New York Children’s Safety and Privacy Proposals Take Control Away From Parents

Children’s online safety and privacy has been at the center of debate at every level of government for the past few years, with states, Congress, and multiple countries around the world attempting to address various real or perceived problems facing children in the digital world. On May 30, 2024, New York Governor Kathy Hochul announced her three-pronged proposal that, while well-intentioned, would take too much control away from parents and add to the state-by-state patchwork of legislation that complicates compliance and creates confusion for consumers.

Governor Hochul’s first proposal to protect children online involves banning smartphones in New York schools. The ban aims to address the issue of, as Hochul puts it, “addictive algorithms” distracting children from “human connection, social interaction, and normal classroom activity.” However, students and parents have both expressed issues with this approach. Some students argue that teachers sometimes incorporate technology, such as smartphones, into their lessons, aiding in their learning instead of distracting from it. Additionally, some students appreciate being able to use their smartphones during downtime, such as before or after school or in between classes.

Meanwhile, parents have concerns about being able to contact students during emergencies. Hochul points out that the ban would still allow students to carry simple phones that can make calls and send texts, so long as they cannot access the Internet, but this would require parents who want to maintain contact with their children to purchase new devices for their children. It is completely reasonable for schools and teachers to set limits on students’ use of personal technology, particularly if that use distracts students in the classroom, and to take phones away for the day from students who break the rules. But students’ and parents’ arguments against an outright ban are equally reasonable, which suggests that a one-size-fits all statewide ban is not the best course of action.

Hochul’s second proposal to protect children online, the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, which the New York legislature passed on June 7, 2024, likewise takes aim at “addictive algorithms.” Specifically, it requires social media platforms to obtain parental consent to provide an algorithmic feed for users under 18 (and to use “commercially reasonable methods” to determine which users are not minors). However, defaulting to overly strict settings—as the SAFE for Kids Act would require in making social media platforms default to a chronological feed for underaged users—is not necessary and ignores the benefits of algorithms, which allow users to more easily discover engaging content. Allowing underaged users or their parents to opt out of an algorithmic feed would achieve the same benefits with fewer downsides.

The SAFE for Kids Act would also require platforms to obtain parental consent to send minors notifications between the hours of midnight and 6 a.m. and provide parents with the ability to prevent their children from accessing the platform between those hours and set other time limits. However, both Apple and Android devices already provide parental controls that achieve the same functions for children’s accounts. Requiring social media sites to also have a “downtime” feature is redundant. Parents can also resort to the low-tech solution of limiting screentime at night by requiring their kids to hand over their devices before they go to bed.

Finally, Hochul’s third proposal, the New York Child Data Protection Act, would apply to online services that collect or maintain users’ personal data, integrate with other online services that collect users’ personal data, allow individuals to collect personal data directly from users, or allow users to publicly disclose their personal data. Specifically, the protections in the bill would go into effect if an online service is primarily directed to minors or has actual knowledge that a user is a minor. Because the federal children’s privacy law, the Children’s Online Privacy Protection Act (COPPA), applies to users under 13, New York’s bill would mostly impose new requirements for the personal data of users aged 13 to 17.

For these users, the bill restricts online services from processing personal data unless “strictly necessary” for providing or maintaining a product or service requested by the user, conducting internal business operations (with the exception of marketing and advertising), identifying and repairing technical errors, protecting against fraud and illegal activity, preparing for legal claims, complying with the law or an investigation, detecting or responding to security incidents or threats, or protecting individuals’ vital interests. In order to process the personal data of a user aged 13 to 17 for other purposes, an online service must obtain informed consent. The bill also bans the sale of personal data from teenage users. By requiring users to opt in instead of allowing them to opt out of data collection, the bill would limit innovation by reducing access to data, limiting data sharing, and constraining the use of data.

Both the SAFE for Kids Act and the Child Data Protection Act include a private right of action, allowing individuals to sue for damages and injunctive or declaratory relief in the event of a violation. These private rights of action also allow for class actions. These private rights of action are the most expensive provisions in privacy and safety legislation, driving up compliance costs for businesses that may be passed on to consumers or may even cause a business to stop offering certain services in the state.

Both bills would contribute to the growing patchwork of state privacy and children’s safety laws. This patchwork burdens companies that do business in multiple states with a complicated and costly compliance process. It also creates confusion for consumers, who have different privacy and safety rights depending on their state. The cost of 50 different state privacy laws—not including separate children’s privacy laws—could exceed $1 trillion over 10 years, with $200 billion hitting small businesses.

One redeeming feature in these two NY bills is that they include language that supports a device-level “child flag,” an alternative to widespread age verification that would signal to apps and websites, including social media platforms, that the device’s user is underage. This approach to differentiating underaged and adult users is more privacy-protective than age verification proposals that require all users to submit a government-issued form of ID to gain access to age-gated online services.

Overall, however, Gov. Hochul’s proposal misses the mark. Moreover, the current state-by-state approach to children’s online safety and privacy is unsustainable. Congress should intervene with a comprehensive federal privacy law that preempts all state privacy laws and child safety initiatives such as a child flag requirement. Meanwhile, when attempting to address issues facing children online, states should default to giving parents more control and avoid initiatives that would take control away from parents and place it in the hands of the government.