New York’s unique Child Data Protection Act: Here’s everything you need to know
By on Posted in Cybersecurity, Data Privacy

New York ‘s Child Data Protection Act, available here, took effect on June 20. This is a landmark piece of legislation designed to enhance the online privacy and safety of minors. As concerns over children’s digital footprints grow, New York’s approach is drawing national attention for its distinctive legal standards.

Unlike federal laws such as the Children’s Online Privacy Protection Act and state laws, New York’s CDPA introduces new obligations for organizations interacting with minors online and raises the bar for ethical data management.

Overview of the CDPA

The CDPA is designed to safeguard the personal data of individuals under the age of 18. It applies to websites, apps, and digital services that are likely to be accessed by minors in the state of New York. The law aims to curb exploitative data practices and ensure that children’s best interests are prioritized in digital environments.

The CDPA is enforced by the New York Attorney General’s Office, which has been tasked with developing regulations and overseeing compliance.

The core requirements of the CDPA are as follows:

  • Harmful data practices prohibited. Companies are barred from collecting, processing, or sharing a child’s personal data in ways that are not in the child’s best interests.
  • Restrictions on algorithms and profiling. Businesses must limit the use of algorithms and profiling techniques that could negatively affect children, such as those used for behavioral targeting.
  • Ban on data sales. Any sale of a minor’s personal data is prohibited.
  • Data minimization. Organizations may collect only the data that is necessary for the functionality of their services.
  • “Best Interests” standard. The law introduces a flexible, child-first standard, requiring businesses to consider the potential risks of their data practices.

Contrast between CDPA and other laws

The CDPA, which protects minors under age 18, is notably broader than the federal COPPA, which primarily protects children under age 13. The CDPA also does not rely solely on parental consent.

Additionally, in contrast to California’s Age-Appropriate Design Code Act, New York’s CDPA adopts a “best interests of the child” framework, focusing on the potential harm of data practices rather than design features alone. This approach is more aligned with data protection philosophies seen in Europe under the General Data Protection Regulation

Reactions and controversies

Privacy advocates have praised the CDPA for prioritizing children’s rights when it comes to digital regulation. However, industry groups have critiqued the law’s potentially ambiguous standards and the burden of implementation.

For example, the Software & Information Industry Association expressed concern over vague definitions (for example, "personal data" and "primarily directed to minors") and potential impacts on education tech platforms. The Association advocates clearer guidance modeled after federal COPPA. Other industry concerns include the disproportionate impact on vulnerable groups, constitutional rights, the economic implications of limiting algorithmic personalization, and advertising practices.

Although legal challenges may follow the implementation of the CDPA, it remains to be seen whether attempts at the federal level will have an impact on the law.

Enforcement

The New York Attorney General has been tasked with investigating violations, and bringing enforcement actions and assessing civil penalties against organizations that fail to comply with the law.

Practical tips for organizations

The New York CDPA sets a new precedent for minors’ digital privacy in the United States. Its sweeping protections, broad age range, and flexible standards could influence legislation nationwide.

As the law takes effect, organizations must act quickly to adapt their practices or risk legal and reputational consequences:

  • Reevaluate digital services and whether they are likely to be accessed by minors.
  • Eliminate non-essential data collection for users under age 18.
  • Prepare for increased scrutiny from regulators, parents, and privacy advocates.
  • Take a proactive approach to embedding “child-first” principles into product design and data governance.

To comply with the CDPA, businesses should do the following:

  • Conduct data audits and privacy impact assessments.
  • Review their use of algorithms and targeted advertising.
  • Implement or update age estimation and parental control tools.
  • Ensure that privacy policies reflect the requirements of the CDPA.

Constangy will continue to monitor CDPA-related developments and provide insights on regulatory enforcement and best practices. If you have questions or need support, contact our Cybersecurity & Data Privacy team.

TAGS: Child Data Protection Act, Cyber Team, CyberMonday, Data Privacy, Data Security, New York
Facebook Twitter/X Linkedin Email
  • Lauren Godfrey wearing a gray blazer over a white top, accessorized with a cross necklace and drop earrings, arms crossed, posed against a light blue and white geometric background.
    Lauren Godfrey
    Partner
    412.870.4129 |

    Lauren guides clients through data security incidents, leading initial assessments and coordinating forensic and remediation efforts to contain, investigate, and resolve issues. She helps clients develop privacy, incident ...

    More from Lauren: Full Bio | Contact Author | Blog Posts

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek