Bill Text: NY S09563 | 2021-2022 | General Assembly | Introduced


Bill Title: Enacts the New York child data privacy protection act to prevent the exploitation of children's data; requires data controllers to assess the impact of its products on children for review by the bureau of internet and technology; bans certain data collection and targeted advertising.

Spectrum: Partisan Bill (Democrat 7-0)

Status: (Introduced - Dead) 2022-09-23 - REFERRED TO RULES



                STATE OF NEW YORK
        ________________________________________________________________________

                                          9563

                    IN SENATE

                                   September 23, 2022
                                       ___________

        Introduced by Sen. GOUNARDES -- read twice and ordered printed, and when
          printed to be committed to the Committee on Rules

        AN  ACT  to  amend the general business law, in relation to enacting the
          New York child data privacy and protection act

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:

     1    Section  1.  This act shall be known and may be cited as the "New York
     2  child data privacy and protection act".
     3    § 2. Legislative intent.   The legislature hereby finds  that  95%  of
     4  individuals under the age of 18 in the United States enjoy access to the
     5  Internet in their residences.
     6    The  legislature  further  finds  that  American teenagers spend seven
     7  hours and 22 minutes on average per day browsing social media, and  that
     8  53%  of  children  will own a smartphone by the time they're 11 years of
     9  age.
    10    The legislature recognizes that, while  broadband  access  is  a  core
    11  component  of  modern  life  and critical to the ability of children and
    12  young people to feel socially,  emotionally,  economically,  and  educa-
    13  tionally connected to the world around them, it is not without its risks
    14  and detriments.
    15    The  legislature  finds, for example, that teenagers who spend between
    16  five to seven hours a day on the Internet are twice as likely to  suffer
    17  from depression compared to those logged in for one hour a day.
    18    The  legislature  further  finds  that,  according  to  recent surveys
    19  conducted by a prominent social media platform, 34% of young adults feel
    20  uneasy when they are not online, 40.6% complain that their sleep  habits
    21  have  been  negatively  affected  by  social media, and 35% report being
    22  cyberbullied on the Internet.
    23    The legislature  further  finds  that,  according  to  the  2021  U.S.
    24  Surgeon  General  Advisory  on  Protecting  Youth Mental Health, digital
    25  public spaces are frequently designed to  maximize  user  engagement  as
    26  opposed  to  safeguarding  user  health,  leading to negative impacts of
    27  digital technologies and social media on the mental health and  well-be-
    28  ing of adolescents.

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD16301-04-2

     1    The  legislature  further  finds that the pitfalls of the Internet are
     2  not limited to teenagers, with young  children  potentially  exposed  to
     3  unsettling, dangerous, or age inappropriate content if not closely moni-
     4  tored by an adult.
     5    The legislature further finds that young children run a higher risk of
     6  coming   into  contact  with  strangers  online,  inadvertently  sharing
     7  personal information online, inadvertently making  in-app  purchases  or
     8  signing  contracts,  terms,  or  conditions online, becoming subject to,
     9  witnessing, or participating in potentially harmful conduct  online,  or
    10  purchasing  drugs and other dangerous products advertised online or sold
    11  through online platforms.
    12    The legislature recognizes the role of lawmakers to guard against  and
    13  mitigate these risks for children under the age of 18 wherever possible.
    14    The  legislature  finds that, while Congress passed the landmark Chil-
    15  dren's Online Privacy  Protection  Act  (COPPA)  in  1998  limiting  the
    16  collection, use, and disclosure of data collected from children under 13
    17  years  of  age,  requiring  operators  to retain such data for a limited
    18  amount of time, and restricting certain marketing to children  under  13
    19  years  of age, multiple studies have found the vast majority of applica-
    20  tion developers to be out of compliance with these rules.
    21    The legislature further finds that recent studies show at  least  two-
    22  thirds  of applications transmit data about very young children to third
    23  party marketing companies.
    24    The legislature further finds that President Biden  recently  declared
    25  the need to "strengthen privacy protections, ban targeted advertising to
    26  children,  [and]  demand tech companies stop collecting personal data on
    27  our children" in his 2022 State of the Union Address.
    28    The legislature further finds that, subsequent to  this  address,  the
    29  Federal  Trade Commission announced that it will prioritize the enforce-
    30  ment and modernization of COPPA to "crack down on companies  that  ille-
    31  gally surveil children online".
    32    The  legislature  further finds that there has been a flurry of recent
    33  legislative activity at the state, federal, and international levels  to
    34  address this issue, including the California Age-Appropriate Design Code
    35  Act,  the  Virginia's Consumer Data Protection Act, the Colorado Privacy
    36  Act, the Connecticut Data Privacy Act, the Utah  Consumer  Privacy  Act,
    37  several  federal proposals to strengthen and improve COPPA, and the UK's
    38  Age Appropriate Design Code.
    39    The legislature hereby concludes that the state of New York too has  a
    40  role to play in better preventing the exploitation of children's data in
    41  the  modern  era,  and thus presents the New York Child Data Privacy and
    42  Protection Act.
    43    § 3. The article heading of article 39-F of the general business  law,
    44  as  amended  by  chapter  117 of the laws of 2019, is amended to read as
    45  follows:
    46              NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE
    47       INFORMATION; DATA SECURITY PROTECTIONS; CHILD DATA PRIVACY AND
    48                               PROTECTION ACT
    49    § 4. The general business law is amended by adding a new section  899-
    50  cc to read as follows:
    51    §  899-cc.  New  York  child data privacy and protection act. 1. Defi-
    52  nitions.
    53    (a) "Bureau" shall mean the bureau of internet and technology  in  the
    54  office of the New York attorney general.
    55    (b)  "Child"  or  "children"  shall mean a consumer or consumers under
    56  eighteen years of age.

     1    (c) "Child user" shall mean a child accessing an online product with a
     2  device.
     3    (d) "Data breach" shall mean a breach of security leading to the acci-
     4  dental  or  unlawful destruction, loss, alteration, unauthorized disclo-
     5  sure of, or access to, personal data of child users transmitted, stored,
     6  or otherwise processed.
     7    (e) "Data controller" or "controller" shall mean a  natural  or  legal
     8  person  which, alone or jointly with others, determines the purposes and
     9  means of processing of the personal data of child users. This  includes,
    10  but  is not limited to, any business, website, or platform that collects
    11  data while selling electronic advertising space on its  platform  tailed
    12  to  any  one or any aggregation of the items of personal data defined in
    13  this section. No data controller is exempt from the requirements of this
    14  article if they are processing pseudonymized data,  whereby  "pseudonym-
    15  ized"  or  "pseudonymization" means the processing of personal data in a
    16  manner that renders the  personal  data  no  longer  attributable  to  a
    17  specific  child user without the use of additional information, provided
    18  that the additional information is kept separately  and  is  subject  to
    19  technical  and  organizational measures to ensure that the personal data
    20  is not attributed to an identified or identifiable child user.
    21    (f) "Data protection impact assessment" shall mean an internal  evalu-
    22  ation which the bureau requires entities to carry out in order to evalu-
    23  ate  the  level  of  risk  associated  with  such  entity's  collection,
    24  retention, processing, or sale of child user data.
    25    (g) "Online product" shall mean an online service, feature,  or  plat-
    26  form that is accessible to users with a digital device.
    27    (h)  "Personal  data"  shall mean any computerized information about a
    28  child user set forth in this paragraph that is not made publicly  avail-
    29  able through federal, state or local government agencies or any publicly
    30  available  information,  regardless  of  whether it is collected for the
    31  purpose of selling or transferring it to another entity.  Personal  data
    32  shall  mean  information  that  identifies,  relates to, describes or is
    33  reasonably linked to a particular child user, including but not  limited
    34  to:
    35    (i) physical address;
    36    (ii) legal name;
    37    (iii) alias;
    38    (iv) unique personal identifier;
    39    (v) online identifier;
    40    (vi) internet protocol address;
    41    (vii) e-mail address;
    42    (viii) account name;
    43    (ix) social security number;
    44    (x) place of birth;
    45    (xi) date of birth;
    46    (xii) phone number;
    47    (xiii) audio, visual, thermal, or olfactory data;
    48    (xiv) medical history, records of past medical treatment, or any diag-
    49  nosis of a physical or mental health condition or disability;
    50    (xv)  educational  information  that is not already publicly available
    51  through a local, state, or federal agency;
    52    (xvi) real time geolocation data or stored geolocation history;
    53    (xvii) any unique biometric data, body measurement, technical analysis
    54  or measurements collected for the purpose of allowing a  child  user  to
    55  authenticate  him  or herself on a device, internet application, or web-
    56  based platform;

     1    (xviii) names and identifying information of a child user's  immediate
     2  family;
     3    (xix)  internet  or  any  other electronic network activity, including
     4  browsing history, search history,  and  information  regarding  a  child
     5  user's  activity  on  a website or interaction with an electronic adver-
     6  tisement;
     7    (xx) any other information that alone, or combined  with  any  of  the
     8  information  described  in  this  paragraph, could be reasonably used to
     9  identify an individual child user; and
    10    (xxi) any inferences drawn from any of the combined forms of  personal
    11  data  that are used to create a profile of the child user reflecting the
    12  child's preferences,  choices,  characteristics,  psychological  trends,
    13  intelligence, aptitude, and emotional or physical health or behavior.
    14    "Personal data" shall also include any information which creates prob-
    15  abilistic  identifiers  that  can  be used to isolate, individualize, or
    16  identify a child user or device to a degree of certainty  more  probable
    17  than not based on any item of personal data defined in this paragraph.
    18    (i)  "Privacy  by  default"  shall  mean that the online product, once
    19  released to the public, is predesigned  so  that  the  strictest  online
    20  privacy  settings shall apply without any manual input required from the
    21  user. In addition, "privacy by default" shall mean that the online prod-
    22  uct shall only retain personal data provided by a  child  user  for  the
    23  duration of time necessary to provide such product to such user.
    24    (j) "Process", "processing" or "processor" shall refer to an operation
    25  or  set  of  operations  performed  on personal data or sets of personal
    26  data, whether or not by automated means, on behalf of a data controller.
    27    (k) "Sale" or "sold" shall mean the disclosure, dissemination,  making
    28  available,  release,  transfer,  conveyance,  license,  rental, or other
    29  commercialization of child user data by a  data  controller  to  another
    30  party,  whether  commercialization  occurs via access to raw data or via
    31  use of platform interface.  This definition shall include  dissemination
    32  of child user data, orally, in writing, or by electronic or other means,
    33  for monetary or other valuable consideration, or otherwise for a commer-
    34  cial purpose, by a data controller to another party.
    35    (l)  "Targeted towards child users" shall mean that the online product
    36  knows or should know that its product is accessible to and used by chil-
    37  dren.
    38    2. Data protection impact assessments. (a)  Each  entity  offering  an
    39  online  product that is targeted towards child users in this state shall
    40  complete a data protection impact assessment before such product can  be
    41  made  available  to  the  public.  The data protection impact assessment
    42  shall include an analysis of the following:
    43    (i) The ways in which child users primarily interact with  or  consume
    44  the online product;
    45    (ii)  The  amount  of time, on average, that a child user spends using
    46  the online product and whether the product includes  any  features  that
    47  are designed to extend or increase such amount of time;
    48    (iii)  The amount and type of data of child users collected, retained,
    49  processed, and/or sold;
    50    (iv) The purpose of the collection, retention, processing, or sale  of
    51  such data;
    52    (v) If the entity is a data controller, the data sharing relationships
    53  the  entity has with data processors or other third parties with whom it
    54  shares the personal data of child users, including any data addendums or
    55  other legal policies put into place between the  entity  and  the  party
    56  receiving the data;

     1    (vi)  Data  security  protections  of the online product which work to
     2  prevent and respond to data breaches, as defined in subdivision  one  of
     3  this section;
     4    (vii)  Any privacy policies, terms of service, or other legal policies
     5  published on the online product which relate to child users and  whether
     6  they  are  written in a way that can reasonably be understood by a child
     7  user;
     8    (viii) Whether such policies or terms of service require  approval  of
     9  the parent or legal guardian of the child user;
    10    (ix)  Community standards for published content on the online product,
    11  and whether and how the product  removes  content  which  violates  such
    12  standards;
    13    (x)  Whether such online product exposes children to potentially harm-
    14  ful content;
    15    (xi) Whether the use of such online product  could  lead  to  children
    16  being targeted by a potentially harmful contact;
    17    (xii)  Whether  the online product could allow child users to witness,
    18  participate in, or be subject to potentially harmful conduct;
    19    (xiii) Whether the online product  shares  information  on  the  child
    20  user's activity on such product with such child's legal parent or guard-
    21  ian;
    22    (xiv)  Opportunities  for  individuals  developing  an  online product
    23  targeted towards child  users  to  voice  concerns  about  such  product
    24  before,  during,  and  after  development  without  fear  of retaliation
    25  against such individual;
    26    (xv) Ways in which an  entity  offering  an  online  product  targeted
    27  towards child users solicits feedback from children, parents, educators,
    28  health  professionals,  youth development professionals, and the general
    29  public on the online product;
    30    (xvi) Whether and how child users can opt out  or  limit  exposure  to
    31  certain types of content;
    32    (xvii)  The impact of the online product on a child user's behavioral,
    33  emotional, and physical health; and
    34    (xviii) Any other factors the bureau  deems  relevant  to  assess  the
    35  material risk of the online product posed to child users.
    36    (b)  Each  entity  completing  such  data protection impact assessment
    37  shall send such assessment to the bureau  of  internet  and  technology,
    38  which  shall  determine  whether  such  entity's  online  product may be
    39  offered to the public based on  such  assessment.  Any  potential  risks
    40  posed  by  the online product, including risks of noncompliance with any
    41  provision of this section or any other law, which are identified by  the
    42  bureau  shall  be  communicated  by the bureau back to the entity, which
    43  shall then create a plan to mitigate or eliminate such risk before  such
    44  product may be made available to the public.
    45    (c)  An  entity  shall  be  required  to submit annual data protection
    46  impact assessments for review to  the  bureau  after  receiving  initial
    47  approval  for such entity's online product as described in paragraph (b)
    48  of this subdivision.
    49    3. Ban on data collection  and  digital  advertising.  (a)  No  entity
    50  offering  an  online  product targeted towards child users in this state
    51  shall collect, retain, process, or sell the personal data of such  users
    52  unless  such  collection, retention, processing, or sale is necessary to
    53  provide such online product and such collection, processing,  retention,
    54  or sale is limited to such purpose. Alternatively, an entity offering an
    55  online  product  may collect, retain, process, or sell the personal data

     1  of a child user if it can demonstrate  to  the  bureau  that  it  has  a
     2  compelling reason to do so which furthers the interest of the child.
     3    (b)  No entity offering an online product targeted towards child users
     4  in this state shall use digital advertising on such  product  to  target
     5  such  users  unless  consent  for  such advertising is obtained from the
     6  child's parent or legal guardian and the entity can demonstrate  to  the
     7  bureau  that  it has a compelling reason to offer such advertising which
     8  furthers the interest of the child.
     9    (c) No entity offering an online product targeted towards child  users
    10  in  this  state where such product is intended primarily for educational
    11  purposes shall collect, retain, process, or sell the  personal  data  of
    12  child users.
    13    4.  Requirement  for  certain  settings.  (a) All entities offering an
    14  online product targeted towards child users in this state shall  utilize
    15  privacy  by  default,  unless  the  entity  can demonstrate a compelling
    16  reason to the bureau that an alternative default setting should be used.
    17    (b) All entities offering an online  product  targeted  towards  child
    18  users  must design and activate a feature which proactively alerts child
    19  users, in a manner likely to be understood by a child in the  age  range
    20  targeted  by  the  online  product,  when  their  personal data is being
    21  collected and for the duration of time such collection occurs.
    22    (c) The bureau shall  have  the  discretion  to  ban  auto-play,  push
    23  notifications,  prompts,  in-app  purchases,  or any other feature in an
    24  online product targeted towards child users that it deems to be designed
    25  to inappropriately amplify the level of engagement a child user has with
    26  such product.
    27    5. Deceased child users.  All  entities  offering  an  online  product
    28  targeted  towards child users in this state shall provide access to such
    29  user's account, metadata, and user history to a parent or legal guardian
    30  upon the death of such child user and request from such parent or guard-
    31  ian for such access.
    32    6. Law enforcement. All entities offering an online  product  targeted
    33  towards  child  users  in this state shall expedite and prioritize civil
    34  and criminal subpoenas and criminal warrants pertaining to  child  users
    35  who have been a victim of a crime with maximum exigence.
    36    7. Terms of service. (a) Any entity offering an online product target-
    37  ed towards child users in this state shall prominently display a privacy
    38  policy  and  terms of service, to include warnings about potential harms
    39  to child users, in a manner which clearly and concisely communicates  to
    40  a child user, using language likely to be understood by an individual in
    41  the age range targeted by such product.
    42    (b)  All  privacy  policies  and terms of service of an online product
    43  targeted towards child users in this state must be agreed to by both the
    44  child user and the parent or legal guardian of such  child  before  such
    45  product can become operational for the child user.
    46    (c) Any entity offering an online product targeted towards child users
    47  in this state shall clearly post that the terms of service do not impose
    48  binding obligations on the child user to the entity.
    49    8.  Notification  of  emergent problems. Any entity offering an online
    50  product targeted toward child users in this state shall create and prom-
    51  inently display a method for children, parents, and legal  guardians  to
    52  notify  such  entity of emergent problems with such product. Such method
    53  of notification shall not require the parent, guardian, or child user to
    54  have an account on such product in order to notify the entity. All elec-
    55  tronic notifications of emergent problems described in this  subdivision

     1  shall  be assigned an identification number and contemporaneously gener-
     2  ate an electronic receipt for the notifying individual.
     3    9.  Public  awareness  campaign.  Before  the  effective  date of this
     4  section and on a regular, ongoing basis,  the  bureau  shall  execute  a
     5  public  awareness  campaign  to  inform  entities  that  create  digital
     6  products targeted towards child users, parents, teachers, and the gener-
     7  al public of the provisions of this section in order to  ensure  maximum
     8  compliance  thereof.  Such  campaign  may include digital content, bill-
     9  boards, posters, pamphlets, targeted mailers, public  service  announce-
    10  ments,  partnerships with local school districts, or any other method to
    11  increase general awareness of the provisions of this section.
    12    10. Annual report. The bureau of internet and technology shall produce
    13  and transmit a biennial report to the temporary president of the senate,
    14  the speaker of the assembly, and the governor summarizing:
    15    (a) the number of entities completing data protection  impact  assess-
    16  ments and the results thereof;
    17    (b)  the amount and type of child user data being collected, retained,
    18  processed, and/or sold by such entities and the purpose thereof;
    19    (c) the volume and nature of material risks posed to  child  users  by
    20  such  online  products  and measures taken to mitigate or eliminate such
    21  risk;
    22    (d) the volume of notifications of emergent problems and a categorical
    23  description of each type of problem (i.e. material  that  led  to  child
    24  sexual  abuse or grooming, instances of suicide or drug overdose related
    25  to use of online products by child users, instances of bullying  facili-
    26  tated by online products);
    27    (e) a description of the policies and terms of service being presented
    28  to  child  users and their parents or legal guardians as well as accept-
    29  ance and denial rates of such policies and terms;
    30    (f) the number of individuals or businesses found to be in  noncompli-
    31  ance with this act pursuant to subdivision eleven of this section;
    32    (g) the number of individuals or businesses that have cured violations
    33  of  this  section  of their own accord after being issued notice of such
    34  violation by the bureau;
    35    (h) the number of actions brought against  individuals  or  businesses
    36  pursuant  to paragraph (a) of subdivision eleven of this section and the
    37  results of such actions;
    38    (i) a summary of the public education efforts undertaken by the bureau
    39  on an ongoing basis to alert the public and interested  stakeholders  of
    40  the  provisions  of  this  section, pursuant to subdivision nine of this
    41  section; and
    42    (j) legislative recommendations for improvements to this or any  other
    43  statute governing digital actors in this state.
    44    11.  Penalties.  (a)  Whenever the attorney general shall believe from
    45  evidence satisfactory to him or her that there is a  violation  of  this
    46  section,  he or she may bring an action in the name and on behalf of the
    47  people of the state of New York, in a court of justice having  jurisdic-
    48  tion  to issue an injunction, to enjoin and restrain the continuation of
    49  such violation. Wherever the court shall determine in such action that a
    50  person or business violated this article knowingly  or  recklessly,  the
    51  court  may  impose  a civil penalty of up to twenty thousand dollars per
    52  instance of violation, provided that the latter amount shall not  exceed
    53  two hundred fifty million dollars.
    54    (b) The attorney general shall provide written notice to all people or
    55  businesses  of alleged violations at least ninety days before initiating
    56  any action described in paragraph (a) of this subdivision. The person or

     1  business shall then have an opportunity to cure any alleged violation of
     2  this section. After such alleged violation has been cured, the person or
     3  business shall send written notice to the  attorney  general  who  shall
     4  then  retain discretion as to whether or not to pursue an action against
     5  such person or business.
     6    (c) The proceeds from penalties  collected  from  violations  of  this
     7  section,  pursuant  to  paragraph  (a)  of  this  subdivision,  shall be
     8  disbursed as follows:     (i) twenty percent of such proceeds  shall  be
     9  dedicated to the public awareness campaign described in subdivision nine
    10  of  this section; and (ii) the remaining eighty percent of such proceeds
    11  shall be dedicated to the enforcement of this section by the bureau.
    12    (d) An action may be brought against any person or  business  who  has
    13  knowingly  or recklessly violated this article if such action is brought
    14  on behalf of a child user or by next of kin of  a  deceased  child  user
    15  alleging  harm  from such violation. A plaintiff who prevails on a claim
    16  alleging a violation of this section is entitled to compensatory,  actu-
    17  al,  and punitive damages, injunctive relief, reasonable attorneys' fees
    18  and costs, and other such remedies as a court may deem appropriate.
    19    § 5. This act shall take effect on the one hundred eightieth day after
    20  it shall have become a law  and  shall  apply  to  all  online  products
    21  targeted  towards  child users in this state which are made available to
    22  the public on or after such effective date.  Effective immediately,  the
    23  addition,  amendment and/or repeal of any rules or regulations necessary
    24  for the implementation of this act on its effective date are  authorized
    25  to be made on or before such effective date.