BILL NUMBER: S8102
SPONSOR: GOUNARDES
TITLE OF BILL:
An act to amend the general business law, in relation to device-level
age assurance
PURPOSE OR GENERAL IDEA OF BILL:
To require devices to conduct commercially reasonable age assurance for
users under the age of 18 at the point of device activation, unlocking
the ability to enforce all other digital privacy and safety laws for
underage users
SUMMARY OF PROVISIONS:
Section one of this bill creates a new Article 45-A in the General Busi-
ness Law (GBL) to require all manufacturers of Internet-enabled devices,
operating systems, or application stores to conduct commercially reason-
able and technically feasible age assurance for users at the point of
account creation.
The Attorney General would promulgate regulations identifying acceptable
methods for age assurance, provided that user self-attestation of age
with no other supporting evidence (the current standard in federal law
under the Children's Online Privacy Protection Act (COPPA) of 1998),
shall not be one such acceptable method. Covered manufacturers would not
be required to delete information collected for the purposes of age
assurance immediately after determining the user's age and would not be
able to favor their own apps over those of third parties by imposing
additional restrictions or conditions on the latter.
Manufacturers would then be required to communicate if a user is under
the age of 18, and so a legal minor, to all apps and services on the
device via a real-time application programming interface (API).
This act would be enforced by the Attorney General, who may pursue a
civil penalty of $10,000 per violation, and would apply when users
access a device, operating system, or app store within the state of New
York.
Section two of this bill sets a severability clause.
Section three of this bill is the effective date.
JUSTIFICATION:
Concerns about digital well-being for underage users have grown exponen-
tially in recent years, with a 2020 Pew Research survey showing that 81%
of parents were worried about how much information advertisers could
glean about their child's behavior, and 72% of parents worried about
children's interaction with strangers online (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.). A
2023 Mott Children's Hospital poll showed that overuse of devices,
social media, and Internet safety were the top three concerns for
parents, and American teens are currently spending the equivalent of a
40-hour workweek, or 8.5 hours a day, on social media, gaming, and
messaging and texting apps alone (Rosenberg, David. "Teens Are Spending
the Equivalent of a 40-Hour Work Week on Their Devices. Here's How to
Help Them Find the Right Balance." Fortune Well, 24 Oct. 2023,
fortune.com/well/2023/10/24/teens-too-much-screen-time-find-balance/.)
States and nations have passed a laundry list of laws in recent years
endeavoring to protect minors online, such as those restricting access
to mobile sports betting or laws requiring apps to curb particularly
dangerous or addictive features for users under the age of 18. All of
these efforts are contingent, however, upon the deployer of the app or
product being able to reasonably ascertain the age of the user, so they
know whether or not they should be treated as a minor under the law.
This is why, over the last few years, at least 19 US states have imple-
mented age assurance mandates, along with several European countries,
where implementation of such laws has already begun (Hogg, Luke, and
Evan Swarztrauber. On the Internet, No One Knows You're a Dog Examining
the Feasibility of Privacy-Preserving Age Verification Online. 2025).
Age assurance is already the law of the land for social media apps with
algorithmic feeds under Article 45 of GBL, the Stop Addictive Feeds
Exploitation (SAFE) for Kids Act, in New York State.
Assumptions that the only way to identify the age of a user online is by
requiring a government ID are outdated, as many other methods of age
assurance have developed since the early days of the Internet. While
opponents of age assurance claim that there is no method to ascertain a
user's age that does not compromise security and privacy, this argument
ignores the advancement of zero-knowledge proof methods in recent years,
which allow a user to verify one fact about themself without giving up
any other personally identifying information (PII) (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.).
Device-based storage systems, such as a digital wallet that enables a
user to store identity credentials to verify age, can be locally stored
on a device, encrypted, and used to provide a binary yes/no response to
a third party without disclosing any other PII, minimizing the risk of
exposure as the age verification cannot be tied to broader online activ-
ity to create a profile (Hogg, Luke, and Evan Swarztrauber. On the
Internet, No One Knows You're a Dog Examining the Feasibility of
Privacy-Preserving Age Verification Online. 2025.).
Similarly, double-blind systems, where the receiving platform does not
receive any information about the user and the age data provider does
not receive any information about the platform, minimize the sharing of
PII while also reducing the risk of identity theft and data breaches.
Double-blind systems are so successful in preserving and advancing user
privacy, in fact, that Arcom, the French administrative agency in charge
of enforcing their age assurance law for mature adult websites, has
already mandated that the providers of such websites offer at least one
double-blind option to users (Hogg, Luke, and Evan Swarztrauber. On the
Internet, No One Knows You're a Dog Examining the Feasibility of
Privacy-Preserving Age Verification Online. 2025.). Where PII is involved,
it is not necessarily newly collected: some companies conducting age
assurance use existing digital information such as email addresses,
phone numbers, or public banking information to estimate age with
remarkable accuracy, and many laws require that PII, where collected for
age assurance, be encrypted and deleted once a company has used it to
estimate a user's age.
This bill would require that all device manufacturers conduct commer-
cially reasonable age assurance at the point of device activation, and
that they then communicate if a user is a minor to apps and services on
the device, so that such services may be in compliance with laws and
regulations protecting kids online. While not the only effective means
of conducting age assurance, as many sophisticated apps are also capable
of (and indeed already know) their users' ages, requiring age assurance
at the operating system and app store level is one of the most effective
solutions as it streamlines compliance by embedding the information on
the device itself (Hogg, Luke, and Evan Swarztrauber. On the Internet,
No One Knows You're a Dog Examining the Feasibility of
Privacy-Preserving Age Verification Online. 2025.). This means that individual websites
or apps would not need to conduct age assurance anew, if they are
already receiving this signal from the device, burdening only the hand-
ful of well-capitalized companies that are sophisticated and wealthy
enough to implement age assurance effectively. Microsoft Windows holds a
nearly 70% market share in the US for desktop operating systems, for
example, followed by Apple's macOS at 20% (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.). When it
comes to smartphones, Apple and Google combine for over 99% of market
share - Apple with 55% and Google with 45% (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.).
Additionally, implementing age assurance at the device level would ensure
that users would only need to verify their age once, reducing friction
in the online experience.
By requiring some of the best-resourced tech companies to conduct age
assurance on their devices, and then to communicate when a user is a minor
to other apps and services, this bill holds tech actors to their exist-
ing legal obligations to protect kids online. This singular age data
point, which can be encrypted, decoupled from any other identifying
information, communicated via a binary token or credential, and then
deleted, unlocks the ability for policymakers and regulators to enforce
all other children's privacy laws, as the apps would no longer be able
to claim that they don't know when a user is a minor. In the absence of
effective age assurance, apps can treat minors like adults, exposing
them to the same predatory data collection, behavioral tracking, and
targeted advertising as any other user (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.). This bill
would leverage advances in modern technology to close this egregious
loophole, finally giving teeth to New York and other jurisdictions' many
valiant efforts to protect children online and boost digital well-being.
PRIOR LEGISLATIVE HISTORY:
None
FISCAL IMPLICATIONS:
TBD
EFFECTIVE DATE:
This act shall take effect one year after it shall have become a law.