Everything You Need To Know About The New York Privacy Act

Key Takeaways

  • The New York Privacy Act (NYPA) is back in 2025, but still hasn’t passed into law.
  • A competing bill, the Data Protection Act (A974), brings a stricter, more prescriptive model.
  • The Child Data Protection Act takes effect June 20, 2025, and applies to all users under 18.
  • New AG guidance says data use must match what a reasonable minor user would expect.

June 2025 Legislative Update: New York 

New York continues to be one of the most active battlegrounds for state privacy legislation in the U.S., and 2025 is no exception. While the long-debated New York Privacy Act (NYPA) still hasn’t crossed the finish line, several significant developments have reshaped the state’s privacy landscape, and more may be on the way.

NYPA Reintroduced, But Lacks a Clear Champion

The NYPA was reintroduced in 2025 as companion bills A4947 (Assembly) and S3044 (Senate), retaining the core consumer protections of the original 2023 proposal: data minimization, opt-in consent for sensitive data, and strict accountability for data brokers. Notably, the 2025 version introduces clearer language on de-identification, controller obligations, and data transparency.

However, the political landscape has shifted. Senator Kevin Thomas, who spearheaded the NYPA in previous sessions, is no longer in office, leaving the bill without its longtime champion. While both A4947 and S3044 are currently under committee review, there is still no unified proposal drawing broad legislative support, and competing privacy frameworks continue to surface.

Other 2025 Privacy Bills: A Crowded Field

In addition to the reintroduced NYPA, Assembly Bill A974, known as the New York Data Protection Act, was filed this year. It takes a different approach, resembling the Washington Privacy Act but with uniquely detailed provisions around data broker registration. While A974 offers an alternative model, its heavy prescriptiveness may slow momentum.

[Figure: New York privacy law comparison]

The Child Data Protection Act Is Now Law in NY

While broader consumer privacy laws remain in legislative limbo, New York has successfully passed landmark legislation protecting minors online. The New York Child Data Protection Act (S7695) was signed into law in June 2025 and takes effect on June 20, 2025. It restricts how online platforms collect and use data from anyone under 18.

In tandem, the Attorney General issued implementation guidance clarifying how the law’s “strictly necessary” data minimization standard will be interpreted. Key takeaways include:

  • Data collection must align with the reasonable expectations of a minor, even though this wasn’t spelled out in the statute.
  • Customer support and basic tracking (like budgeting tools) are examples that likely meet the standard.
  • Behavioral advertising and personalization, even if considered core to a service, are not considered “strictly necessary” under this law.
  • The law also introduces the concept of “age flags”, signals indicating a user’s age, that platforms must honor, with rulemaking still in progress.

Businesses serving minors in New York should act swiftly to update age verification, consent management, and data collection practices. While the AG has promised some enforcement discretion, good faith compliance efforts are now critical.

[Figure: New York privacy law timeline]

2023 New York Privacy Legislation Update

Finding a balance between the need to handle personal information and protecting the privacy of individuals can be challenging. Privacy is a significant element of freedom, “to be secure… against unreasonable searches and seizures” (according to the Fourth Amendment). Privacy laws hold accountable those who steal or misuse data, and are necessary to protect privacy rights. These laws drive stronger industry standards and prioritize privacy over other objectives. 

The familiarity and comfort of tailor-made online experiences, and the sheer convenience of having our devices anticipate our every move, take on a slightly darker twist with the popular belief that “Big Tech” is trying to exploit our personal data and that various governments are trying to keep tabs on us. Whether or not this is the case, data protection acts are taking action to help us regain our privacy and control over our information.

NYPA is a comprehensive consumer privacy law that aims to protect the privacy of the citizens of New York by empowering them to exercise greater control over their personal information and by holding businesses accountable.

The New York Privacy Act, advocated by Senator Kevin Thomas (D-Nassau County), passed in the New York State Senate after its third reading on June 8, 2023, and was delivered to the New York State Assembly. 

The 2023 bill is titled Senate Bill 365A and includes some notable provisions. We’ll review some of them below.

Key Takeaways From the New York Privacy Act

The proposed measures aim to empower consumers with greater control over their privacy and enhance accountability in data processing practices. The key provisions include:

  1. Mandatory Consent: Companies would be obligated to obtain explicit consent from consumers before processing their personal data. This requirement ensures that individuals have the choice and awareness regarding the use of their information.
  2. Transparency and Accountability: The legislation would establish robust transparency and accountability standards for businesses that handle substantial amounts of personal data. This ensures that companies are transparent about their data collection and processing practices, and are accountable for how they handle consumer information.
  3. Oversight of Data Brokers: The Office of the Attorney General would be granted authority to conduct oversight of data brokers. These are entities that collect personal information about consumers and sell that data to other controllers or third parties. This oversight ensures that data brokers adhere to privacy regulations and responsibly handle consumers’ personal information.

Who does it apply to?

The details are yet to be determined, but the NY personal privacy protection law will apply to entities conducting business in New York and possibly to those handling personal data of New York residents.

The projected criteria for the application of NYPA are said to be:

  • If your yearly gross revenue is over $25,000,000.
  • If you control the data of a minimum of 100,000 New Yorkers.
  • If you control the data of a minimum of 500,000 people in general, with 10,000 that are New York residents.
  • If you derive 50% or more of your gross revenue from the selling of personal data.

Targeted advertising and data sellers are not the only ones who need to take heed of the upcoming laws and regulations to ensure they won’t be in violation and open to penalties. Any business or company that processes, stores, handles or uses personal information of any kind will need to adhere to these laws. 

As the global market becomes more and more interconnected, businesses around the world will need to take into account the NYPA if they want New York’s residents to use their websites or services. 

Government bodies that process or store data for reasons other than sales are exempt from the NYPA, as are data maintained for employment purposes, protected health information, and data collected for research on human subjects. These exemptions will need to be examined in greater detail when the final version of NYPA is released.

The Latest in New York Privacy: Child Data Protection and SAFE for Kids Act

While the NYPA remains stuck in legislative limbo, New York has taken a different route to strengthen privacy protections—this time with a focus on children. Two newly passed bills, the New York Child Data Protection Act (S7695) and the SAFE for Kids Act (S7694), are now awaiting Governor Kathy Hochul’s signature. Together, these bills represent a significant push to protect minors online.

Here’s an overview of these developments and what they could mean for businesses and consumers.

The New York Child Data Protection Act (S7695)

This act is aimed squarely at operators of websites, online services, and applications that collect personal data from minors under 18. It introduces strict rules to ensure minors’ data is handled responsibly:

  • Operators must obtain parental consent for users under 13 and informed consent for users aged 13-17, unless the data is necessary for limited purposes like fraud prevention or compliance with the law.
  • Businesses will be required to delete data of minors within 30 days of learning their age unless specific exceptions apply.
  • The sale or purchase of minors’ personal data will be outright prohibited.
  • Contracts with third-party vendors must reflect the new rules governing minors’ data.

If signed, this law will take effect one year after its passage. For businesses, that means a ticking clock to overhaul policies and systems to comply with these strict standards.

The SAFE for Kids Act (S7694)

While the Child Data Protection Act focuses on data collection, the SAFE for Kids Act takes aim at the addictive nature of social media platforms. It regulates services that use algorithms to prioritize content based on user data and imposes specific obligations on platforms offering “addictive feeds.”

Under the SAFE for Kids Act:

  • Platforms must verify that users are not minors or secure parental consent before delivering addictive feeds.
  • Notifications to minors are restricted between 12 a.m. and 6 a.m. ET unless parents explicitly allow them.

This act has a faster timeline, taking effect 180 days after the Attorney General establishes the rules for implementation. Businesses that rely on algorithm-driven content delivery will need to make swift adjustments.

Implications for Businesses

If these bills become law, businesses operating in New York will face significant compliance challenges. To prepare, companies should focus on:

  1. Implementing Age Verification: Adopting methods to confirm users’ ages accurately.
  2. Revising Data Policies: Aligning data collection, processing, and deletion practices with these new requirements.
  3. Updating Contracts: Ensuring agreements with third-party vendors handling minors’ data comply with the law.
  4. Limiting Notifications: Redesigning notification systems for social media platforms to avoid violations.

Stakeholder Reactions

These bills have received mixed responses. Governor Kathy Hochul has endorsed them as essential to protecting children in an increasingly digital world. On the other hand, groups like NetChoice, an internet trade association, have criticized the bills as unconstitutional. NetChoice has likened these measures to California’s controversial Age-Appropriate Design Code Act, which is already the subject of legal battles.

Unique Aspects of NYPA versus Other Privacy Laws

NYPA has been noted to surpass its contemporaries, like the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), in its stringency. It is more specific than the CCPA, which has received criticism for being impractical due to its breadth and very general terms. Yet it is less broad than the GDPR.

There are plenty of common factors between the New York Privacy Act and other more established privacy laws, like Europe’s GDPR, including lawful processing, consent, and individual rights, to name a few.

NYPA requires companies to name the third parties with whom they do business, in order to provide full transparency to consumers. The New York Privacy Act also refers to data fiduciary responsibilities. This can be compared to the GDPR’s Data Controller, the one who decides the purpose and process for handling personal data.

Yet unlike most other famous privacy laws, the NYPA does not include a category of “sensitive data” that usually requires many of its own unique controls and handling laws.  

What happens if you don’t comply?

As is the case with the vast majority of privacy laws, failure to comply will lead to fines and penalties that can be financially crippling, or at least significant. Relative to laws like the GDPR, the penalties for non-compliance with NYPA are more modest, namely up to $15,000 per violation. This may at first sound moderate, but we will need to establish what constitutes a single violation; it may well add up.

Steps to The New York Privacy Act Compliance

As with all privacy laws, the best place to start is by knowing where your company touches personal data and evaluating the flow of data from inception through the completion of your service or business. Take into account not only the networks and systems within your organization, but also the vendors with whom you do business. Do they receive personal data from you? Are your compliance demands incorporated into your SLAs (Service Level Agreements)? Use vendor risk assessments to ensure your vendors will not be the downfall of your compliance.

Create a privacy notice for your customers. Scope your organization to know where personal information is to be found and ensure all aspects are covered in the privacy notice, including the rights mentioned above.

Consider using an automated risk and compliance management platform that will prepare your organization for compliance with all of the major privacy laws. Schedule a demo to see how Centraleyes’ cutting-edge compliance tools will boost your company’s compliance with the upcoming NYPA privacy regulations.


Frequently Asked Questions About NYPA and Related Privacy Laws

Is the New York Privacy Act (NYPA) officially the law in June 2025?

Answer: Not yet. The NYPA was reintroduced in 2025 as bills A4947 and S3044, and it passed a key Senate committee vote in May. But it still hasn’t cleared both chambers or reached the governor’s desk. That means it’s not enforceable, yet.

Is there any sign that NYPA might actually pass this year?

Answer: It’s possible, but uncertain. Without Senator Kevin Thomas, who previously championed the bill, the NYPA lacks a strong legislative driver. Still, it’s moving through committees, and with other states like Pennsylvania advancing their own laws, pressure is growing for New York to act. If momentum continues and the Assembly unites around a framework, 2025 could be the year it breaks through.

Who would the NYPA apply to?

Answer: If passed, NYPA would apply to businesses that:

  • Generate over $25 million in annual revenue, or
  • Handle data on 100,000+ New Yorkers, or
  • Make 50% or more of revenue from selling personal data.

So, it’s not just targeted at tech giants; any company handling significant consumer data in New York may be affected.

What’s the difference between the Child Data Protection Act and the SAFE for Kids Act?

Answer: They’re separate laws passed together, and they address different privacy risks:

| Act | What it Regulates | Key Focus |
| --- | --- | --- |
| Child Data Protection Act (S7695) | How data is collected and processed for users under 18 | Consent, data minimization, age flags, and data sales |
| SAFE for Kids Act (S7694) | How online platforms deliver content to minors | Algorithmic feeds, push notifications, and platform design |

If my company already follows COPPA, am I compliant with New York’s Child Privacy Law?

Answer: COPPA covers users under 13 and sets rules for parental consent. The New York law extends protections up to age 18. That means for teens aged 13–17, you’ll need informed consent or a clear, strictly necessary purpose. So, COPPA compliance is a good start, but not enough on its own.

*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Yehuda Raz. Read the original post at: https://www.centraleyes.com/everything-you-need-to-know-about-the-new-york-privacy-act-2021/