New York’s New Rules for Processing Minors’ Data
On Friday, June 20, 2025, the New York Child Data Protection Act (“NYCDPA”) takes effect, bringing with it a slate of new responsibilities for operators of websites or online services. In advance of the effective date, the New York Office of the Attorney General (“OAG”) issued implementation guidance to clarify questions raised by industry participants. The OAG also intends to promulgate rules under NYCDPA following its Advance Notice of Proposed Rulemaking from August 2024.
Scope and General Obligations
The NYCDPA’s obligations apply to operators that process the data of covered users, defined as those (a) actually known by an operator to be under 18 or (b) users of websites, online services, mobile apps, or connected devices “primarily directed to minors.”
“Primarily directed to minors” is a less defined standard than the Children’s Online Privacy Protection Act’s (“COPPA”) “directed to children” standard, given its lack of express factors or thresholds. A site or service is “primarily directed to minors” if it is targeted to minors as its main audience, or if it has actual knowledge that it is collecting personal data directly from users of another site or service that is itself primarily directed to minors.
OAG guidance precludes the possibility of a middle category akin to COPPA’s “mixed audience” designation, noting that sites and services “of general interest” that consider minors “to be a component of—but not primarily—the audience” will not be in scope. Ultimately, pending regulations or further guidance, factors similar to those used to determine whether a site or service is “directed to children” under COPPA may be useful in assessing NYCDPA applicability.
When is Processing Permitted?
For minors under 13, processing is explicitly permitted if also permitted under COPPA. For minors 13 to 17, processing must either (a) be based on “informed consent” or (b) be strictly necessary for one of nine enumerated purposes.
Processing Must Be Strictly Necessary for Permitted Purposes …
For covered users aged 13 to 17, processing is permitted without consent only if it is strictly necessary for one of the following permissible purposes:
- providing or maintaining a specific product or service requested by the covered user;
- conducting the operator’s internal business operations;
- identifying and repairing technical errors that impair existing or intended functionality;
- protecting against malicious, fraudulent, or illegal activity;
- investigating, establishing, exercising, preparing for, or defending legal claims;
- complying with federal, state, or local laws, rules, or regulations;
- complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
- detecting, responding to, or preventing security incidents or threats; or
- protecting the vital interests of a natural person.
A Nuanced Data Minimization Standard
The first permissible purpose closely mirrors the substantive data minimization requirement introduced by the Maryland Online Data Privacy Act, as it limits processing to what is necessary for the specific product or service requested by the consumer. By anchoring processing to this necessity, the NYCDPA imposes significant constraints on operators’ ability to process personal data.
In its guidance, the OAG interestingly adds a different layer to this “strictly necessary” standard by requiring that any processing must be “within the expectations of a reasonable covered user.” Most reasonable users, the guidance continues, do not expect operators to track more online activities than necessary for the product or service, or to use collected personal data for purposes unrelated to providing that product or service. Pending OAG rulemaking or further guidance, it is unclear whether this should be analogized to the Maryland Online Data Privacy Act’s data minimization requirements or to the California Consumer Privacy Act regulations’ reasonable-expectations test, but the illustrative examples provided appear to favor the former.
Further, the guidance expressly states that an operator may not circumvent this data minimization standard “simply by marketing its core service as one that includes tracking a covered user’s personal data to support personalization such as behavioral advertising or creating a profile on a specific individual to display or prioritize certain media.”
Limited Internal Business Operations Purpose
The internal business operations exception is significantly narrower than its counterpart under COPPA, with the statute carving out all activities related to marketing, advertising, research and development, providing products or services to third parties, or engagement of inactive users.
… or Based on Informed Consent
The NYCDPA also allows covered users to provide informed consent for processing activities beyond those explicitly outlined in the statute. Informed consent must be given separately, free of dark patterns, and be as easy to revoke as to grant. Operators must clearly and conspicuously disclose that the processing is not strictly necessary and that the minors may decline without losing access to the service. Going further than the “symmetry in choice” requirements under other state laws like the California Consumer Privacy Act, NYCDPA requires that refusal to consent be the most prominent option.
Informed consent can be obtained through user-provided “age flags” that signal user age. Like preference signals under many state comprehensive privacy laws, these can take the form of browser extensions, privacy or device settings, or other mechanisms. Given the heightened requirements for consent, it would seem that the age flag could more readily be used to decline consent, rather than provide it.
In its guidance, the OAG indicated that, pending forthcoming rulemaking, enforcement on age flags would be discretionary based on good-faith efforts to comply with NYCDPA.
How Will It Be Enforced?
NYCDPA is enforceable only by the New York Attorney General. Among other monetary and injunctive penalties, it expressly provides for “the destruction of unlawfully obtained data,” a remedy not often contemplated in state privacy laws but included in a number of Federal Trade Commission consent orders.
The OAG is widely considered a relatively aggressive enforcing body, and we expect its focus to turn to children’s data and use of social media shortly following the effective dates of NYCDPA and its companion Stop Addictive Feeds Exploitation for Kids Act.
Next Steps
Businesses should proactively ensure compliance with the law as regulations and further guidance are issued.
- Assess and document applicability. Review your target audience to determine whether your service is “primarily directed to minors” or whether you have actual knowledge of users under 18.
- Implement and revise consent mechanisms. For users aged 13 to 17, ensure consent is obtained separately, free of dark patterns, and as easy to revoke as to grant. Make refusal to consent the most prominent option.
- Determine purposes for data collection. To satisfy NYCDPA’s high data minimization standards, businesses should assess and document collection purposes in order to show the good-faith compliance that the OAG reiterates will be key in the event of an investigation.