The CDPPA: A Comprehensive Guide for Any Business That Collects or Uses Personal Data from Children in New York

The New York Child Privacy Law (CDPPA) is a comprehensive law that regulates the collection and use of personal data from children under the age of 17 in New York. This blog post provides a comprehensive overview of the CDPPA, including the key provisions, practical tips for businesses, and resources for further information and guidance on compliance.


Graham Settleman

8/18/2023, 14 min read


Introduction

The child privacy law in NY is the New York Child Data Privacy and Protection Act (CDPPA), which was signed into law by Governor Kathy Hochul on September 23, 2022. The CDPPA is modelled after the California Age-Appropriate Design Code Act (CADC), and it is one of the strictest child privacy laws in the United States.


The CDPPA applies to any entity that collects personal data from children under the age of 17 in New York. The law defines personal data as "information that identifies, relates to, describes, or is reasonably linkable to a particular child user."


The CDPPA prohibits entities from collecting or using personal data from children without parental consent. The law also requires entities to:

  • Conduct a data protection impact assessment (DPIA) to assess the risks to children's privacy before collecting or using their data.

  • Provide parents with clear and concise information about how their child's data is being collected and used.

  • Allow parents to access and delete their child's data.

  • Allow parents to opt out of targeted advertising to their child.

  • Prohibit the sale of personal data from children.


The CDPPA also gives parents the right to sue entities that violate the law. The law provides for civil penalties of up to $2,500 per violation, or up to $10,000 per violation for intentional or reckless violations.


The CDPPA is a significant step forward in protecting the privacy of children online. The law is comprehensive and covers a wide range of activities, and it provides parents with strong tools to protect their children's privacy. The CDPPA is expected to have a major impact on the way that companies collect and use data from children in New York.

How do I conduct a data protection impact assessment (DPIA) to assess the risks to children's privacy before collecting or using their data?

To conduct a data protection impact assessment (DPIA) to assess the risks to children's privacy before collecting or using their data, you can follow these steps:

  1. Identify the need for a DPIA. The first step is to determine if you need to conduct a DPIA. The CDPPA requires a DPIA if you are collecting or using personal data from children under the age of 17 in New York. However, you may also want to conduct a DPIA if you are collecting or using personal data from children in other jurisdictions, or if you are collecting or using data that is sensitive in nature.

  2. Describe the processing. The next step is to describe the processing of personal data that you are conducting. This includes the following information:

    • The types of personal data that you are collecting and using.

    • The purposes for which you are collecting and using the data.

    • The methods of processing the data.

    • The third parties to whom you are disclosing the data.

  3. Consider consultation. You should consider consulting with children and parents, as well as with experts in child development and privacy, to get their input on the risks to children's privacy posed by your processing activities.

  4. Assess necessity and proportionality. You should assess whether the processing of personal data is necessary and proportionate to the purposes for which it is being collected and used. This assessment should take into account the age of the children, the sensitivity of the data, and the risks to children's privacy.

  5. Identify and assess risks. You should identify and assess the risks to children's privacy posed by your processing activities. This includes the following risks:

    • The risk of identity theft.

    • The risk of financial fraud.

    • The risk of cyberbullying.

    • The risk of grooming.

    • The risk of exposure to harmful content.

  6. Identify measures to mitigate risks. You should identify measures to mitigate the risks to children's privacy posed by your processing activities. This may include the following measures:

    • Obtaining parental consent.

    • Providing clear and concise information to parents about how their child's data is being collected and used.

    • Giving parents the right to access and delete their child's data.

    • Giving parents the right to opt out of targeted advertising to their child.

    • Limiting the collection of personal data to what is necessary for the purposes for which it is being collected.

    • Using pseudonymization or encryption to protect personal data.

  7. Sign off and record outcomes. You should sign off on the DPIA and record the outcomes of the assessment. This will help you to document your compliance with the CDPPA.

  8. Integrate outcomes into your project plan. You should integrate the outcomes of the DPIA into your project plan. This will help you to ensure that you are taking steps to mitigate the risks to children's privacy from your processing activities.

  9. Keep your DPIA under review. You should keep your DPIA under review on a regular basis. This will help you to ensure that your assessment of the risks to children's privacy is accurate and up-to-date.


By following these steps, you can conduct a data protection impact assessment (DPIA) to assess the risks to children's privacy before collecting or using their data. This will help you to comply with the CDPPA and protect the privacy of children online.

How do I provide parents with clear and concise information about how their child's data is being collected and used?

To provide parents with clear and concise information about how their child's data is being collected and used, you can follow these steps:

  1. Use plain language. The information you provide to parents should be written in plain language that is easy to understand. Avoid using jargon or technical terms that parents may not understand.

  2. Be specific. The information you provide should be specific and detailed. Don't just say that you collect "personal data" from children. Instead, list the specific types of personal data that you collect, such as name, address, phone number, email address, and birthdate.

  3. Explain the purposes for which you collect and use data. Parents should understand why you are collecting and using their child's data. Be clear about the purposes for which you collect and use data, and be sure to explain how the data will be used.

  4. Describe how you share data. Parents should know who you share their child's data with. Be sure to list all of the third parties with whom you share data, and explain how the data will be shared with those parties.

  5. Give parents the right to access and delete data. Parents should have the right to access and delete their child's data. Be sure to explain how parents can exercise this right.

  6. Give parents the right to opt out of targeted advertising. Parents should have the right to opt out of targeted advertising. Be sure to explain how parents can exercise this right.

  7. Make the information easy to find. The information you provide to parents should be easy to find. Be sure to post the information on your website in a prominent location, and be sure to include a link to the information in your privacy policy.


By following these steps, you can provide parents with clear and concise information about how their child's data is being collected and used. This will help you to comply with the CDPPA and protect the privacy of children online.


Here are some additional tips for providing clear and concise information to parents about how their child's data is being collected and used:

  • Use visuals to help explain the information. For example, you could create a diagram that shows how your company collects, uses, and shares data.

  • Use simple language that is easy for parents to understand. Avoid using jargon or technical terms.

  • Be specific about the types of data that you collect and the purposes for which you use it.

  • Explain how parents can exercise their rights to access and delete their child's data, and to opt out of targeted advertising.

  • Make the information easy to find. Post the information on your website in a prominent location, and be sure to include a link to the information in your privacy policy.


By following these tips, you can provide parents with the information they need to make informed decisions about their child's privacy.

How do I allow parents to access and delete their child's data?

To allow parents to access and delete their child's data, you can follow these steps:

  1. Create a process for parents to request access to their child's data. The process should be easy to follow and should be available on your website or in your privacy policy.

  2. Provide parents with a way to verify their identity. This may involve asking parents to provide their child's name, birthdate, and email address.

  3. Respond to parental requests promptly. Once you have verified a parent's identity, you should respond to their request within a reasonable timeframe.

  4. Provide parents with access to all of their child's data. This includes data that you have collected directly from the child, as well as data that you have collected from third parties.

  5. Allow parents to delete their child's data. Parents should be able to delete all of their child's data at any time.

  6. Keep a record of all parental requests. This will help you to document your compliance with the CDPPA.


By following these steps, you can allow parents to access and delete their child's data. This will help you to comply with the CDPPA and protect the privacy of children online.


Here are some additional tips for allowing parents to access and delete their child's data:

  • Make the process for requesting access and deletion easy to follow. Parents should be able to do it without having to contact customer support.

  • Provide parents with a variety of ways to verify their identity. This may involve asking parents to provide their child's name, birthdate, email address, and a password.

  • Respond to parental requests promptly. Parents should not have to wait more than a few days to get a response to their request.

  • Provide parents with a copy of all of their child's data. This will allow parents to review the data and make sure that it is accurate.

  • Allow parents to delete their child's data permanently. The data should not be recoverable after it has been deleted.

  • Keep a record of all parental requests. This will help you to document your compliance with the CDPPA.


By following these tips, you can make it easy for parents to access and delete their child's data. This will help you to comply with the CDPPA and protect the privacy of children online.

How do I allow parents to opt out of targeted advertising to their child?

To allow parents to opt out of targeted advertising to their child, you can follow these steps:

  1. Create a process for parents to opt out of targeted advertising. The process should be easy to follow and should be available on your website or in your privacy policy.

  2. Provide parents with a way to verify their identity. This may involve asking parents to provide their child's name, birthdate, and email address.

  3. Respond to parental requests promptly. Once you have verified a parent's identity, you should respond to their request within a reasonable timeframe.

  4. Allow parents to opt out of targeted advertising. Parents should be able to opt out of targeted advertising at any time.

  5. Keep a record of all parental requests. This will help you to document your compliance with the CDPPA.


By following these steps, you can allow parents to opt out of targeted advertising to their child. This will help you to comply with the CDPPA and protect the privacy of children online.


Here are some additional tips for allowing parents to opt out of targeted advertising:

  • Make the process for opting out easy to follow. Parents should be able to do it without having to contact customer support.

  • Provide parents with a variety of ways to verify their identity. This may involve asking parents to provide their child's name, birthdate, email address, and a password.

  • Respond to parental requests promptly. Parents should not have to wait more than a few days to get a response to their request.

  • Allow parents to opt out of targeted advertising permanently. Once a parent has opted out, their child should not receive targeted advertising from your company again.

  • Keep a record of all parental requests. This will help you to document your compliance with the CDPPA.


By following these tips, you can make it easy for parents to opt out of targeted advertising. This will help you to comply with the CDPPA and protect the privacy of children online.


In addition to the steps listed above, you may also want to consider the following:

  • Use clear and concise language when explaining how targeted advertising works. Parents should understand how their child's data is being used to target them with ads.

  • Provide parents with information about the types of ads that their child may see. Parents should be able to make informed decisions about whether or not they want their child to see certain types of ads.

  • Give parents the option to choose which categories of ads they want their child to see. This will give parents more control over the types of ads that their child is exposed to.

  • Work with ad networks to ensure that their ads are compliant with the CDPPA. Ad networks should not collect or use personal data from children without parental consent.


By taking these steps, you can help to ensure that parents are informed about targeted advertising and that their children are protected from harmful or inappropriate ads.

How do I prohibit the sale of personal data from children?

To prohibit the sale of personal data from children, you can follow these steps:

  1. Do not sell personal data from children. This is the most important step. You should not sell personal data from children, regardless of whether or not they have parental consent.

  2. Make it clear to parents that you will not sell their child's data. This should be included in your privacy policy and in any other materials that you provide to parents.

  3. Put in place technical and organisational measures to prevent the sale of personal data from children. This may involve using encryption, pseudonymization, and other techniques to protect children's data.

  4. Have a process for reporting and investigating suspected violations of the CDPPA. This will help you to identify and address any instances where personal data from children may have been sold in violation of the law.

  5. Be transparent about your data collection and use practices. Parents should be able to understand how their child's data is being collected, used, and shared.

  6. Get parental consent before collecting or using personal data from children. This is required by the CDPPA.

  7. Give parents the right to access and delete their child's data. This is also required by the CDPPA.


By following these steps, you can help to ensure that you are complying with the CDPPA and protecting the privacy of children online.


Here are some additional tips for prohibiting the sale of personal data from children:

  • Be aware of the different ways that personal data can be sold. Personal data can be sold directly, or it can be sold indirectly through the sale of a company or product.

  • Monitor your data collection and use practices carefully. Make sure that you are not collecting or using personal data from children without parental consent.

  • Have a process for responding to parental requests for access to and deletion of their child's data. This process should be easy to follow and should be available on your website or in your privacy policy.

  • Work with your legal counsel to ensure that you are complying with the CDPPA. The CDPPA is a complex law, and it is important to get legal advice if you are unsure about how to comply with it.

By following these tips, you can help to ensure that you are prohibiting the sale of personal data from children and complying with the CDPPA.

What types of businesses are most likely to be affected by the New York Child Data Privacy and Protection Act (CDPPA)?

Businesses that are most likely to need information about the child privacy law in NY are those that collect or use personal data from children under the age of 17 in New York. This includes businesses that operate online games, social media platforms, educational apps, and other services that are popular with children.


Here are some specific examples of businesses that are likely to need this information:

  • Online gaming companies. Online gaming companies collect a lot of personal data from children, such as their names, email addresses, and birthdates. This data is used to create user accounts, track progress, and match players with other players.

  • Social media platforms. Social media platforms also collect a lot of personal data from children, such as their names, email addresses, photos, and interests. This data is used to create profiles, target ads, and connect with friends.

  • Educational apps. Educational apps collect a lot of personal data from children, such as their names, grades, and test scores. This data is used to personalise the learning experience, track progress, and provide feedback.

  • Toy companies. Toy companies that sell online may collect personal data from children, such as their names, email addresses, and shipping addresses. This data is used to process orders, send marketing materials, and provide customer service.


These are just a few examples of businesses that are likely to need information about the child privacy law in NY. If you are a business that collects or uses personal data from children under the age of 17 in New York, it is important to understand your obligations under the law and to take steps to comply with it.

Are there any local businesses or nonprofit organisations that might need this information as well?

Yes, there are many local businesses and nonprofit organisations that might need information about the child privacy law in NY. This includes businesses and organisations that:

  • operate websites or mobile apps that are popular with children;

  • collect or use personal data from children in the course of their activities;

  • offer services or products to children;

  • have a physical presence in New York.


Here are some specific examples of local businesses and nonprofit organisations that might need this information:

  • Local libraries. Libraries often collect personal data from children, such as their names, email addresses, and library card numbers. This data is used to create accounts, track borrowing history, and provide personalised services.

  • YMCAs. YMCAs often collect personal data from children, such as their names, email addresses, and medical information. This data is used to create profiles, track progress, and provide services.

  • Boys and Girls Clubs. Boys and Girls Clubs also collect personal data from children, such as their names, email addresses, and interests. This data is used to create profiles, track progress, and provide services.

  • Afterschool programs. Afterschool programs often collect personal data from children, such as their names, email addresses, and transportation information. This data is used to create profiles, track attendance, and provide transportation.

  • Museums. Museums often collect personal data from children, such as their names, email addresses, and ticket information. This data is used to create accounts, track visits, and provide personalised services.


These are just a few examples of local businesses and nonprofit organisations that might need information about the child privacy law in NY. If you are a business or organisation that collects or uses personal data from children in New York, it is important to understand your obligations under the law and to take steps to comply with it.

What about churches?

Churches are also considered local businesses and nonprofit organisations that might need information about the child privacy law in NY. This is because churches often collect personal data from children, such as their names, email addresses, and religious affiliation. This data is used to create profiles, track attendance, and provide services.


If you are a church that collects or uses personal data from children in New York, it is important to understand your obligations under the law and to take steps to comply with it. This includes:

  • Obtaining parental consent before collecting or using personal data from children.

  • Providing parents with clear and concise information about how their child's data is being collected and used.

  • Giving parents the right to access and delete their child's data.

  • Prohibiting the sale of personal data from children.

  • Taking steps to protect children's data from unauthorised access, use, or disclosure.


By following these steps, you can help to ensure that you are complying with the child privacy law in NY and protecting the privacy of children in your church.


Here are some additional tips for churches that collect or use personal data from children:

  • Be transparent about your data collection and use practices. Parents should be able to understand how their child's data is being collected, used, and shared.

  • Use clear and concise language when communicating with parents about data collection and use. Parents should not have to read through legal jargon to understand what you are doing with their child's data.

  • Have a process for responding to parental requests for access to and deletion of their child's data. This process should be easy to follow and should be available on your website or in your privacy policy.

  • Work with your legal counsel to ensure that you are complying with the child privacy law in NY. The child privacy law is a complex law, and it is important to get legal advice if you are unsure about how to comply with it.


By following these tips, you can help to ensure that you are protecting the privacy of children in your church.
