What Businesses Need to Know Before June 20, 2025
Bottom Line: New York’s Child Data Protection Act, taking effect June 20, 2025, fundamentally changes how online operators can collect and process personal data from minors under 18. Companies must obtain informed consent or demonstrate that data processing is “strictly necessary” to avoid penalties up to $5,000 per violation.
What Is the New York Child Data Protection Act?
The New York Child Data Protection Act (NYCDPA), signed into law by Governor Kathy Hochul on June 20, 2024, prohibits online sites from collecting, using, sharing, or selling personal data of anyone in New York under the age of 18, unless doing so is strictly necessary for the purpose of the website or the operator receives informed consent from the covered user.
The Act creates a new article 39-FF in New York’s General Business Law, prohibiting online sites from collecting, using, sharing, or otherwise processing any personal data of individuals under the age of 18 without informed consent.
Key Provisions and Requirements
Who Is Covered?
Covered Users: The Act applies to two categories of users in New York:
- Users actually known by the operator to be a minor (under 18 years old)
- Users of websites, online services, online applications, mobile applications, or connected devices primarily directed to minors
Operators: Any person who offers websites, online services, or connected devices who alone or jointly with others controls the purposes and means of processing personal data
Age-Based Protections
The Act establishes different requirements based on age:
Ages 13-17: Operators cannot process personal data of users between ages 13 and 18 unless strictly necessary for certain specified purposes or unless the user provides informed consent
Under 13: Operators cannot process personal data of users under age 13 other than in compliance with the Children’s Online Privacy Protection Act (COPPA)
“Strictly Necessary” Processing
Permitted processing purposes include providing a specific product or service requested by the user, conducting internal business operations, repairing technical errors, and complying with relevant law.
However, internal business operations specifically exclude any activities related to marketing, advertising, or providing products or services to third parties, or prompting covered users to use the service when it’s not in use.
Informed Consent Requirements
When processing isn’t strictly necessary, operators must obtain informed consent that:
- Is requested separately from any other transaction
- Does not use dark patterns
- States that the processing is not strictly necessary and that a user may decline
- Presents an option to refuse consent
Critical Compliance Requirements
Data Deletion Obligations
If an operator discovers that a user is a minor, it must delete the user’s personal data within 30 days unless processing complies with COPPA, is strictly necessary for a permitted purpose, or the operator obtains informed consent.
Device Signal Compliance
Operators must treat users as minors if a user’s device signals that the user is or shall be treated as a minor. Additionally, if a minor’s device signals that they decline to provide informed consent, an operator shall not request such consent.
Third-Party Data Sharing
The Act prohibits disclosing any data of minors to third parties unless there is a written binding agreement.
Implementation Timeline and Enforcement
Key Dates
- Law Enacted: June 20, 2024
- Effective Date: June 20, 2025
- Rulemaking Process: The Office of the New York State Attorney General released Advanced Notices of Proposed Rulemaking on August 1, 2024
Recent Guidance
On May 19, 2025, New York’s Office of the Attorney General published new guidance on the Act, suggesting that the OAG will exercise discretion in its enforcement and consider good-faith efforts to comply with the statute.
Enforcement Authority
The Act provides for enforcement solely by the attorney general, who can bring actions to enjoin violations, recover damages, and obtain civil penalties up to $5,000 per violation.
Which Businesses Are Affected?
The Act has broad applicability beyond traditional social media platforms:
Covered businesses will include, among others, financial institutions that market products and services to minors, and schools and colleges that market to prospective students who are minors.
Any business operating:
- Websites or online services primarily directed to minors
- Platforms that knowingly collect data from users under 18
- Services that process personal data of New York minors
Practical Steps for Compliance
Before June 20, 2025
- Audit Current Data Practices: Review all data collection, processing, and sharing activities involving minors
- Implement Age Verification: Develop systems to identify minor users
- Review Consent Mechanisms: Ensure informed consent processes meet Act requirements
- Update Privacy Policies: Clearly communicate data practices for minor users
- Train Staff: Educate teams on new requirements and procedures
Ongoing Compliance
- Monitor Device Signals: Implement systems to respect user device flags
- Data Deletion Procedures: Establish protocols for timely data deletion when required
- Third-Party Agreements: Ensure all data sharing agreements comply with Act requirements
- Regular Audits: Continuously monitor compliance with evolving regulations
Industry Impact and Context
The New York legislature passed this Act because New York children are in the midst of a mental health crisis caused by harmful social media use, finding that social media companies have created feeds personalized by algorithms that can keep children scrolling for dangerously long periods.
While the Act’s opt-in requirements for personal data processing are similar to other state child privacy laws, such as Virginia’s amendment to its Consumer Data Protection Act, New York’s approach represents the first of its kind specifically targeting algorithmic feeds.
Next Steps and Recommendations
With the June 20, 2025 effective date approaching, businesses should:
- Conduct Legal Review: Consult with privacy counsel to understand specific obligations
- Develop Implementation Plan: Create detailed compliance roadmap with clear timelines
- Monitor Regulatory Updates: Stay informed about final rules and guidance from the Attorney General’s office
- Consider Industry Best Practices: Learn from early adopters and industry guidance
The New York Child Data Protection Act represents a significant shift in how businesses must approach data privacy for minors. While compliance may require substantial changes to existing practices, the Act provides clear frameworks for businesses willing to prioritize child privacy and safety online.
For businesses operating in New York or serving New York minors, the time to prepare is now. The June 2025 deadline will arrive quickly, and proactive compliance efforts will be essential to avoid penalties and maintain user trust.
