accessi-
    21  ble website.
    22    3.  Ban  on  data  collection  and  digital advertising. (a) No entity
    23  offering an online product targeted towards child users  in  this  state
    24  shall  collect, retain, process, or sell the personal data of such users
    25  unless such collection, retention, processing, or sale is  necessary  to
    26  provide  such  online  product  or to comply with the provisions of this
    27  section and such collection, processing, retention, or sale  is  limited
    28  to such purpose. Alternatively, an entity offering an online product may
    29  collect,  retain,  process, or sell the personal data of a child user if
    30  it can demonstrate to the bureau that it has a compelling reason  to  do
    31  so which furthers the interest of the child.
    32    (b)  No entity offering an online product targeted towards child users
    33  in this state shall use targeted digital advertising unless consent  for
    34  such  advertising  is obtained from the child's parent or legal guardian
    35  and the entity can demonstrate to the bureau that it  has  a  compelling
    36  reason  to  offer  such  advertising  which furthers the interest of the
    37  child.
    38    (c) No entity offering an online product targeted towards child  users
    39  in  this  state where such product is intended primarily for educational
    40  purposes shall collect, retain, process, or sell the  personal  data  of
    41  child users.
    42    4.  Requirement  for  certain  settings.  (a) All entities offering an
    43  online product targeted towards child users in this state shall  utilize
    44  privacy  by  default,  unless  the  entity  can demonstrate a compelling
    45  reason to the bureau that an alternative default setting should be used.
    46    (b) All entities offering an online  product  targeted  towards  child
    47  users  must design and activate a feature which proactively alerts child
    48  users, in a manner likely to be understood by a child in the  age  range
    49  targeted  by  the  online  product,  when  their  personal data is being
    50  collected and for the duration of time such collection occurs.
    51    (c) The bureau shall  have  the  discretion  to  ban  auto-play,  push
    52  notifications,  prompts,  in-app  purchases,  or any other feature in an
    53  online product targeted towards child users that it deems to be designed
    54  to inappropriately amplify the level of engagement a child user has with
    55  such product.
        S. 3281                             7

     1    5. Deceased child users.  All  entities  offering  an  online  product
     2  targeted  towards child users in this state shall provide access to such
     3  user's account, metadata, and user history to a parent or legal guardian
     4  upon the death of such child user and request from such parent or guard-
     5  ian for such access.
     6    6.  Law  enforcement. All entities offering an online product targeted
     7  towards child users in this state shall expedite  and  prioritize  civil
     8  and  criminal  subpoenas and criminal warrants pertaining to child users
     9  who have been a victim of a crime with maximum exigence.
    10    7. Terms of service. (a) Any entity offering an online product target-
    11  ed towards child users in this state shall prominently display a privacy
    12  policy and terms of service, to include warnings about  potential  harms
    13  to  child users, in a manner which clearly and concisely communicates to
    14  a child user, using language likely to be understood by an individual in
    15  the age range targeted by such product.
    16    (b) All privacy policies and terms of service  of  an  online  product
    17  targeted towards child users in this state must be agreed to by both the
    18  child  user  and  the parent or legal guardian of such child before such
    19  product can become operational for the child user.
    20    (c) Any entity offering an online product targeted towards child users
    21  in this state shall clearly post that the terms of service do not impose
    22  binding obligations on the child user to the entity.
    23    8. Notification of emergent problems. Any entity  offering  an  online
    24  product targeted toward child users in this state shall create and prom-
    25  inently  display  a method for children, parents, and legal guardians to
    26  notify such entity of emergent problems with such product.  Such  method
    27  of notification shall not require the parent, guardian, or child user to
    28  have an account on such product in order to notify the entity. All elec-
    29  tronic  notifications of emergent problems described in this subdivision
    30  shall be assigned an identification number and contemporaneously  gener-
    31  ate an electronic receipt for the notifying individual.
    32    9.  Public  awareness  campaign.  Before  the  effective  date of this
    33  section and on a regular, ongoing basis,  the  bureau  shall  execute  a
    34  public  awareness  campaign  to  inform  entities  that  create  digital
    35  products targeted towards child users, parents, teachers, and the gener-
    36  al public of the provisions of this section in order to  ensure  maximum
    37  compliance  thereof.  Such  campaign  may include digital content, bill-
    38  boards, posters, pamphlets, targeted mailers, public  service  announce-
    39  ments,  partnerships with local school districts, or any other method to
    40  increase general awareness of the provisions of this section.
    41    10. Annual report. The bureau of internet and technology shall produce
    42  and transmit a biennial report to the temporary president of the senate,
    43  the speaker of the assembly, and the governor summarizing:
    44    (a) the number of entities completing data protection  impact  assess-
    45  ments and the results thereof;
    46    (b)  the amount and type of child user data being collected, retained,
    47  processed, and/or sold by such entities and the purpose thereof;
    48    (c) the volume and nature of material risks posed to  child  users  by
    49  such  online  products  and measures taken to mitigate or eliminate such
    50  risk;
    51    (d) the volume of notifications of emergent problems and a categorical
    52  description of each type of problem (i.e. material  that  led  to  child
    53  sexual  abuse or grooming, instances of suicide or drug overdose related
    54  to use of online products by child users, instances of bullying  facili-
    55  tated by online products);
        S. 3281                             8

     1    (e) a description of the policies and terms of service being presented
     2  to  child  users and their parents or legal guardians as well as accept-
     3  ance and denial rates of such policies and terms;
     4    (f)  the number of individuals or businesses found to be in noncompli-
     5  ance with this act pursuant to subdivision eleven of this section;
     6    (g) the number of individuals or businesses that have cured violations
     7  of this section of their own accord after being issued  notice  of  such
     8  violation by the bureau;
     9    (h)  the  number  of actions brought against individuals or businesses
    10  pursuant to paragraph (a) of subdivision eleven of this section and  the
    11  results of such actions;
    12    (i) a summary of the public education efforts undertaken by the bureau
    13  on  an  ongoing basis to alert the public and interested stakeholders of
    14  the provisions of this section, pursuant to  subdivision  nine  of  this
    15  section; and
    16    (j)  legislative recommendations for improvements to this or any other
    17  statute governing digital actors in this state.
    18    11. Penalties. (a) Whenever the attorney general  shall  believe  from
    19  evidence  satisfactory  to  him or her that there is a violation of this
    20  section, he or she may bring an action in the name and on behalf of  the
    21  people  of the state of New York, in a court of justice having jurisdic-
    22  tion to issue an injunction, to enjoin and restrain the continuation  of
    23  such violation. Wherever the court shall determine in such action that a
    24  person  or  business  violated this article knowingly or recklessly, the
    25  court may impose a civil penalty of up to twenty  thousand  dollars  per
    26  instance  of violation, provided that the latter amount shall not exceed
    27  two hundred fifty million dollars.
    28    (b) The attorney general shall provide written notice to all people or
    29  businesses of alleged violations at least ninety days before  initiating
    30  any action described in paragraph (a) of this subdivision. The person or
    31  business shall then have an opportunity to cure any alleged violation of
    32  this section within such ninety days. If such alleged violation has been
    33  cured,  the person or business shall send written notice to the attorney
    34  general who shall then retain discretion as to whether or not to  pursue
    35  an action against such person or business.
    36    (c)  The  proceeds  from  penalties  collected from violations of this
    37  section, pursuant  to  paragraph  (a)  of  this  subdivision,  shall  be
    38  disbursed  as follows:      (i) twenty percent of such proceeds shall be
    39  dedicated to the public awareness campaign described in subdivision nine
    40  of this section; and (ii) the remaining eighty percent of such  proceeds
    41  shall be dedicated to the enforcement of this section by the bureau.
    42    (d)  An  action  may be brought against any person or business who has
    43  knowingly or recklessly violated this article if such action is  brought
    44  on  behalf  of  a  child user or by next of kin of a deceased child user
    45  alleging harm from such violation. A plaintiff who prevails on  a  claim
    46  alleging  a violation of this section is entitled to compensatory, actu-
    47  al, and punitive damages, injunctive relief, reasonable attorneys'  fees
    48  and costs, and other such remedies as a court may deem appropriate.
    49    § 5. This act shall take effect on the one hundred eightieth day after
    50  it  shall  have  become  a  law  and  shall apply to all online products
    51  targeted towards child users in this state which are made  available  to
    52  the  public on or after such effective date.  Effective immediately, the
    53  addition, amendment and/or repeal of any rules or regulations  necessary
    54  for  the implementation of this act on its effective date are authorized
    55  to be made on or before such effective date.