Relates to social media open application programming; requires social media platforms to implement and maintain a standards-based application programming interface that permits third-party applications to retrieve data at no cost to be used for the user's benefit and to provide certain information to users; requires social media companies to submit a report to the attorney general.
STATE OF NEW YORK
________________________________________________________________________
10416
IN SENATE
May 15, 2026
___________
Introduced by Sen. GONZALEZ -- read twice and ordered printed, and when
printed to be committed to the Committee on Internet and Technology
AN ACT to amend the general business law, in relation to social media
open application programming
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The general business law is amended by adding a new arti-
2 cle 42-A to read as follows:
3 ARTICLE 42-A
4 SOCIAL MEDIA OPEN APPLICATION PROGRAMMING
5 INTERFACE ACCESS
6 Section 1120. Definitions.
7 1121. Required open API access with social media for third-party
8 development tools.
9 1122. API access report.
10 1123. Violations and remedies.
11 1124. Application.
12 § 1120. Definitions. As used in this article:
13 1. "Application programming interface" or "API" means a standards-
14 based interface that permits third-party applications to retrieve data
15 and send instructions through the use of non-proprietary technologies
16 that are commonly used and recognized by businesses on behalf of a user
17 or authorized representative with no special effort.
18 2. "Authorized representative" means a person who has received written
19 authorization from a user to take actions on behalf of a user on a
20 social media platform.
21 3. "Content" means statements or comments made by users and media that
22 are created, posted, shared, or otherwise interacted with by users on an
23 internet-based service or application. "Content" does not include media
24 put on a service or application exclusively for the purpose of cloud
25 storage, transmitting files, or file collaboration.
26 4. "Public or semipublic internet-based service or application"
27 excludes a service or application used to facilitate communication with-
28 in a business or enterprise among employees or affiliates of the busi-
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD08368-01-5
S. 10416 2
1 ness or enterprise, provided that access to the service or application
2 is restricted to employees or affiliates of the business or enterprise
3 using the service or application.
4 5. "Social media company" means a person or entity that owns or oper-
5 ates one or more social media platforms.
6 6. "Social media platform" means a public or semipublic internet-based
7 service or application that has users in New York and that meets both of
8 the following criteria:
9 (a) A substantial function of the service or application is to connect
10 users in order to allow users to interact socially with each other with-
11 in the service or application. A service or application that provides
12 email or direct messaging services shall not be considered to meet this
13 criterion on the basis of that function alone.
14 (b) The service or application allows users to do all of the follow-
15 ing:
16 (i) construct a public or semipublic profile for purposes of signing
17 into and using the service or application;
18 (ii) populate a list of other users with whom an individual shares a
19 social connection within the system; and
20 (iii) create or post content viewable by other users, including, but
21 not limited to, on message boards, in chat rooms, or through a landing
22 page or main feed that presents the user with content generated by other
23 users.
24 § 1121. Required open API access with social media for third-party
25 development tools. 1. A social media platform must implement and main-
26 tain a standards-based application programming interface that permits
27 third-party applications to retrieve data specified in subdivision two
28 of this section at no cost, and for a user or a user's authorized repre-
29 sentative, to be used for the user's benefit.
30 2. A social media platform must provide the following information to
31 its current users or their authorized representatives through the API
32 consistent with subdivision one of this section:
33 (a) The user's personal data that the social media platform controls,
34 including, without limitation:
35 (i) data generally available to account holders, including user's
36 name, username or handle, profile photo, bio, and location;
37 (ii) user data or data based on actions taken by the user generated by
38 a user collected by the social media platform that forms the basis for
39 social recommendations, including without limitation user follows and
40 publicly available follower data, as well as the social recommendations,
41 groups, topics, boards, and hashtags, users may follow;
42 (iii) third-party data which is either (A) generally available to all
43 account holders, or (B) made available to the user by the action of that
44 third-party, and which is collected by the social media company to make
45 content decisions that directly or indirectly impact a user; and
46 (iv) user settings, including notification and privacy settings,
47 muted/blocked accounts and keywords.
48 (b) Social media platform produced or recommended data that is avail-
49 able to the user, including without limitation:
50 (i) content that is directed or recommended to the user by the social
51 media platform in surface areas, including direct messages, comments on
52 user posts, mentions, tagged comments, and tagged stories;
53 (ii) social media platform produced data or compilations of data that
54 is visible in personalized surface areas, including timeline and recom-
55 mendations;
S. 10416 3
1 (iii) content freely available to a user as a result of a user's
2 actions, including content generally available to groups, servers, and
3 communities joined by the user; and
4 (iv) notifications regarding actions on the social media platform.
5 (c) Data that is generally available to all account holders about the
6 user's friends or followers that the social media platform uses to make
7 filtering or ranking decisions relating to a user, including, without
8 limitation, data that is available to the user about other accounts on
9 the platform, including name, username or handle, profile photo and
10 number of followers or persons following.
11 3. A social media platform must provide access through the API neces-
12 sary to allow third-party applications on behalf of any current user to
13 write, update or take action on:
14 (a) The user's personal data that the social media platform controls,
15 including, without limitation:
16 (i) data that is generally available to all account holders, including
17 user's name, username or handle, profile photo, bio, and location;
18 (ii) user data and data generated by a user and collected by the
19 social media platform that forms the basis for social recommendations,
20 including user follows and follower data, as well as the topics users
21 may follow;
22 (iii) third-party data which is either (A) generally available to all
23 account holders, or (B) made available to user by the action of the
24 third-party, and which is collected by the social media company to make
25 user safety decisions, including who users block and mute; and
26 (iv) user settings, including notification and privacy settings, and
27 muted/blocked keywords.
28 (b) All safety or preference controls that can be applied to other
29 users and content, including, without limitation, muting, blocking,
30 reporting, hiding comments or replies, accepting user requests, or
31 related controls.
32 4. A social media platform must conduct routine testing, conducted not
33 less than quarterly, conduct ongoing monitoring, and make all updates
34 necessary to ensure the API functions properly, including:
35 (a) Assessments to verify that the API is fully and successfully
36 implementing privacy and security features.
37 (b) A status dashboard to allow developers to determine the operation-
38 ality of the API.
39 (c) Functionality to enable piecewise retrieval of large data sets,
40 including filtering, sorting, and pagination, or ability to query deltas
41 since a given timestamp.
42 (d) Maximum latency thresholds necessary to allow developers to access
43 any required data in a reasonable manner.
44 (e) Reasonable error handling, including standard error codes.
45 (f) Versioning of the API.
46 5. A social media platform must make publicly accessible, by posting
47 directly on its website or via a publicly accessible hyperlink or hyper-
48 links, complete accompanying documentation reasonably necessary for
49 developers to access the API. This documentation shall include, without
50 limitation:
51 (a) API syntax, function names, required and optional parameters
52 supported and their data types, return variables and their
53 types/structures, exceptions and exception handling methods and their
54 returns, as well as sample data for each data type.
S. 10416 4
1 (b) The software components and configurations an application must use
2 in order to successfully interact with the API and process its response
3 or responses.
4 (c) All applicable technical requirements and attributes necessary for
5 an application to be registered with any authorization server or servers
6 deployed in conjunction with the API.
7 (d) Change logs for any updates to the API.
8 6. A social media platform may deny or discontinue any user or author-
9 ized representative's application's access to the API if:
10 (a) the social media platform reasonably determines, consistent with
11 access requirements clearly established in its terms and conditions,
12 that allowing a user or authorized representative to connect or remain
13 connected to the API would present an unacceptable level of risk to the
14 security of the social media platform or its users; and
15 (b) the social media platform makes this determination using objec-
16 tive, verifiable criteria that are applied fairly and consistently
17 across all applications and developers through which users may seek
18 access to the platform; provided that the social media platform must
19 retain records of any decision to restrict API access to any user or
20 authorized representative, including the user, date, time, documented
21 misuse and record of notification of violation.
22 § 1122. API access report. 1. On a semiannual basis in accordance with
23 subdivision two of this section, a social media company shall submit to
24 the attorney general an API access report. The API access report shall
25 include, for each social media platform owned or operated by the compa-
26 ny, information on API utilization and access decisions made pursuant to
27 section eleven hundred twenty-one of this article, including all of the
28 following:
29 (a) the current features included in the API;
30 (b) if a social media company has filed its first report, a complete
31 and detailed description of any changes to the API since the previous
32 report;
33 (c) a detailed description of how the social media company has
34 responded to additional features added to the platform since the previ-
35 ous API access report; and
36 (d) any denials or discontinuations of any person to the API, includ-
37 ing a complete and detailed description of the bases for such denial or
38 discontinuation.
39 2. (a) A social media company shall electronically submit a semiannual
40 API access report pursuant to subdivision one of this section, covering
41 activity within the third and fourth quarters of the preceding calendar
42 year, to the attorney general no later than April first of each year,
43 and shall electronically submit a semiannual API access report pursuant
44 to subdivision one of this section, covering activity within the first
45 and second quarters of the current calendar year, to the attorney gener-
46 al no later than October first of each year.
47 (b) Notwithstanding paragraph (a) of this subdivision, a social media
48 company shall electronically submit its first API access report pursuant
49 to subdivision one of this section, covering activity within the third
50 quarter of two thousand twenty-six, to the attorney general no later
51 than January first, two thousand twenty-seven, and shall electronically
52 submit its second API access report pursuant to subdivision one of this
53 section, covering activity within the fourth quarter of two thousand
54 twenty-six, to the attorney general no later than April first, two thou-
55 sand twenty-seven. A social media platform shall submit its third report
S. 10416 5
1 no later than October first, two thousand twenty-seven, in accordance
2 with paragraph (a) of this subdivision.
3 3. The attorney general shall make all API access reports submitted
4 pursuant to this section available to the public in a searchable reposi-
5 tory on its official internet website.
6 § 1123. Violations and remedies. 1. (a) A social media company that
7 violates the provisions of this article may be enjoined in any court of
8 competent jurisdiction.
9 (b) A social media company shall be considered in violation of the
10 provisions of this article if the social media company does any of the
11 following:
12 (i) fails to provide or maintain open API access in accordance with
13 section eleven hundred twenty-one of this article;
14 (ii) fails to timely submit to the attorney general reports required
15 pursuant to section eleven hundred twenty-two of this article; or
16 (iii) materially omits or misrepresents required information in a
17 report submitted pursuant to section eleven hundred twenty-two of this
18 article.
19 2. Actions for relief pursuant to this article shall be prosecuted
20 exclusively in a court of competent jurisdiction by the attorney general
21 in the name of the people of the state of New York or a city corporation
22 counsel on behalf of a locality upon their own complaint or upon the
23 complaint of a board, officer, person, corporation, or association.
24 § 1124. Application. This article shall not apply to a social media
25 company that generated less than one hundred million dollars in gross
26 revenue during the preceding calendar year or to an internet-based
27 service or application for which interactions between users are limited
28 to direct messages, commercial transactions, consumer reviews of
29 products, sellers, services, events, or places, or any combination ther-
30 eof.
31 § 2. This act shall take effect on the one hundred eightieth day after
32 it shall have become a law.
