New York's Child Data Protection Act

Written By Kevin McKernan

New York's Child Data Protection Act took effect on June 20. This is a landmark piece of legislation designed to enhance the online privacy and safety of minors. As concerns over children's digital footprints grow, New York's approach is drawing national attention for its distinctive legal standards.

Unlike federal laws such as the Children's Online Privacy Protection Act and state laws, New York's CDPA introduces new obligations for organizations interacting with minors online and raises the bar for ethical data management. The CDPA is designed to safeguard the personal data of individuals under the age of 18. It applies to websites, apps, and digital services that are likely to be accessed by minors in the state of New York. The law aims to curb exploitative data practices and ensure that children's best interests are prioritized in digital environments. The CDPA is enforced by the New York Attorney General's Office. 

The core requirements of the CDPA are as follows: 

  • Harmful data practices prohibited 

  • Restrictions on algorithms and profiling 

  • Ban on data sales 

  • Data minimization 

  • "Best Interests" standard

Practical Tips for Organizations

The New York CDPA sets a new precedent for minor's digital privacy in the United States. It’s sweeping protections, broad age range, and flexible standards could influence legislation nationwide.

As the law takes effect, organizations must act quickly to adapt their practices or risk legal and reputational consequences:

  • Reevaluate digital services and whether they are likely to be accessed by minors. 

  • Eliminate non-essential data collection for users under age 18. 

  • Prepare for increased scrutiny from regulators, parents, and privacy advocates. 

  • Take a proactive approach to embedding "child-first" principles into product design and data governance.

To comply with the CDPA, businesses should do the following:

  • Conduct data audits and privacy impact assessments. 

  • Review their use of algorithms and targeted advertising. 

  • Implement or update age estimation and parental control tools. 

  • Ensure that privacy policies reflect the requirements of the CDPA.

This document is designed for general information only. The information presented in this document should not be construed to be formal legal or tax advice nor the formation of a lawyer/client relationship. 

For more information on this and other topics, please contact Kevin via any of the channels listed below:

📧 kevin@kmckernan.com  | 📞 718-317-5007

Kevin McKernan
Next

How to Create a Disaster Recovery Plan for Your Small Business