N.Y.
General Business Law Section 1540
Privacy by default and parental approvals
1.
(a) The attorney general may promulgate rules and regulations identifying methods for reasonable and technically feasible age assurance, which may consider the size, financial resources, and technical capabilities of covered platforms, the costs and effectiveness of available age determination techniques for users of such platforms, the audience of such platforms, and prevalent practices of the industry of the operator. Such rules or regulations may also identify the appropriate levels of accuracy that would be considered reasonable for operators to achieve in determining whether a user is a covered minor. Such rules or regulations may specify that information collected under this article shall not be used for any purpose other than age assurance and shall be deleted immediately after an attempt to determine a user’s age, except where necessary for compliance with any applicable provisions of New York state or federal law or rule or regulation.(b)
Until such time as the rules or regulations referenced in paragraph (a) of this subdivision may have been promulgated and are in effect, an operator shall use age assurance methods that meet the requirements of article 45 (Safe For Kids Act)article forty-five of this chapter and its implementing rules or regulations, as amended, except that for purposes of this article, an operator may not use self-declaration of age or minor status to determine whether a covered user is a covered minor.(c)
To the extent rules or regulations referenced in paragraph (a) of this subdivision are not in effect and rules or regulations referenced in paragraph (b) of this subdivision regarding age assurance methods promulgated pursuant to article 45 (Safe For Kids Act)article forty-five of this chapter are not in effect, an operator shall rely on a determination of a covered user’s age made using a reasonable age assurance method that meets the following requirements:(i)
such age assurance method shall reasonably guard against circumvention and reasonably minimize the retention of information collected for age assurance purposes;(ii)
an operator may not use self-declaration of age or minor status to determine whether a covered user is a covered minor; and(iii)
an operator must make available more than one age assurance method to covered users, including at least one method that either does not rely on government issued identification or that allows a covered user to maintain anonymity as to the operator.2.
An operator may not offer or make available to a covered user the feature of communicating privately with a user within the covered platform or through platform integration, viewing the full profile of a user, responding to or downloading media created or posted by a user, tagging a user in posted media or viewing the geographic location information of a user, unless the operator has conducted age assurance to determine whether a covered user is a covered minor.3.
For all users determined by an operator to be a covered minor, such operator shall utilize the following settings by default for covered minors, which shall ensure that no user age eighteen or older who is not already connected to a covered minor may:(a)
communicate privately with such covered minor within the covered platform or through platform integration;(b)
view the full profile of such covered minor;(c)
respond to or download media created or posted by such covered minor;(d)
tag such covered minor in posted media; or(e)
view the geographic location information, where such information is derived from or captured by device or network signals, including but not limited to global position system, IP address or Wi-Fi positioning, of such covered minor.4.
If an operator provides a mechanism on the covered platform to suggest or recommend the profile of a user to another user to connect with, an operator may not suggest or recommend the profile of a covered minor to another user age eighteen or older who is not already connected to such covered minor. This subdivision shall not apply to profile suggestions or recommendations that are made as a result of a covered minor or other user syncing contacts with a covered platform. 4-a. Nothing in this subdivision is intended to prohibit actions reasonably necessary for platform safety, abuse prevention, customer support, legal compliance or emergency response, as may be further defined in rules or regulations promulgated by the attorney general.5.
(a) A parent of a covered minor may override the default privacy settings provided in subdivisions three and four of this section at such parent’s discretion. An operator shall allow a parent to override or maintain each setting provided in subdivision three of this section separately.(b)
An operator shall notify a parent of a covered minor whenever such covered minor requests that the operator obtain approval from a covered minor’s parent to consent to change a default setting provided in subdivision three or four of this section. Such notice shall include a statement that informs the parent that they are changing a default setting required under New York law. The parent may then either provide or withhold such consent to the request to change the settings for such minor, provided there is separate consent provided for each request by a covered minor.6.
A request by a user to connect with a covered minor may be sent simultaneously with a request by such user to communicate privately with such covered minor and a request by a covered minor to connect with a user may be sent simultaneously with a request by such covered minor to communicate privately with such user, provided, however, that no such private communication may be returned or responded to, until the connection has been approved and/or any parental consent required by subdivision eight of this section has been provided.7.
(a) An operator may not offer or make available to a covered user the use or access of an integrated AI companion, unless the operator has conducted age assurance to determine whether a covered user is a covered minor.(b)
An operator shall, by default, disable the access or use of any integrated AI companion for any covered minor.(c)
A parent of a covered minor may override the default disabled access or use of an integrated AI companion, provided in paragraph (b) of this subdivision, at such parent’s discretion. An operator shall allow a parent to override or maintain the setting provided for in paragraph (b) of this subdivision separately from any other mechanisms to override other default settings.(d)
An operator shall notify a parent of a covered minor whenever such minor requests that the operator obtain consent from such covered minor’s parent to change the default setting provided in paragraph (b) of this subdivision. Such notice shall include a statement that informs the parent that the parent is being asked to provide consent to change a default setting required under New York law. The parent may thereafter provide or withhold such consent.8.
(a) For any covered minor under the age of thirteen, an operator shall require the parent of such covered minor to provide consent before the account of such covered minor and the account of another user may be connected. For any covered minor under the age of thirteen, an operator shall also establish a mechanism by which a parent of such minor may easily view the list of all users or accounts currently connected with the account of the minor.(b)
For any covered minor, an operator shall establish a mechanism by which a parent of such minor may easily view a list of any covered platforms that have been linked to or requested to be linked to the account of the minor, if the covered platform offers a mechanism for platform integration.9.
(a) An operator of a covered platform that offers or provides the feature described in item two of clause (B) of subparagraph (ii) of paragraph (c) of subdivision twelve of § 1539 (Definitions)section fifteen hundred thirty-nine of this article, may not offer or make available such feature to a covered user unless the operator has conducted age assurance to determine whether a covered user is a covered minor.(b)
For all users determined by such operator to be a covered minor, such operator shall establish a mechanism that either:(i)
enables the parent of such covered minor to set a monthly limit on the spending of money, whether by charging a credit card or other means, in connection with the direct or indirect purchase or acquisition of anything on or via the covered platform, including but not limited to digital currency, relating to such covered minor’s account and where the amount of such limit is set at the parent’s discretion; or(ii)
enables the parent of such covered minor to opt out of setting such limits.(c)
Such an operator may establish a mechanism to enable the covered minor to request that the operator obtain consent from the parent of such covered minor for the further expenditure of money, such as charging the credit card associated with such covered minor’s account, once the limit set forth in subparagraph (i) of paragraph (b) of this subdivision is reached. In such an instance, the operator shall obtain such consent from such parent before any such charges may be processed by the operator.(d)
Such operator shall further establish a mechanism by which a parent of a covered minor may easily view a history of all financial transactions relating to such covered minor’s account at any time, which at a minimum, identifies the users involved in each such transaction, in addition to the covered minor, as well as the amounts of money or digital currency associated with each transaction. * NB Effective January 1, 2027
Source:
Section 1540 — Privacy by default and parental approvals, https://www.nysenate.gov/legislation/laws/GBS/1540 (updated May 29, 2026; accessed Jun. 27, 2026).
