On May 19, 2025, New York’s Office of the Attorney General (“OAG”) published new guidance on the New York Child Data Protection Act (the “Act”), which becomes effective on June 20, 2025.  As we reported last summer, the OAG released an Advanced Notice of Proposed Rulemaking addressing the Act on August 1, 2024.  The OAG has yet to release a full Notice of Proposed Rulemaking, which would be the next step in the process of developing a final rule implementing the Act’s rulemaking provisions.  Until the rules are finalized, the guidance suggests that the OAG will exercise discretion in its enforcement of the Act and consider good-faith efforts to comply with the statute.  Informal guidance is not legally binding, but provides some additional context on how the OAG might prioritize enforcement of the Act.  For a broader description of the Act’s provisions, see our previous reporting linked above. Some key elements from the guidance are listed below. 

  • Complying with COPPA will be deemed compliance with the Act.  The guidance clarifies that operators that comply with COPPA also will be considered compliant with the Act.
  • Age flags.  The Act includes certain requirements related to covered operators’ ingestion of device-based “age flags.”  The guidance recognizes that processing of age flags is a complex issue that implicates “potential nuances related to when and how an operator can rely on a communication or signal from a user’s device about a user’s status as a covered user.”  It also states that until the OAG promulgates rules clarifying operators’ responsibilities with respect to age flags, the OAG “will exercise discretion in pursuing enforcement action on this provision, so long as operators otherwise exhibit good-faith efforts to comply with all other provisions of [the Act] consistent with this guidance.”
  • Scope of the term “primarily directed to minors.”  The Act’s requirements apply if (a) the operator of a website, service, application, or connected device knows the particular user is under 18 or (b) the website, service, application, or connected device is “primarily directed to minors.”  The guidance suggests that this “primarily directed to minors” standard is narrower than the Children’s Online Privacy Protection Act’s (“COPPA”) “directed to children” standard, and that it “provides some additional flexibility to operators as compared to the standard under COPPA for younger children.”  The guidance recognizes many online services may be used by teens without being “primarily directed” to that audience. 
  • “Strictly necessary” processing.  In general, the Act requires that an operator obtain a minor’s “informed consent” before processing personal data, except where such processing is “strictly necessary” for a permitted purpose under the Act.  The guidance elaborates at some length on one of the permitted purposes: “providing or maintaining a specific product or service requested by the covered user.”  It explains, for example, when tracking is strictly necessary.
  • Parental requests.  The guidance confirms that the Act does not disturb existing legal frameworks that allow parents to “enter into agreements for particular products or services on behalf of their children.”  The Act does not require an operator to obtain the child’s consent in such circumstances where data processing is strictly necessary to provide the product or service requested by the parent.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Jenna Zhang

Jenna Zhang advises clients across industries on data privacy, cybersecurity, and emerging technologies. 

Jenna partners with clients to ensure their compliance with the rapidly evolving federal and state privacy and cybersecurity laws. She supports clients in designing new products and services, drafting privacy notices and terms of use, responding to cyber and data security incidents, and evaluating privacy and cybersecurity risks in corporate transactions. In particular, she advises clients on substantive requirements relating to children’s and student privacy, including COPPA, FERPA, age-appropriate design code laws, and social media laws.

As part of her practice, Jenna regularly represents clients in data privacy investigations and enforcement actions brought by the Federal Trade Commission and state attorneys general. She also supports clients in proactive engagement with regulators and policymakers to ensure their perspectives are heard.

Jenna also maintains an active pro bono practice with a focus on supporting families in adoptions, guardianships, and immigration matters.

John Bowers

John Bowers is an associate in the firm’s Washington, DC office. He is a member of the Data Privacy and Cybersecurity Practice Group and the Technology and Communications Regulation Practice Group.

John advises clients on a wide range of privacy and communications issues, including compliance with telecommunications regulations and U.S. state and federal privacy laws.