NY Privacy Act

June 5, 2023

  • The NYS Senate and Assembly are actively considering the NY Privacy Act, and may vote to approve it before the legislative session ends on June 8.
  • The bill, while still under discussion and in flux, would impose strict new disclosure and licensing requirements on legal entities that access, collect, and/or sell data from online sources. A brief summary of key provisions is below.

Bill Summary:

  • The NY Privacy Act will require companies to obtain explicit consent from consumers before processing their personal and sensitive data.[1]
  • The law will apply to most for-profit and nonprofit businesses, with some exceptions, that conduct business in New York State or produce products or services targeted to residents in NYS.
  • Consumer rights include:
    • Notice of how their data is processed and sold
    • Right to opt-out
    • Ability to request access and obtain a copy of their data in an electronic format
    • Ability to ask for the deletion or correction of data
    • Private right of action against companies for violating their privacy
  • “Personal” data refers to any data that identifies or could be linked with a specific person or household.
  • “Sensitive” data refers to personal data that reveals:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health condition
    • Sexual orientation or sex life
    • Citizenship or immigration status
    • Genetic or biometric information for the purpose of identifying a person
    • Precise geolocation data
    • Social security, financial account, passport, or driver’s license numbers.
  • Businesses will be obligated to regularly conduct data protection assessments for activities that present a heightened risk of harm to consumers, and must develop “reasonable safeguards” to protect the security of the consumer data.
  • Companies are also not permitted to discriminate against consumers for exercising their data rights, such as opting out of data sharing.
  • Companies will be required to register and pay an annual fee to the Attorney General and submit information regarding their use practices.
    • The AG will maintain a “data broker registry” on its website.
  • If passed, most aspects of the bill shall take effect two years after becoming law.
    • However, the private right of action will take effect three years after the law is passed.



  • Thomas has been the primary champion of this bill, and he also introduced it in the 2021-2022 and 2019-2020 legislative session.
    • AM Rozic is the Assembly sponsor in the 23-24 session.
    • AM Rosenthal sponsored the bill in 19-20 but has not sponsored it since.
  • Many other states are considering data privacy bills in the absence of a federal privacy law; however, New York’s is unique in the private right of action.[2]
    • At this point in 2023, 16 other states have proposed or passed data privacy laws with varying degrees of protection.[3]

[1] https://www.nysenate.gov/legislation/bills/2023/S365#:~:text=S365%20%2D%20Summary,whom%20their%20information%20is%20shared.

[2] https://www.politico.com/news/2023/02/22/statehouses-privacy-law-cybersecurity-00083775

[3] https://www.rila.org/blog/2023/04/states-continue-to-pass-major-privacy-legislation

Explore Articles and News

See All News