BILL NUMBER: S8102A
SPONSOR: GOUNARDES
 
TITLE OF BILL:
An act to amend the general business law, in relation to device-level
age assurance
 
PURPOSE OR GENERAL IDEA OF BILL:
To require devices to conduct commercially reasonable age assurance for
users under the age of 18 at the point of device activation, unlocking
the ability to enforce all other digital privacy and safety laws for
underage users.
 
SUMMARY OF PROVISIONS:
Section one of this bill creates a new Article 45-A in the General
Business Law (GBL) to require all manufacturers of Internet-enabled devices,
operating systems, or application stores to conduct commercially
reasonable and technically feasible age assurance for users at the point of
device activation.
Device manufacturers would be able to rely on an age assurance method
previously identified by the Office of the Attorney General (OAG) under
the regulations for the SAFE for Kids Act in Article 45 of GBL, or a
method identified under new regulations promulgated by the OAG if OAG
believes that updated regulations for this law are necessary. Covered
manufacturers would be required to delete information collected for the
purposes of age assurance immediately after determining the user's age
and would not be able to favor their own apps over those of third
parties by imposing additional restrictions or conditions on the latter.
Applications (apps) would then be required to request the age signal
from the device manufacturer at the point of app download and launch by
a user. The age signal would be communicated to the app via a real-time
application programming interface (API) and would be encrypted. The age
signal would communicate whether a user is under the age of 13, between
13 and 15 years old, between 16 and 17 years old, or at least 18 years
old and a legal adult.
Apps would be able to treat the API signal as an authoritative indicator
of a user's age, but they would not be able to willfully disregard other
clear and convincing evidence available to an app developer that
conflicts with the API signal.
This act would be enforced by the Attorney General, who may pursue a
civil penalty of $10,000 per violation, and would apply when users
access a device, operating system, or app store within the state of New
York.
Section two of this bill makes a conforming edit to the New York Child
Data Protection Act in GBL Article 39-FF, which already requires online
operators under that law to treat a user as a minor if their device
signals as much.
Section three of this bill sets a severability clause.
Section four of this bill creates the effective date.
 
JUSTIFICATION:
Concerns about digital well-being for underage users have grown
exponentially in recent years, with a 2020 Pew Research survey showing that 81%
of parents were worried about how much information advertisers could
glean about their child's behavior, and 72% of parents worried about
children's interaction with strangers online (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.). A
2023 Mott Children's Hospital poll showed that overuse of devices,
social media, and Internet safety were the top three concerns for
parents, and American teens are currently spending the equivalent of a
40-hour workweek, or 8.5 hours a day, on social media, gaming, and
messaging and texting apps alone (Rosenberg, David. "Teens Are Spending
the Equivalent of a 40-Hour Work Week on Their Devices. Here's How to
Help Them Find the Right Balance." Fortune Well, 24 Oct. 2023,
fortune.com/well/2023/10/24/teens-too-much-screen-time-find-balance/.).
States and nations have passed a laundry list of laws in recent years
endeavoring to protect minors online, such as those restricting access
to mobile sports betting or laws requiring apps to curb particularly
dangerous or addictive features for users under the age of 18. All of
these efforts are contingent, however, upon the deployer of the app or
product being able to reasonably ascertain the age of the user, so that
they know whether or not they should be treated as a minor under the
law.
This is why, over the last few years, at least 19 US states have
implemented age assurance mandates, along with several European countries,
where implementation of such laws has already begun (Hogg, Luke, and
Evan Swarztrauber. On the Internet, No One Knows You're a Dog Examining
the Feasibility of Privacy-Preserving Age Verification Online. 2025).
Age assurance is already the law of the land for social media apps with
algorithmic feeds under Article 45 of GBL, the Stop Addictive Feeds
Exploitation (SAFE) for Kids Act, in New York State.
Assumptions that the only way to identify the age of a user online is by
requiring a government ID are outdated, as many other methods of age
assurance have developed since the early days of the Internet. While
opponents of age assurance claim that there is no method to ascertain a
user's age that does not compromise security and privacy, this argument
ignores the advancement of zero-knowledge proof methods in recent years,
which allow a user to verify one fact about themself without giving up
any other personally identifying information (PII) (Hogg, Luke, and Evan
Swarztrauber. On the Internet, No One Knows You're a Dog Examining the
Feasibility of Privacy-Preserving Age Verification Online. 2025.).
Device-based storage systems, such as a digital wallet that enables a
user to store identity credentials to verify age, can be locally stored
on a device, encrypted, and used to provide data to a third party
without disclosing any other PII, minimizing the risk of exposure as the age
verification cannot be tied to broader online activity to create a
profile (Hogg, Luke, and Evan Swarztrauber. On the Internet, No One
Knows You're a Dog Examining the Feasibility of Privacy-Preserving Age
Verification Online. 2025.).
Similarly, double-blind systems, where the receiving platform does not
receive any information about the user and the age data provider does
not receive any information about the platform, minimize the sharing of
PII while also reducing the risk of identity theft and data breaches.
Double-blind systems are so successful in preserving and advancing user
privacy, in fact, that Arcom, the French administrative agency in charge
of enforcing their age assurance law for mature adult websites, has
already mandated that the providers of such websites offer at least one
double-blind option to users (Hogg, Luke, and Evan Swarztrauber. On the
Internet, No One Knows You're a Dog Examining the Feasibility of
Privacy-Preserving Age Verification Online. 2025.). Where PII is involved,
it is not necessarily newly collected: some companies conducting age
assurance use existing digital information such as email addresses,
phone numbers, or public banking information to estimate age with
remarkable accuracy, and many laws require that PII, where collected for
age assurance, be encrypted and deleted once a company has used it to
estimate a user's age.
This bill would require that all device manufacturers conduct
commercially reasonable age assurance at the point of device activation, and
that they then communicate if a user is a minor to apps and services on
the device, so that such services may be in compliance with laws and
regulations protecting kids online. While not the only effective means
of conducting age assurance, as many sophisticated apps are also capable
of (and indeed already know) their users' ages, requiring age assurance
at the operating system and app store level is one of the most effective
solutions as it streamlines compliance by embedding the information on
the device itself (Hogg, Luke, and Evan Swarztrauber. On the Internet, No
One Knows You're a Dog Examining the Feasibility of Privacy-Preserving
Age Verification Online. 2025.). This means that individual websites or
apps would not need to conduct age assurance anew, if they are already
receiving this signal from the device, burdening only the handful of
well-capitalized companies that are sophisticated and wealthy enough to
implement age assurance effectively.
Microsoft Windows holds a nearly 70% market share in the US for desktop
operating systems, for example, followed by Apple's macOS at 20% (Hogg,
Luke, and Evan Swarztrauber. On the Internet, No One Knows You're a Dog
Examining the Feasibility of Privacy-Preserving Age Verification
Online. 2025.). When it comes to smartphones, Apple and Google combine
for over 99% of market share - Apple with 55% and Google with 45% (Hogg,
Luke, and Evan Swarztrauber. On the Internet, No One Knows You're a Dog
Examining the Feasibility of Privacy-Preserving Age Verification
Online. 2025.). Additionally, implementing age assurance at the device
level would ensure that users would only need to verify their age once,
reducing friction in the online experience.
By requiring some of the best-resourced tech companies to conduct age
assurance on their devices, and then to communicate when a user is a minor
to other apps and services, this bill holds tech actors to their
existing legal obligations to protect kids online. This singular age data
point, which can be encrypted, decoupled from any other identifying
information, communicated via a token or credential, and then deleted,
unlocks the ability for policymakers and regulators to enforce all other
children's privacy laws, as the apps would no longer be able to claim
that they don't know when a user is a minor. In the absence of effective
age assurance, apps can treat minors like adults, exposing them to the
same predatory data collection, behavioral tracking, and targeted
advertising as any other user (Hogg, Luke, and Evan Swarztrauber. On the
Internet, No One Knows You're a Dog Examining the Feasibility of
Privacy-Preserving Age Verification Online. 2025.). This bill would leverage
advances in modern technology to close this egregious loophole, finally
giving teeth to New York and other jurisdictions' many valiant efforts
to protect children online and boost digital well-being.
 
PRIOR LEGISLATIVE HISTORY:
2025: Referred to Consumer Protection
 
FISCAL IMPLICATIONS:
None
 
EFFECTIVE DATE:
This act shall take effect one year after it shall have become a law.

Statutes affected:
S8102A: 899-ii general business law, 899-ii(1) general business law