Legislation
SECTION 1540
Privacy by default and parental approvals
General Business (GBS) CHAPTER 20, ARTICLE 45-B
* § 1540. Privacy by default and parental approvals. 1. (a) The
attorney general may promulgate rules and regulations identifying
methods for reasonable and technically feasible age assurance, which may
consider the size, financial resources, and technical capabilities of
covered platforms, the costs and effectiveness of available age
determination techniques for users of such platforms, the audience of
such platforms, and prevalent practices of the industry of the operator.
Such rules or regulations may also identify the appropriate levels of
accuracy that would be considered reasonable for operators to achieve in
determining whether a user is a covered minor. Such rules or regulations
may specify that information collected under this article shall not be
used for any purpose other than age assurance and shall be deleted
immediately after an attempt to determine a user's age, except where
necessary for compliance with any applicable provisions of New York
state or federal law or rule or regulation.
(b) Until such time as the rules or regulations referenced in
paragraph (a) of this subdivision may have been promulgated and are in
effect, an operator shall use age assurance methods that meet the
requirements of article forty-five of this chapter and its implementing
rules or regulations, as amended, except that for purposes of this
article, an operator may not use self-declaration of age or minor status
to determine whether a covered user is a covered minor.
(c) To the extent rules or regulations referenced in paragraph (a) of
this subdivision are not in effect and rules or regulations referenced
in paragraph (b) of this subdivision regarding age assurance methods
promulgated pursuant to article forty-five of this chapter are not in
effect, an operator shall rely on a determination of a covered user's
age made using a reasonable age assurance method that meets the
following requirements:
(i) such age assurance method shall reasonably guard against
circumvention and reasonably minimize the retention of information
collected for age assurance purposes;
(ii) an operator may not use self-declaration of age or minor status
to determine whether a covered user is a covered minor; and
(iii) an operator must make available more than one age assurance
method to covered users, including at least one method that either does
not rely on government issued identification or that allows a covered
user to maintain anonymity as to the operator.
2. An operator may not offer or make available to a covered user the
feature of communicating privately with a user within the covered
platform or through platform integration, viewing the full profile of a
user, responding to or downloading media created or posted by a user,
tagging a user in posted media or viewing the geographic location
information of a user, unless the operator has conducted age assurance
to determine whether a covered user is a covered minor.
3. For all users determined by an operator to be a covered minor, such
operator shall utilize the following settings by default for covered
minors, which shall ensure that no user age eighteen or older who is not
already connected to a covered minor may:
(a) communicate privately with such covered minor within the covered
platform or through platform integration;
(b) view the full profile of such covered minor;
(c) respond to or download media created or posted by such covered
minor;
(d) tag such covered minor in posted media; or
(e) view the geographic location information, where such information
is derived from or captured by device or network signals, including but
not limited to global position system, IP address or Wi-Fi positioning,
of such covered minor.
4. If an operator provides a mechanism on the covered platform to
suggest or recommend the profile of a user to another user to connect
with, an operator may not suggest or recommend the profile of a covered
minor to another user age eighteen or older who is not already connected
to such covered minor. This subdivision shall not apply to profile
suggestions or recommendations that are made as a result of a covered
minor or other user syncing contacts with a covered platform.
4-a. Nothing in this subdivision is intended to prohibit actions
reasonably necessary for platform safety, abuse prevention, customer
support, legal compliance or emergency response, as may be further
defined in rules or regulations promulgated by the attorney general.
5. (a) A parent of a covered minor may override the default privacy
settings provided in subdivisions three and four of this section at such
parent's discretion. An operator shall allow a parent to override or
maintain each setting provided in subdivision three of this section
separately.
(b) An operator shall notify a parent of a covered minor whenever such
covered minor requests that the operator obtain approval from a covered
minor's parent to consent to change a default setting provided in
subdivision three or four of this section. Such notice shall include a
statement that informs the parent that they are changing a default
setting required under New York law. The parent may then either provide
or withhold such consent to the request to change the settings for such
minor, provided there is separate consent provided for each request by a
covered minor.
6. A request by a user to connect with a covered minor may be sent
simultaneously with a request by such user to communicate privately with
such covered minor and a request by a covered minor to connect with a
user may be sent simultaneously with a request by such covered minor to
communicate privately with such user, provided, however, that no such
private communication may be returned or responded to, until the
connection has been approved and/or any parental consent required by
subdivision eight of this section has been provided.
7. (a) An operator may not offer or make available to a covered user
the use or access of an integrated AI companion, unless the operator has
conducted age assurance to determine whether a covered user is a covered
minor.
(b) An operator shall, by default, disable the access or use of any
integrated AI companion for any covered minor.
(c) A parent of a covered minor may override the default disabled
access or use of an integrated AI companion, provided in paragraph (b)
of this subdivision, at such parent's discretion. An operator shall
allow a parent to override or maintain the setting provided for in
paragraph (b) of this subdivision separately from any other mechanisms
to override other default settings.
(d) An operator shall notify a parent of a covered minor whenever such
minor requests that the operator obtain consent from such covered
minor's parent to change the default setting provided in paragraph (b)
of this subdivision. Such notice shall include a statement that informs
the parent that the parent is being asked to provide consent to change a
default setting required under New York law. The parent may thereafter
provide or withhold such consent.
8. (a) For any covered minor under the age of thirteen, an operator
shall require the parent of such covered minor to provide consent before
the account of such covered minor and the account of another user may be
connected. For any covered minor under the age of thirteen, an operator
shall also establish a mechanism by which a parent of such minor may
easily view the list of all users or accounts currently connected with
the account of the minor.
(b) For any covered minor, an operator shall establish a mechanism by
which a parent of such minor may easily view a list of any covered
platforms that have been linked to or requested to be linked to the
account of the minor, if the covered platform offers a mechanism for
platform integration.
9. (a) An operator of a covered platform that offers or provides the
feature described in item two of clause (B) of subparagraph (ii) of
paragraph (c) of subdivision twelve of section fifteen hundred
thirty-nine of this article, may not offer or make available such
feature to a covered user unless the operator has conducted age
assurance to determine whether a covered user is a covered minor.
(b) For all users determined by such operator to be a covered minor,
such operator shall establish a mechanism that either: (i) enables the
parent of such covered minor to set a monthly limit on the spending of
money, whether by charging a credit card or other means, in connection
with the direct or indirect purchase or acquisition of anything on or
via the covered platform, including but not limited to digital currency,
relating to such covered minor's account and where the amount of such
limit is set at the parent's discretion; or
(ii) enables the parent of such covered minor to opt out of setting
such limits.
(c) Such an operator may establish a mechanism to enable the covered
minor to request that the operator obtain consent from the parent of
such covered minor for the further expenditure of money, such as
charging the credit card associated with such covered minor's account,
once the limit set forth in subparagraph (i) of paragraph (b) of this
subdivision is reached. In such an instance, the operator shall obtain
such consent from such parent before any such charges may be processed
by the operator.
(d) Such operator shall further establish a mechanism by which a
parent of a covered minor may easily view a history of all financial
transactions relating to such covered minor's account at any time, which
at a minimum, identifies the users involved in each such transaction, in
addition to the covered minor, as well as the amounts of money or
digital currency associated with each transaction.
* NB Effective January 1, 2027
attorney general may promulgate rules and regulations identifying
methods for reasonable and technically feasible age assurance, which may
consider the size, financial resources, and technical capabilities of
covered platforms, the costs and effectiveness of available age
determination techniques for users of such platforms, the audience of
such platforms, and prevalent practices of the industry of the operator.
Such rules or regulations may also identify the appropriate levels of
accuracy that would be considered reasonable for operators to achieve in
determining whether a user is a covered minor. Such rules or regulations
may specify that information collected under this article shall not be
used for any purpose other than age assurance and shall be deleted
immediately after an attempt to determine a user's age, except where
necessary for compliance with any applicable provisions of New York
state or federal law or rule or regulation.
(b) Until such time as the rules or regulations referenced in
paragraph (a) of this subdivision may have been promulgated and are in
effect, an operator shall use age assurance methods that meet the
requirements of article forty-five of this chapter and its implementing
rules or regulations, as amended, except that for purposes of this
article, an operator may not use self-declaration of age or minor status
to determine whether a covered user is a covered minor.
(c) To the extent rules or regulations referenced in paragraph (a) of
this subdivision are not in effect and rules or regulations referenced
in paragraph (b) of this subdivision regarding age assurance methods
promulgated pursuant to article forty-five of this chapter are not in
effect, an operator shall rely on a determination of a covered user's
age made using a reasonable age assurance method that meets the
following requirements:
(i) such age assurance method shall reasonably guard against
circumvention and reasonably minimize the retention of information
collected for age assurance purposes;
(ii) an operator may not use self-declaration of age or minor status
to determine whether a covered user is a covered minor; and
(iii) an operator must make available more than one age assurance
method to covered users, including at least one method that either does
not rely on government issued identification or that allows a covered
user to maintain anonymity as to the operator.
2. An operator may not offer or make available to a covered user the
feature of communicating privately with a user within the covered
platform or through platform integration, viewing the full profile of a
user, responding to or downloading media created or posted by a user,
tagging a user in posted media or viewing the geographic location
information of a user, unless the operator has conducted age assurance
to determine whether a covered user is a covered minor.
3. For all users determined by an operator to be a covered minor, such
operator shall utilize the following settings by default for covered
minors, which shall ensure that no user age eighteen or older who is not
already connected to a covered minor may:
(a) communicate privately with such covered minor within the covered
platform or through platform integration;
(b) view the full profile of such covered minor;
(c) respond to or download media created or posted by such covered
minor;
(d) tag such covered minor in posted media; or
(e) view the geographic location information, where such information
is derived from or captured by device or network signals, including but
not limited to global position system, IP address or Wi-Fi positioning,
of such covered minor.
4. If an operator provides a mechanism on the covered platform to
suggest or recommend the profile of a user to another user to connect
with, an operator may not suggest or recommend the profile of a covered
minor to another user age eighteen or older who is not already connected
to such covered minor. This subdivision shall not apply to profile
suggestions or recommendations that are made as a result of a covered
minor or other user syncing contacts with a covered platform.
4-a. Nothing in this subdivision is intended to prohibit actions
reasonably necessary for platform safety, abuse prevention, customer
support, legal compliance or emergency response, as may be further
defined in rules or regulations promulgated by the attorney general.
5. (a) A parent of a covered minor may override the default privacy
settings provided in subdivisions three and four of this section at such
parent's discretion. An operator shall allow a parent to override or
maintain each setting provided in subdivision three of this section
separately.
(b) An operator shall notify a parent of a covered minor whenever such
covered minor requests that the operator obtain approval from a covered
minor's parent to consent to change a default setting provided in
subdivision three or four of this section. Such notice shall include a
statement that informs the parent that they are changing a default
setting required under New York law. The parent may then either provide
or withhold such consent to the request to change the settings for such
minor, provided there is separate consent provided for each request by a
covered minor.
6. A request by a user to connect with a covered minor may be sent
simultaneously with a request by such user to communicate privately with
such covered minor and a request by a covered minor to connect with a
user may be sent simultaneously with a request by such covered minor to
communicate privately with such user, provided, however, that no such
private communication may be returned or responded to, until the
connection has been approved and/or any parental consent required by
subdivision eight of this section has been provided.
7. (a) An operator may not offer or make available to a covered user
the use or access of an integrated AI companion, unless the operator has
conducted age assurance to determine whether a covered user is a covered
minor.
(b) An operator shall, by default, disable the access or use of any
integrated AI companion for any covered minor.
(c) A parent of a covered minor may override the default disabled
access or use of an integrated AI companion, provided in paragraph (b)
of this subdivision, at such parent's discretion. An operator shall
allow a parent to override or maintain the setting provided for in
paragraph (b) of this subdivision separately from any other mechanisms
to override other default settings.
(d) An operator shall notify a parent of a covered minor whenever such
minor requests that the operator obtain consent from such covered
minor's parent to change the default setting provided in paragraph (b)
of this subdivision. Such notice shall include a statement that informs
the parent that the parent is being asked to provide consent to change a
default setting required under New York law. The parent may thereafter
provide or withhold such consent.
8. (a) For any covered minor under the age of thirteen, an operator
shall require the parent of such covered minor to provide consent before
the account of such covered minor and the account of another user may be
connected. For any covered minor under the age of thirteen, an operator
shall also establish a mechanism by which a parent of such minor may
easily view the list of all users or accounts currently connected with
the account of the minor.
(b) For any covered minor, an operator shall establish a mechanism by
which a parent of such minor may easily view a list of any covered
platforms that have been linked to or requested to be linked to the
account of the minor, if the covered platform offers a mechanism for
platform integration.
9. (a) An operator of a covered platform that offers or provides the
feature described in item two of clause (B) of subparagraph (ii) of
paragraph (c) of subdivision twelve of section fifteen hundred
thirty-nine of this article, may not offer or make available such
feature to a covered user unless the operator has conducted age
assurance to determine whether a covered user is a covered minor.
(b) For all users determined by such operator to be a covered minor,
such operator shall establish a mechanism that either: (i) enables the
parent of such covered minor to set a monthly limit on the spending of
money, whether by charging a credit card or other means, in connection
with the direct or indirect purchase or acquisition of anything on or
via the covered platform, including but not limited to digital currency,
relating to such covered minor's account and where the amount of such
limit is set at the parent's discretion; or
(ii) enables the parent of such covered minor to opt out of setting
such limits.
(c) Such an operator may establish a mechanism to enable the covered
minor to request that the operator obtain consent from the parent of
such covered minor for the further expenditure of money, such as
charging the credit card associated with such covered minor's account,
once the limit set forth in subparagraph (i) of paragraph (b) of this
subdivision is reached. In such an instance, the operator shall obtain
such consent from such parent before any such charges may be processed
by the operator.
(d) Such operator shall further establish a mechanism by which a
parent of a covered minor may easily view a history of all financial
transactions relating to such covered minor's account at any time, which
at a minimum, identifies the users involved in each such transaction, in
addition to the covered minor, as well as the amounts of money or
digital currency associated with each transaction.
* NB Effective January 1, 2027