
NY State Age-Appropriate Design Code Implications for US Platforms With New York Users

New York passed two pieces of legislation in 2024 directly targeting platforms with minor users. The First Amendment challenges are pending, but the operational obligations on platforms are real and immediate. I am going to walk through what compliance looks like.

New York's 2024 legislative session produced two pieces of legislation that materially affect US-based platforms with New York users: the New York Child Data Protection Act and the Stop Addictive Feeds Exploitation for Kids Act. The first regulates the collection and use of personal information of New York minors. The second restricts the deployment of algorithmically curated 'addictive' feeds to New York minors. Both went into effect in 2024 or 2025 with phased compliance dates.

The legislation is part of a broader state-level push to regulate platform conduct toward minors. California passed AB 2273 (the California Age-Appropriate Design Code Act), which has been the subject of significant First Amendment litigation in NetChoice LLC v. Bonta (Ninth Circuit). Other states have enacted parallel legislation. New York's approach is distinct in several respects, and the operational obligations imposed on platforms are not interchangeable with the California framework.

The New York Child Data Protection Act

The CDPA, codified in the New York General Business Law, restricts operators of websites or online services directed to minors (those under 18) from collecting personal information from minors without informed consent. The framework borrows substantially from COPPA at the federal level but extends the protection to minors aged 13 to 17 (COPPA covers only children under 13).

The CDPA's core obligations include: notice in clear and conspicuous terms of the platform's data collection practices with respect to minor users; informed consent prior to the processing of personal information of minor users for purposes outside what is reasonably necessary to operate the service; restrictions on the sale of personal information of minor users; restrictions on the use of minor user data for targeted advertising; and rights for minors and their parents or guardians to access, correct, and delete personal information collected from the minors.

The enforcement framework gives the New York Attorney General primary enforcement authority. The penalties are substantial: up to $5,000 per violation, with violations potentially counted on a per-user or per-incident basis. The Attorney General has also indicated, in published enforcement priorities, that platforms with documented compliance programs will be treated differently from platforms operating without operational controls.

The SAFE for Kids Act

The Stop Addictive Feeds Exploitation for Kids Act, codified at General Business Law section 1500 and following, restricts platforms from providing an 'addictive feed' to a New York minor without verified parental consent. An addictive feed is defined as a feed in which the order or selection of content is determined by an algorithm using information about the user other than the user's express selection. Standard non-algorithmic feeds, whether chronological or reverse-chronological, are not addictive feeds under this definition.

The Act's substantive restrictions: a platform that operates an addictive feed must verify whether the user is a New York minor; if so, the platform must obtain verified parental consent before providing the addictive feed to the minor user; the platform must default to a non-addictive feed for users who have not provided verified parental consent; the platform must restrict the times of day when addictive feeds are provided to minor users without express parental authorization.

The age-verification requirement is the most operationally demanding element. The Act requires platforms to verify whether users are minors with 'commercially reasonable' methods, but does not specify which methods qualify. The verification standards are the subject of regulatory development by the Attorney General and the State of New York's enforcement framework.

The First Amendment challenges

Both pieces of legislation have been challenged on First Amendment and Commerce Clause grounds. The NetChoice litigation against California's age-appropriate design code resulted in a preliminary injunction in 2023, with subsequent district court and Ninth Circuit decisions that have been pending appellate review. The New York legislation is similarly subject to challenge, though the New York statutes are not identical to the California framework and the specific First Amendment posture differs.

The constitutional analysis turns on several questions: whether the restrictions burden protected speech; whether the restrictions are subject to strict scrutiny or intermediate scrutiny; whether the restrictions are narrowly tailored to advance a compelling or substantial state interest; and whether the restrictions impermissibly burden interstate commerce. The case law continues to develop, with district court and appellate decisions in 2024-2026 that have refined the analysis without producing a fully settled framework.

For platforms, the constitutional uncertainty does not eliminate the operational compliance obligation. The legislation is in effect; preliminary injunctions in related challenges do not bind all platforms; and the enforcement risk for non-compliance during the pendency of litigation is real. The conservative position is to comply with the legislation while preserving the constitutional challenge in any specific enforcement action.

The operational compliance architecture

Compliance with the New York framework requires platforms to implement several operational capabilities.

First, age verification. The platform needs a method to determine whether a user is a New York minor. The available methods include self-identification, third-party age-verification services, account-history analysis, and inference from usage patterns. Each method has limitations. Self-identification is unreliable for minors who misrepresent their age. Third-party services impose cost and operational complexity. Inference-based methods have privacy implications. The platform needs to choose a method consistent with the 'commercially reasonable' standard while addressing the platform's specific user population.

Second, location determination. The platform needs to determine whether a user is in New York. The methods include IP address geolocation, billing address, declared location, and inference from usage patterns. The location determination interacts with the age determination: only New York minors trigger the specific obligations, and the platform's compliance posture depends on accurate identification of users who fall within the protected category.

Third, consent infrastructure. The platform needs a method to obtain and verify parental consent for protected categories of activity. The consent infrastructure must satisfy 'verified parental consent' requirements. The available methods include credit-card verification, government-ID verification, signed-form submission, and similar approaches consistent with the federal COPPA framework that New York's legislation borrows from.

Fourth, feed configuration. The platform needs to be able to deliver non-addictive feeds to users for whom parental consent has not been verified. The default-feed configuration may require engineering work for platforms whose entire product architecture has been built around algorithmically curated feeds.

Fifth, audit and recordkeeping. The platform needs to maintain records of the consent obtained, the age and location determinations made, and the feed configurations delivered. The records support the platform's compliance posture in any enforcement inquiry.

The contractual implications for upstream and downstream parties

The New York framework has implications for the contractual relationships among the platform and its upstream service providers and downstream advertisers.

Upstream service providers (including platforms that provide age-verification services, identity-verification services, and content-recommendation algorithms) face new requirements under the platform's compliance program. The platform may need contractual representations from these providers regarding the providers' methodologies, accuracy rates, and compliance with the relevant standards. The standard data processing addendum may need amendment to address the age-verification and minor-protection categories specifically.

Downstream advertisers and partners who receive data from the platform face restrictions on the use of that data when minors are involved. The platform's advertiser agreements may need amendment to restrict targeted-advertising use of minor data, to require advertiser compliance with the minor-protection framework, and to allocate liability for violations.

The cross-state coordination problem

Platforms operating across multiple states face the patchwork problem. California's age-appropriate design code, New York's CDPA and SAFE for Kids Act, Colorado's Privacy Act amendments addressing minors, Texas's recent platform legislation, and parallel frameworks in other states impose overlapping but not identical obligations.

The most workable compliance posture is to implement the most restrictive framework as the operational default, with state-specific variations where the differences are material. This is operationally expensive but reduces the risk of compliance failure in any particular jurisdiction. The alternative (state-specific compliance with the relevant framework for each user) is more efficient but more error-prone.

The federal-level response (the Kids Online Safety Act or similar federal legislation) has been repeatedly proposed but not enacted as of 2026. Federal preemption of the state frameworks would simplify the compliance landscape but is not on the immediate legislative horizon.

The Section 230 interaction

Section 230 of the Communications Decency Act has historically provided platforms with immunity from liability for user-generated content. The New York framework, like the California framework, regulates the platform's own conduct (data collection, feed curation, age verification) rather than the content posted by users. The Section 230 defense does not apply to the platform's own conduct in the same way it applies to user-posted content.

The case law on Section 230's application to algorithmic recommendation continues to develop. The Supreme Court's decision in Moody v. NetChoice LLC, 603 U.S. ___ (2024), addressed the First Amendment status of platform content moderation but did not directly resolve the Section 230 questions. The Ninth Circuit's decisions in Calise v. Meta Platforms Inc. and related matters have continued to refine the analysis of when Section 230 immunity applies to algorithmic decisions. Counsel should expect continued case law development in this area.

What I would not assume

The constitutional litigation against the New York framework is ongoing. The framework as currently written may be modified, narrowed, or partially enjoined as the litigation proceeds. Counsel advising platforms should treat the current framework as the operational reference point but should be prepared to adjust as the constitutional questions are resolved. The compliance moves I describe address the framework as written; they may need to be refined as enforcement guidance develops and as the constitutional litigation produces controlling precedent. The doctrinal status of platform regulation of minors is genuinely unsettled at the constitutional level; the practical compliance obligation is much more clearly defined. Outcomes in specific matters depend on the platform's user base, the platform's product architecture, and the enforcement environment.


Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Past matter outcomes depend on facts and the responding party; nothing here is a prediction of result.