PRIVO Blog

New York’s SAFE for Kids Act: What the Proposed Rules Mean—and What to Do Now

Written by PRIVO | 9/17/25 6:01 PM

New York’s Office of the Attorney General (OAG) has released proposed rules to implement the SAFE for Kids Act, aimed at curbing “addictive” social media features that harm youth mental health. The rules would limit algorithmically personalized feeds and nighttime notifications (12–6am ET) for users under 18 unless platforms obtain verifiable parental consent (VPC). They also outline age assurance standards, privacy requirements, and operational processes (appeals, testing, documentation).

Public comments are open until December 1, 2025. Even with time before finalization and the 180-day grace period after final publication, companies should start planning now. Getting age assurance and parental consent right is complex—and doable.

PRIVO is ready to help with both.

What counts as an “addictive feed” and who’s covered?

  • “Addictive feeds” = feeds personalized by algorithms using a user’s/device’s data to recommend/prioritize content in a way that extends time on platform.
  • Covered operators may not provide addictive feeds to minors without either (a) determining the user is not a minor (via compliant age assurance), or (b) obtaining verifiable parental consent for minors.
  • Nighttime notifications (12–6am ET) about addictive feeds are similarly restricted without VPC.
  • Certain platforms may be exempt, but if exemptions lapse, operators get 180 days on the first instance (30 days on subsequent) to comply.

Age assurance: standards, accuracy, and options

Platforms must use commercially reasonable and technically feasible methods to determine adult status before serving addictive feeds/night alerts. Key points:

  • Offer one or more age assurance methods; at least one must meet a “total accuracy minimum” via annual certification/testing.
  • If methods are inconclusive (and no actual knowledge of minority), operators may presume adult only if all required methods were completed and one met total accuracy minimum.
  • If using government ID, you must accept US and non-US IDs and provide at least one option that does not require government ID.
  • Explain methods and data handling to users; design cannot discourage completion or facilitate circumvention.
  • Monitor for circumvention, test accuracy annually, and keep records (including false positives/negatives, inconclusives, method attacks tested).
  • Provide an appeals process for users classified as minors to prove adult status—without requiring gov ID as the only route.

Verifiable Parental Consent (VPC): flows and guardrails

To enable an addictive feed or nighttime notifications for a minor:

  1. Minor approval to request parental consent (minor must first consent to you contacting the parent).
  2. Parent notice: clear disclosure that the feature requires parental consent under NY law, that the minor can still access the platform without the feature, and that consent can be withdrawn anytime.
  3. Parent method(s): at least one option without government ID (unless already held for other laws), and at least one without requiring parent account creation or purchase.
  4. Accessibility: instructions in the 12 most commonly spoken languages in NY; easy withdrawal mechanism (no live-rep requirement if not used to grant consent).
  5. COPPA alignment: for under-13 or child-directed services, COPPA methods may be used if they also meet NY’s additional requirements (notice, anti-circumvention, etc.).
  6. Renewals: if a parent refuses consent, platforms can only re-request at the minor’s request.

Data use, retention, and privacy

  • Collect minimum necessary data for compliance; use it only for compliance; encrypt in transit/at rest; delete promptly (with narrow retention for legal compliance + method metrics).
  • Maintain 10-year records of method usage, outcomes, and testing results.
  • Provide no additional parental access to a minor’s activity beyond what’s required. Notices must not reveal a minor’s personalized attributes, content selections, specific content, or other users’ identities.

Timelines & enforcement

  • Comment deadline: December 1, 2025 (email: ProtectNYKidsOnline@ag.ny.gov).
  • OAG has up to 1 year to finalize rules.
  • Final rules take effect 180 days after publication.
  • OAG may bring actions and seek penalties (up to $5,000 per violation), among other remedies.

What companies should do now (even before final rules)

  1. Assess coverage & scope
    • Determine if your properties are covered; map NY user exposure; identify any exemptions and contingencies.
  2. Design a compliant feed fallback
    • Build a non-algorithmic feed option (e.g., follows-only, chronological) accessible to minors without VPC—and ensure parity of access/quality per the rules.
  3. Select & validate age assurance methods
    • Choose multiple methods (incl. a non-ID option).
    • Plan annual certification/testing (accuracy, false pos/neg, circumvention).
    • Prepare the appeals workflow.
  4. Implement verifiable parental consent (VPC) flows
    • Minor pre-consent step → parent notice → parent method options.
    • Support withdrawal anytime; log events; localize to 12 languages.
  5. Engineer privacy-by-design
    • Minimize data; encrypt; limit retention; segregate compliance data; document deletion timelines.
  6. Update UX copy & notices
    • Draft clear, conspicuous notices for minors and parents (no hidden disclosures; no dark patterns).
  7. Vendor governance
    • If you rely on third parties for age assurance/VPC, you remain responsible. Contract for accuracy, privacy, testing, and records.
  8. Plan for 18th birthdays
    • Offer a path for minors to update age status when they turn 18.

How PRIVO can help (age assurance + VPC, end-to-end)

  • Age Assurance: Multi-method approach with non-ID options, privacy-preserving flows, and support for annual accuracy testing and documentation.
  • Verifiable Parental Consent: Proven, friction-reduced consent flows (pre-consent, parent notification, multi-method VPC, easy withdrawal), aligned with COPPA and proposed NY requirements.
  • Jurisdiction-aware workflows: Automatically adapt pathways by region, age, feature, and consent status.
  • Data minimization & security: Built to collect only what’s necessary, encrypt by default, and support compliant retention/deletion records.
  • Rapid deployment: APIs and configurable UX to stand up compliant fallback feeds, notification controls, and consent dashboards.

👉 Want help assessing your exposure and building a compliance roadmap? Contact PRIVO to get started.