New York has enacted a children’s privacy law: Is it stricter than the GDPR?
Posted: July 12, 2024
The New York Child Data Protection Act (NYCDPA) has been signed by New York’s governor and will take effect in May 2025.
The NYCDPA applies to online operators with “actual knowledge” that minors under 18 are using their services, or who primarily direct their services at minors under 18. The law imposes data minimization and consent standards that appear stricter than any privacy law we’ve seen yet.
How the NYCDPA applies
The NYCDPA applies to “operators” which means any person:
- Who operates or provides a website, online service, online application, mobile application, or connected device, and
- Who:
  - Collects or maintains – either directly or through another person – personal data about its users
  - Integrates with another service that collects personal data about its users
  - Allows another person to collect personal data directly from its users, or
  - Allows its users to publicly disclose personal data.
Only operators meeting one or more of the following criteria have obligations under the NYCDPA:
- Operators with “actual knowledge” that their services are used by a minor under 18, and
- Operators who “primarily offer” their services to minors under 18
What operators must do under the NYCDPA
An operator covered by the above criteria has several obligations under the NYCDPA, including applying “privacy protection by default”.
Privacy protection by default means an operator cannot process a minor’s personal data unless:
- The operator complies with the Children’s Online Privacy Protection Act (COPPA) (if the minor is aged 12 or younger), or
- If the minor is aged between 13 and 18, either:
  - The processing is “strictly necessary” for an activity listed in the NYCDPA, or
  - The operator obtains informed consent.
The NYCDPA’s permitted activities
As noted, the NYCDPA includes a list of activities for which an operator may process personal data about a minor over 13 if “strictly necessary”, without obtaining consent.
In summary, these permitted activities are as follows:
- Providing or maintaining a specifically requested product or service
- Internal business operations (excluding advertising, among other activities)
- Fixing technical errors
- Dealing with legal claims
- Complying with a legal obligation
- Complying with a legal investigation
- Dealing with security incidents
- Protecting someone’s vital interests
Note that the processing must be “strictly necessary” for these activities. The “strictly necessary” threshold is a high bar.
The NYCDPA’s definition of ‘consent’
Operators must obtain the minor’s consent to process their personal data for any purpose not listed above.
The NYCDPA’s rules on consent are extremely strict – perhaps stricter than in any other privacy law.
Requests for informed consent must:
- Be made separately from any other transaction or part of a transaction
- Be made without any mechanism that obscures, subverts, or impairs the user’s decision-making
- Clearly and conspicuously state:
  - That the processing for which the consent is requested is not strictly necessary, and
  - That the user may decline and will still be able to use the operator’s services
- Clearly present an option to refuse to provide consent as the most prominent option.
That last requirement is novel and particularly strict. Many consent requests present “accept” as the most prominent option. Regulators increasingly require businesses to present both “accept” and “reject” options equally.
The NYCDPA takes this principle a step further: the “reject” option must be more prominent than the “accept” option.
The NYCDPA is part of a trend among US privacy laws, which feature increasingly strict rules on data minimization and consent. If the trend continues, it will create a particularly challenging environment for privacy professionals – but should significantly improve privacy protections for individuals.