NY State Senate Bill 2023-S3281 (original) (raw)

                 S T A T E   O F   N E W   Y O R K

                               3281

                    2023-2024 Regular Sessions

                         I N  S E N A T E

                         January 30, 2023
                            ___________

Introduced by Sens. GOUNARDES, ADDABBO, GIANARIS, KRUEGER, MAYER, SEPULVEDA -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology

AN ACT to amend the general business law, in relation to enacting the New York child data privacy and protection act

THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM- BLY, DO ENACT AS FOLLOWS:

Section 1. This act shall be known and may be cited as the "New York child data privacy and protection act". § 2. Legislative intent. The legislature hereby finds that 95% of individuals under the age of 18 in the United States enjoy access to the Internet in their residences. The legislature further finds that American teenagers spend seven hours and 22 minutes on average per day browsing social media, and that 53% of children will own a smartphone by the time they're 11 years of age. The legislature recognizes that, while broadband access is a core component of modern life and critical to the ability of children and young people to feel socially, emotionally, economically, and educa- tionally connected to the world around them, it is not without its risks and detriments. The legislature finds, for example, that teenagers who spend between five to seven hours a day on the Internet are twice as likely to suffer from depression compared to those logged in for one hour a day. The legislature further finds that, according to recent surveys conducted by a prominent social media platform, 34% of young adults feel uneasy when they are not online, 40.6% complain that their sleep habits have been negatively affected by social media, and 35% report being cyberbullied on the Internet. The legislature further finds that, according to the 2021 U.S. Surgeon General Advisory on Protecting Youth Mental Health, digital

EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets [ ] is old law to be omitted. LBD06552-01-3

S. 3281 2

public spaces are frequently designed to maximize user engagement as opposed to safeguarding user health, leading to negative impacts of digital technologies and social media on the mental health and well-be- ing of adolescents. The legislature further finds that the pitfalls of the Internet are not limited to teenagers, with young children potentially exposed to unsettling, dangerous, or age inappropriate content if not closely moni- tored by an adult. The legislature further finds that young children run a higher risk of coming into contact with strangers online, inadvertently sharing personal information online, inadvertently making in-app purchases or signing contracts, terms, or conditions online, becoming subject to, witnessing, or participating in potentially harmful conduct online, or purchasing drugs and other dangerous products advertised online or sold through online platforms. The legislature recognizes the role of lawmakers to guard against and mitigate these risks for children under the age of 18 wherever possible. The legislature finds that, while Congress passed the landmark Chil- dren's Online Privacy Protection Act (COPPA) in 1998 limiting the collection, use, and disclosure of data collected from children under 13 years of age, requiring operators to retain such data for a limited amount of time, and restricting certain marketing to children under 13 years of age, multiple studies have found the vast majority of applica- tion developers to be out of compliance with these rules. The legislature further finds that recent studies show at least two- thirds of applications transmit data about very young children to third party marketing companies. The legislature further finds that President Biden recently declared the need to "strengthen privacy protections, ban targeted advertising to children, [and] demand tech companies stop collecting personal data on our children" in his 2022 State of the Union Address. The legislature further finds that, subsequent to this address, the Federal Trade Commission announced that it will prioritize the enforce- ment and modernization of COPPA to "crack down on companies that ille- gally surveil children online". The legislature further finds that there has been a flurry of recent legislative activity at the state, federal, and international levels to address this issue, including the California Age-Appropriate Design Code Act, the Virginia's Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, several federal proposals to strengthen and improve COPPA, and the UK's Age Appropriate Design Code. The legislature hereby concludes that the state of New York too has a role to play in better preventing the exploitation of children's data in the modern era, and thus presents the New York Child Data Privacy and Protection Act. § 3. The article heading of article 39-F of the general business law, as amended by chapter 117 of the laws of 2019, is amended to read as follows: NOTIFICATION OF UNAUTHORIZED ACQUISITION OF PRIVATE INFORMATION; DATA SECURITY PROTECTIONS; CHILD DATA PRIVACY AND PROTECTION ACT § 4. The general business law is amended by adding a new section 899- cc to read as follows: § 899-CC. NEW YORK CHILD DATA PRIVACY AND PROTECTION ACT. 1. DEFI- NITIONS. S. 3281 3

(A) "BUREAU" SHALL MEAN THE BUREAU OF INTERNET AND TECHNOLOGY IN THE OFFICE OF THE NEW YORK ATTORNEY GENERAL. (B) "CHILD" OR "CHILDREN" SHALL MEAN A CONSUMER OR CONSUMERS UNDER EIGHTEEN YEARS OF AGE. (C) "CHILD USER" SHALL MEAN A CHILD ACCESSING AN ONLINE PRODUCT WITH A DEVICE. (D) "DATA BREACH" SHALL MEAN A BREACH OF SECURITY LEADING TO THE ACCI- DENTAL OR UNLAWFUL DESTRUCTION, LOSS, ALTERATION, UNAUTHORIZED DISCLO- SURE OF, OR ACCESS TO, PERSONAL DATA OF CHILD USERS TRANSMITTED, STORED, OR OTHERWISE PROCESSED. (E) "DATA CONTROLLER" OR "CONTROLLER" SHALL MEAN A NATURAL OR LEGAL PERSON WHICH, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF PROCESSING OF THE PERSONAL DATA OF CHILD USERS. THIS INCLUDES, BUT IS NOT LIMITED TO, ANY BUSINESS, WEBSITE, OR PLATFORM THAT COLLECTS DATA WHILE SELLING ELECTRONIC ADVERTISING SPACE ON ITS PLATFORM TAILED TO ANY ONE OR ANY AGGREGATION OF THE ITEMS OF PERSONAL DATA DEFINED IN THIS SECTION. NO DATA CONTROLLER IS EXEMPT FROM THE REQUIREMENTS OF THIS ARTICLE IF THEY ARE PROCESSING PSEUDONYMIZED DATA, WHEREBY "PSEUDONYM- IZED" OR "PSEUDONYMIZATION" MEANS THE PROCESSING OF PERSONAL DATA IN A MANNER THAT RENDERS THE PERSONAL DATA NO LONGER ATTRIBUTABLE TO A SPECIFIC CHILD USER WITHOUT THE USE OF ADDITIONAL INFORMATION, PROVIDED THAT THE ADDITIONAL INFORMATION IS KEPT SEPARATELY AND IS SUBJECT TO TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THAT THE PERSONAL DATA IS NOT ATTRIBUTED TO AN IDENTIFIED OR IDENTIFIABLE CHILD USER. (F) "DATA PROTECTION IMPACT ASSESSMENT" SHALL MEAN AN INTERNAL EVALU- ATION WHICH THE BUREAU REQUIRES ENTITIES TO CARRY OUT IN ORDER TO EVALU- ATE THE LEVEL OF RISK ASSOCIATED WITH SUCH ENTITY'S COLLECTION, RETENTION, PROCESSING, OR SALE OF CHILD USER DATA. (G) "ONLINE PRODUCT" SHALL MEAN AN ONLINE SERVICE, FEATURE, OR PLAT- FORM THAT IS ACCESSIBLE TO USERS WITH A DIGITAL DEVICE. (H) "PERSONAL DATA" OR "PERSONAL DATA IDENTIFIER" SHALL MEAN ANY COMPUTERIZED INFORMATION ABOUT A CHILD USER SET FORTH IN THIS PARAGRAPH THAT IS NOT MADE PUBLICLY AVAILABLE THROUGH FEDERAL, STATE OR LOCAL GOVERNMENT AGENCIES OR ANY PUBLICLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER IT IS COLLECTED FOR THE PURPOSE OF SELLING OR TRANSFERRING IT TO ANOTHER ENTITY. PERSONAL DATA SHALL MEAN INFORMATION THAT IDENTIFIES, RELATES TO, DESCRIBES OR IS REASONABLY LINKED TO A PARTICULAR CHILD USER, INCLUDING BUT NOT LIMITED TO: (I) PHYSICAL ADDRESS; (II) LEGAL NAME; (III) ALIAS; (IV) UNIQUE PERSONAL IDENTIFIER; (V) ONLINE IDENTIFIER; (VI) INTERNET PROTOCOL ADDRESS; (VII) E-MAIL ADDRESS; (VIII) ACCOUNT NAME; (IX) SOCIAL SECURITY NUMBER; (X) PLACE OF BIRTH; (XI) DATE OF BIRTH; (XII) PHONE NUMBER; (XIII) AUDIO, VISUAL, THERMAL, OR OLFACTORY DATA; (XIV) MEDICAL HISTORY, RECORDS OF PAST MEDICAL TREATMENT, OR ANY DIAG- NOSIS OF A PHYSICAL OR MENTAL HEALTH CONDITION OR DISABILITY; (XV) EDUCATIONAL INFORMATION THAT IS NOT ALREADY PUBLICLY AVAILABLE THROUGH A LOCAL, STATE, OR FEDERAL AGENCY; (XVI) REAL TIME GEOLOCATION DATA OR STORED GEOLOCATION HISTORY; S. 3281 4

(XVII) ANY UNIQUE BIOMETRIC DATA, BODY MEASUREMENT, TECHNICAL ANALYSIS OR MEASUREMENTS COLLECTED FOR THE PURPOSE OF ALLOWING A CHILD USER TO AUTHENTICATE HIM OR HERSELF ON A DEVICE, INTERNET APPLICATION, OR WEB- BASED PLATFORM; (XVIII) NAMES AND IDENTIFYING INFORMATION OF A CHILD USER'S IMMEDIATE FAMILY; (XIX) INTERNET OR ANY OTHER ELECTRONIC NETWORK ACTIVITY, INCLUDING BROWSING HISTORY, SEARCH HISTORY, AND INFORMATION REGARDING A CHILD USER'S ACTIVITY ON A WEBSITE OR INTERACTION WITH AN ELECTRONIC ADVER- TISEMENT; (XX) ANY OTHER INFORMATION THAT ALONE, OR COMBINED WITH ANY OF THE INFORMATION DESCRIBED IN THIS PARAGRAPH, COULD BE REASONABLY USED TO IDENTIFY AN INDIVIDUAL CHILD USER; AND (XXI) ANY INFERENCES DRAWN FROM ANY OF THE COMBINED FORMS OF PERSONAL DATA THAT ARE USED TO CREATE A PROFILE OF THE CHILD USER REFLECTING THE CHILD'S PREFERENCES, CHOICES, CHARACTERISTICS, PSYCHOLOGICAL TRENDS, INTELLIGENCE, APTITUDE, AND EMOTIONAL OR PHYSICAL HEALTH OR BEHAVIOR. "PERSONAL DATA" SHALL ALSO INCLUDE ANY INFORMATION WHICH CREATES PROB- ABILISTIC IDENTIFIERS THAT CAN BE USED TO ISOLATE, INDIVIDUALIZE, OR IDENTIFY A CHILD USER OR DEVICE TO A DEGREE OF CERTAINTY MORE PROBABLE THAN NOT BASED ON ANY ITEM OF PERSONAL DATA DEFINED IN THIS PARAGRAPH. (I) "PRIVACY BY DEFAULT" SHALL MEAN THAT THE ONLINE PRODUCT, ONCE RELEASED TO THE PUBLIC, IS PREDESIGNED SO THAT THE STRICTEST ONLINE PRIVACY SETTINGS SHALL APPLY WITHOUT ANY MANUAL INPUT REQUIRED FROM THE USER. IN ADDITION, "PRIVACY BY DEFAULT" SHALL MEAN THAT THE ONLINE PROD- UCT SHALL ONLY RETAIN PERSONAL DATA PROVIDED BY A CHILD USER FOR THE DURATION OF TIME NECESSARY TO PROVIDE SUCH PRODUCT TO SUCH USER. (J) "PROCESS", "PROCESSING" OR "PROCESSOR" SHALL REFER TO AN OPERATION OR SET OF OPERATIONS PERFORMED ON PERSONAL DATA OR SETS OF PERSONAL DATA, WHETHER OR NOT BY AUTOMATED MEANS, ON BEHALF OF A DATA CONTROLLER. (K) "SALE" OR "SOLD" SHALL MEAN THE DISCLOSURE, DISSEMINATION, MAKING AVAILABLE, RELEASE, TRANSFER, CONVEYANCE, LICENSE, RENTAL, OR OTHER COMMERCIALIZATION OF CHILD USER DATA BY A DATA CONTROLLER TO ANOTHER PARTY, WHETHER COMMERCIALIZATION OCCURS VIA ACCESS TO RAW DATA OR VIA USE OF PLATFORM INTERFACE. THIS DEFINITION SHALL INCLUDE DISSEMINATION OF CHILD USER DATA, ORALLY, IN WRITING, OR BY ELECTRONIC OR OTHER MEANS, FOR MONETARY OR OTHER VALUABLE CONSIDERATION, OR OTHERWISE FOR A COMMER- CIAL PURPOSE, BY A DATA CONTROLLER TO ANOTHER PARTY. (L) "TARGETED DIGITAL ADVERTISING" SHALL MEAN AN EFFORT TO MARKET AN ONLINE PRODUCT THAT IS DIRECTED AT A SPECIFIC CHILD USER OR DEVICE BASED ON: THE PERSONAL DATA OF SUCH CHILD USER, A GROUP OF CHILD USERS WHO SHARE PERSONAL DATA IDENTIFIERS AS SUCH TERM IS DEFINED IN PARAGRAPH (H) OF THIS SUBDIVISION, PSYCHOLOGICAL PROFILING, OR A UNIQUE IDENTIFIER OF THE DEVICE; OR AS A RESULT OF SUCH CHILD USER OR GROUP OF CHILD USER'S USE OF SUCH ONLINE PRODUCT OR ANY OTHER ONLINE PRODUCT. (M) "TARGETED TOWARDS CHILD USERS" SHALL MEAN THAT THE ONLINE PRODUCT SHOULD KNOW THAT ITS PRODUCT IS ACCESSIBLE TO AND USED BY CHILDREN. THE BUREAU MAY CONSIDER SUCH FACTORS AS THE ONLINE PRODUCT'S INTERNAL RESEARCH ABOUT SUCH PRODUCT'S USERS, EXISTING EVIDENCE OF USER BEHAVIOR, WHETHER ADVERTISEMENTS FEATURED ON THE ONLINE PRODUCT, INCLUDING THIRD- PARTY ADVERTISEMENTS, ARE LIKELY TO APPEAL TO CHILDREN, THE CONTENT OF COMPLAINTS RECEIVED, AS DETAILED IN SUBPARAGRAPH (XIV) OF PARAGRAPH (A) OF SUBDIVISION TWO OF THIS SECTION, ABOUT THE PRODUCT FROM PARENTS, CHILDREN, OR OTHER INDIVIDUALS THAT INDICATE THE AGE OF USERS ACCESSING THE ONLINE PRODUCT, CONTENT AND DESIGN FEATURES OF THE PRODUCT SUCH AS ANIMATION, MUSICAL OR AUDIO CONTENT, THE PRESENCE OF CHILDREN OR INFLU- S. 3281 5

ENCERS POPULAR WITH CHILDREN, HOW THE ONLINE PRODUCT DESCRIBES AND PROMOTES ITSELF, AND ANY OTHER CHARACTERISTIC THE BUREAU DEEMS RELEVANT WHEN DETERMINING HOW AN ONLINE PRODUCT SHOULD KNOW THAT IT IS ACCESSIBLE TO AND USED BY CHILDREN. 2. DATA PROTECTION IMPACT ASSESSMENTS. (A) EACH ENTITY OFFERING AN ONLINE PRODUCT THAT IS TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL COMPLETE A DATA PROTECTION IMPACT ASSESSMENT. THE DATA PROTECTION IMPACT ASSESSMENT SHALL INCLUDE AN ANALYSIS OF THE FOLLOWING: (I) THE WAYS IN WHICH CHILD USERS PRIMARILY INTERACT WITH OR CONSUME THE ONLINE PRODUCT; (II) THE AMOUNT OF TIME, ON AVERAGE, THAT A CHILD USER SPENDS USING THE ONLINE PRODUCT AND WHETHER THE PRODUCT INCLUDES ANY FEATURES THAT ARE DESIGNED TO EXTEND OR INCREASE SUCH AMOUNT OF TIME; (III) THE AMOUNT AND TYPE OF DATA OF CHILD USERS COLLECTED, RETAINED, PROCESSED, AND/OR SOLD; (IV) THE PURPOSE OF THE COLLECTION, RETENTION, PROCESSING, OR SALE OF SUCH DATA; (V) IF THE ENTITY IS A DATA CONTROLLER, THE DATA SHARING RELATIONSHIPS THE ENTITY HAS WITH DATA PROCESSORS OR OTHER THIRD PARTIES WITH WHOM IT SHARES THE PERSONAL DATA OF CHILD USERS, INCLUDING ANY DATA ADDENDUMS OR OTHER LEGAL POLICIES PUT INTO PLACE BETWEEN THE ENTITY AND THE PARTY RECEIVING THE DATA; (VI) DATA SECURITY PROTECTIONS OF THE ONLINE PRODUCT WHICH WORK TO PREVENT AND RESPOND TO DATA BREACHES, AS DEFINED IN SUBDIVISION ONE OF THIS SECTION; (VII) ANY PRIVACY POLICIES, TERMS OF SERVICE, OR OTHER LEGAL POLICIES PUBLISHED ON THE ONLINE PRODUCT WHICH RELATE TO CHILD USERS AND WHETHER THEY ARE WRITTEN IN A WAY THAT CAN REASONABLY BE UNDERSTOOD BY A CHILD USER; (VIII) WHETHER SUCH POLICIES OR TERMS OF SERVICE REQUIRE APPROVAL OF THE PARENT OR LEGAL GUARDIAN OF THE CHILD USER; (IX) COMMUNITY STANDARDS FOR PUBLISHED CONTENT ON THE ONLINE PRODUCT, AND WHETHER AND HOW THE PRODUCT REMOVES CONTENT WHICH VIOLATES SUCH STANDARDS; (X) WHETHER SUCH ONLINE PRODUCT EXPOSES CHILDREN TO POTENTIALLY HARM- FUL CONTENT; (XI) WHETHER THE USE OF SUCH ONLINE PRODUCT COULD LEAD TO CHILDREN BEING TARGETED BY A POTENTIALLY HARMFUL CONTACT; (XII) WHETHER THE ONLINE PRODUCT COULD ALLOW CHILD USERS TO WITNESS, PARTICIPATE IN, OR BE SUBJECT TO POTENTIALLY HARMFUL CONDUCT; (XIII) WHETHER THE ONLINE PRODUCT SHARES INFORMATION ON THE CHILD USER'S ACTIVITY ON SUCH PRODUCT WITH SUCH CHILD'S LEGAL PARENT OR GUARD- IAN; (XIV) OPPORTUNITIES FOR INDIVIDUALS DEVELOPING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS TO VOICE CONCERNS ABOUT SUCH PRODUCT BEFORE, DURING, AND AFTER DEVELOPMENT WITHOUT FEAR OF RETALIATION AGAINST SUCH INDIVIDUAL; (XV) WAYS IN WHICH AN ENTITY OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS SOLICITS FEEDBACK FROM CHILDREN, PARENTS, EDUCATORS, HEALTH PROFESSIONALS, YOUTH DEVELOPMENT PROFESSIONALS, AND THE GENERAL PUBLIC ON THE ONLINE PRODUCT; (XVI) WHETHER AND HOW CHILD USERS CAN LIMIT EXPOSURE TO CERTAIN TYPES OF CONTENT; (XVII) THE IMPACT OF THE ONLINE PRODUCT ON A CHILD USER'S BEHAVIORAL, EMOTIONAL, AND PHYSICAL HEALTH; AND S. 3281 6

(XVIII) ANY OTHER FACTORS THE BUREAU DEEMS RELEVANT TO ASSESS THE MATERIAL RISK OF THE ONLINE PRODUCT POSED TO CHILD USERS. (B) EACH ENTITY COMPLETING SUCH DATA PROTECTION IMPACT ASSESSMENT SHALL FURNISH SUCH ASSESSMENT TO THE BUREAU OF INTERNET AND TECHNOLOGY WITHIN FIVE DAYS OF RECEIVING A REQUEST FROM THE BUREAU FOR SUCH ASSESS- MENT. ANY POTENTIAL RISKS POSED BY THE ONLINE PRODUCT, INCLUDING RISKS OF NONCOMPLIANCE WITH ANY PROVISION OF THIS SECTION OR ANY OTHER LAW, WHICH ARE IDENTIFIED BY THE BUREAU SHALL BE COMMUNICATED BY THE BUREAU BACK TO THE ENTITY, WHICH SHALL THEN CREATE A PLAN TO MITIGATE OR ELIMI- NATE SUCH RISK. (C) THE BUREAU SHALL PROVIDE TECHNICAL, OPERATIONAL, AND LEGAL ASSIST- ANCE TO ENTITIES COMPLETING A DATA PROTECTION IMPACT ASSESSMENT UPON THE REQUEST OF THE ENTITY. THE BUREAU SHALL POST GUIDELINES FOR HOW TO COMPLETE A DATA PROTECTION IMPACT ASSESSMENT, INCLUDING BEST PRACTICES FOR HOW TO DESCRIBE DATA PROCESSING, HOW TO ENSURE DATA QUALITY AND MINIMIZATION, HOW TO PROVIDE PRIVACY INFORMATION TO CHILD USERS, HOW TO IDENTIFY AND ASSESS RISKS TO CHILD USERS, HOW TO IDENTIFY MEASURES TO MITIGATE SUCH RISKS, AND ANY OTHER PRACTICES THE BUREAU DEEMS RELEVANT IN ITS GUIDANCE. THE BUREAU SHALL POST SUCH GUIDELINES, ALONG WITH A MODEL DATA PROTECTION IMPACT ASSESSMENT TEMPLATE, ON A PUBLICLY ACCESSI- BLE WEBSITE. 3. BAN ON DATA COLLECTION AND DIGITAL ADVERTISING. (A) NO ENTITY OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL COLLECT, RETAIN, PROCESS, OR SELL THE PERSONAL DATA OF SUCH USERS UNLESS SUCH COLLECTION, RETENTION, PROCESSING, OR SALE IS NECESSARY TO PROVIDE SUCH ONLINE PRODUCT OR TO COMPLY WITH THE PROVISIONS OF THIS SECTION AND SUCH COLLECTION, PROCESSING, RETENTION, OR SALE IS LIMITED TO SUCH PURPOSE. ALTERNATIVELY, AN ENTITY OFFERING AN ONLINE PRODUCT MAY COLLECT, RETAIN, PROCESS, OR SELL THE PERSONAL DATA OF A CHILD USER IF IT CAN DEMONSTRATE TO THE BUREAU THAT IT HAS A COMPELLING REASON TO DO SO WHICH FURTHERS THE INTEREST OF THE CHILD. (B) NO ENTITY OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL USE TARGETED DIGITAL ADVERTISING UNLESS CONSENT FOR SUCH ADVERTISING IS OBTAINED FROM THE CHILD'S PARENT OR LEGAL GUARDIAN AND THE ENTITY CAN DEMONSTRATE TO THE BUREAU THAT IT HAS A COMPELLING REASON TO OFFER SUCH ADVERTISING WHICH FURTHERS THE INTEREST OF THE CHILD. (C) NO ENTITY OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE WHERE SUCH PRODUCT IS INTENDED PRIMARILY FOR EDUCATIONAL PURPOSES SHALL COLLECT, RETAIN, PROCESS, OR SELL THE PERSONAL DATA OF CHILD USERS. 4. REQUIREMENT FOR CERTAIN SETTINGS. (A) ALL ENTITIES OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL UTILIZE PRIVACY BY DEFAULT, UNLESS THE ENTITY CAN DEMONSTRATE A COMPELLING REASON TO THE BUREAU THAT AN ALTERNATIVE DEFAULT SETTING SHOULD BE USED. (B) ALL ENTITIES OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS MUST DESIGN AND ACTIVATE A FEATURE WHICH PROACTIVELY ALERTS CHILD USERS, IN A MANNER LIKELY TO BE UNDERSTOOD BY A CHILD IN THE AGE RANGE TARGETED BY THE ONLINE PRODUCT, WHEN THEIR PERSONAL DATA IS BEING COLLECTED AND FOR THE DURATION OF TIME SUCH COLLECTION OCCURS. (C) THE BUREAU SHALL HAVE THE DISCRETION TO BAN AUTO-PLAY, PUSH NOTIFICATIONS, PROMPTS, IN-APP PURCHASES, OR ANY OTHER FEATURE IN AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS THAT IT DEEMS TO BE DESIGNED TO INAPPROPRIATELY AMPLIFY THE LEVEL OF ENGAGEMENT A CHILD USER HAS WITH SUCH PRODUCT. S. 3281 7

1. DECEASED CHILD USERS. ALL ENTITIES OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL PROVIDE ACCESS TO SUCH USER'S ACCOUNT, METADATA, AND USER HISTORY TO A PARENT OR LEGAL GUARDIAN UPON THE DEATH OF SUCH CHILD USER AND REQUEST FROM SUCH PARENT OR GUARD- IAN FOR SUCH ACCESS.
2. LAW ENFORCEMENT. ALL ENTITIES OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL EXPEDITE AND PRIORITIZE CIVIL AND CRIMINAL SUBPOENAS AND CRIMINAL WARRANTS PERTAINING TO CHILD USERS WHO HAVE BEEN A VICTIM OF A CRIME WITH MAXIMUM EXIGENCE.
3. TERMS OF SERVICE. (A) ANY ENTITY OFFERING AN ONLINE PRODUCT TARGET- ED TOWARDS CHILD USERS IN THIS STATE SHALL PROMINENTLY DISPLAY A PRIVACY POLICY AND TERMS OF SERVICE, TO INCLUDE WARNINGS ABOUT POTENTIAL HARMS TO CHILD USERS, IN A MANNER WHICH CLEARLY AND CONCISELY COMMUNICATES TO A CHILD USER, USING LANGUAGE LIKELY TO BE UNDERSTOOD BY AN INDIVIDUAL IN THE AGE RANGE TARGETED BY SUCH PRODUCT. (B) ALL PRIVACY POLICIES AND TERMS OF SERVICE OF AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE MUST BE AGREED TO BY BOTH THE CHILD USER AND THE PARENT OR LEGAL GUARDIAN OF SUCH CHILD BEFORE SUCH PRODUCT CAN BECOME OPERATIONAL FOR THE CHILD USER. (C) ANY ENTITY OFFERING AN ONLINE PRODUCT TARGETED TOWARDS CHILD USERS IN THIS STATE SHALL CLEARLY POST THAT THE TERMS OF SERVICE DO NOT IMPOSE BINDING OBLIGATIONS ON THE CHILD USER TO THE ENTITY.
4. NOTIFICATION OF EMERGENT PROBLEMS. ANY ENTITY OFFERING AN ONLINE PRODUCT TARGETED TOWARD CHILD USERS IN THIS STATE SHALL CREATE AND PROM- INENTLY DISPLAY A METHOD FOR CHILDREN, PARENTS, AND LEGAL GUARDIANS TO NOTIFY SUCH ENTITY OF EMERGENT PROBLEMS WITH SUCH PRODUCT. SUCH METHOD OF NOTIFICATION SHALL NOT REQUIRE THE PARENT, GUARDIAN, OR CHILD USER TO HAVE AN ACCOUNT ON SUCH PRODUCT IN ORDER TO NOTIFY THE ENTITY. ALL ELEC- TRONIC NOTIFICATIONS OF EMERGENT PROBLEMS DESCRIBED IN THIS SUBDIVISION SHALL BE ASSIGNED AN IDENTIFICATION NUMBER AND CONTEMPORANEOUSLY GENER- ATE AN ELECTRONIC RECEIPT FOR THE NOTIFYING INDIVIDUAL.
5. PUBLIC AWARENESS CAMPAIGN. BEFORE THE EFFECTIVE DATE OF THIS SECTION AND ON A REGULAR, ONGOING BASIS, THE BUREAU SHALL EXECUTE A PUBLIC AWARENESS CAMPAIGN TO INFORM ENTITIES THAT CREATE DIGITAL PRODUCTS TARGETED TOWARDS CHILD USERS, PARENTS, TEACHERS, AND THE GENER- AL PUBLIC OF THE PROVISIONS OF THIS SECTION IN ORDER TO ENSURE MAXIMUM COMPLIANCE THEREOF. SUCH CAMPAIGN MAY INCLUDE DIGITAL CONTENT, BILL- BOARDS, POSTERS, PAMPHLETS, TARGETED MAILERS, PUBLIC SERVICE ANNOUNCE- MENTS, PARTNERSHIPS WITH LOCAL SCHOOL DISTRICTS, OR ANY OTHER METHOD TO INCREASE GENERAL AWARENESS OF THE PROVISIONS OF THIS SECTION.
6. ANNUAL REPORT. THE BUREAU OF INTERNET AND TECHNOLOGY SHALL PRODUCE AND TRANSMIT A BIENNIAL REPORT TO THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE GOVERNOR SUMMARIZING: (A) THE NUMBER OF ENTITIES COMPLETING DATA PROTECTION IMPACT ASSESS- MENTS AND THE RESULTS THEREOF; (B) THE AMOUNT AND TYPE OF CHILD USER DATA BEING COLLECTED, RETAINED, PROCESSED, AND/OR SOLD BY SUCH ENTITIES AND THE PURPOSE THEREOF; (C) THE VOLUME AND NATURE OF MATERIAL RISKS POSED TO CHILD USERS BY SUCH ONLINE PRODUCTS AND MEASURES TAKEN TO MITIGATE OR ELIMINATE SUCH RISK; (D) THE VOLUME OF NOTIFICATIONS OF EMERGENT PROBLEMS AND A CATEGORICAL DESCRIPTION OF EACH TYPE OF PROBLEM (I.E. MATERIAL THAT LED TO CHILD SEXUAL ABUSE OR GROOMING, INSTANCES OF SUICIDE OR DRUG OVERDOSE RELATED TO USE OF ONLINE PRODUCTS BY CHILD USERS, INSTANCES OF BULLYING FACILI- TATED BY ONLINE PRODUCTS); S. 3281 8

(E) A DESCRIPTION OF THE POLICIES AND TERMS OF SERVICE BEING PRESENTED TO CHILD USERS AND THEIR PARENTS OR LEGAL GUARDIANS AS WELL AS ACCEPT- ANCE AND DENIAL RATES OF SUCH POLICIES AND TERMS; (F) THE NUMBER OF INDIVIDUALS OR BUSINESSES FOUND TO BE IN NONCOMPLI- ANCE WITH THIS ACT PURSUANT TO SUBDIVISION ELEVEN OF THIS SECTION; (G) THE NUMBER OF INDIVIDUALS OR BUSINESSES THAT HAVE CURED VIOLATIONS OF THIS SECTION OF THEIR OWN ACCORD AFTER BEING ISSUED NOTICE OF SUCH VIOLATION BY THE BUREAU; (H) THE NUMBER OF ACTIONS BROUGHT AGAINST INDIVIDUALS OR BUSINESSES PURSUANT TO PARAGRAPH (A) OF SUBDIVISION ELEVEN OF THIS SECTION AND THE RESULTS OF SUCH ACTIONS; (I) A SUMMARY OF THE PUBLIC EDUCATION EFFORTS UNDERTAKEN BY THE BUREAU ON AN ONGOING BASIS TO ALERT THE PUBLIC AND INTERESTED STAKEHOLDERS OF THE PROVISIONS OF THIS SECTION, PURSUANT TO SUBDIVISION NINE OF THIS SECTION; AND (J) LEGISLATIVE RECOMMENDATIONS FOR IMPROVEMENTS TO THIS OR ANY OTHER STATUTE GOVERNING DIGITAL ACTORS IN THIS STATE. 11. PENALTIES. (A) WHENEVER THE ATTORNEY GENERAL SHALL BELIEVE FROM EVIDENCE SATISFACTORY TO HIM OR HER THAT THERE IS A VIOLATION OF THIS SECTION, HE OR SHE MAY BRING AN ACTION IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK, IN A COURT OF JUSTICE HAVING JURISDIC- TION TO ISSUE AN INJUNCTION, TO ENJOIN AND RESTRAIN THE CONTINUATION OF SUCH VIOLATION. WHEREVER THE COURT SHALL DETERMINE IN SUCH ACTION THAT A PERSON OR BUSINESS VIOLATED THIS ARTICLE KNOWINGLY OR RECKLESSLY, THE COURT MAY IMPOSE A CIVIL PENALTY OF UP TO TWENTY THOUSAND DOLLARS PER INSTANCE OF VIOLATION, PROVIDED THAT THE LATTER AMOUNT SHALL NOT EXCEED TWO HUNDRED FIFTY MILLION DOLLARS. (B) THE ATTORNEY GENERAL SHALL PROVIDE WRITTEN NOTICE TO ALL PEOPLE OR BUSINESSES OF ALLEGED VIOLATIONS AT LEAST NINETY DAYS BEFORE INITIATING ANY ACTION DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION. THE PERSON OR BUSINESS SHALL THEN HAVE AN OPPORTUNITY TO CURE ANY ALLEGED VIOLATION OF THIS SECTION WITHIN SUCH NINETY DAYS. IF SUCH ALLEGED VIOLATION HAS BEEN CURED, THE PERSON OR BUSINESS SHALL SEND WRITTEN NOTICE TO THE ATTORNEY GENERAL WHO SHALL THEN RETAIN DISCRETION AS TO WHETHER OR NOT TO PURSUE AN ACTION AGAINST SUCH PERSON OR BUSINESS. (C) THE PROCEEDS FROM PENALTIES COLLECTED FROM VIOLATIONS OF THIS SECTION, PURSUANT TO PARAGRAPH (A) OF THIS SUBDIVISION, SHALL BE DISBURSED AS FOLLOWS: (I) TWENTY PERCENT OF SUCH PROCEEDS SHALL BE DEDICATED TO THE PUBLIC AWARENESS CAMPAIGN DESCRIBED IN SUBDIVISION NINE OF THIS SECTION; AND (II) THE REMAINING EIGHTY PERCENT OF SUCH PROCEEDS SHALL BE DEDICATED TO THE ENFORCEMENT OF THIS SECTION BY THE BUREAU. (D) AN ACTION MAY BE BROUGHT AGAINST ANY PERSON OR BUSINESS WHO HAS KNOWINGLY OR RECKLESSLY VIOLATED THIS ARTICLE IF SUCH ACTION IS BROUGHT ON BEHALF OF A CHILD USER OR BY NEXT OF KIN OF A DECEASED CHILD USER ALLEGING HARM FROM SUCH VIOLATION. A PLAINTIFF WHO PREVAILS ON A CLAIM ALLEGING A VIOLATION OF THIS SECTION IS ENTITLED TO COMPENSATORY, ACTU- AL, AND PUNITIVE DAMAGES, INJUNCTIVE RELIEF, REASONABLE ATTORNEYS' FEES AND COSTS, AND OTHER SUCH REMEDIES AS A COURT MAY DEEM APPROPRIATE. § 5. This act shall take effect on the one hundred eightieth day after it shall have become a law and shall apply to all online products targeted towards child users in this state which are made available to the public on or after such effective date. Effective immediately, the addition, amendment and/or repeal of any rules or regulations necessary for the implementation of this act on its effective date are authorized to be made on or before such effective date.