NY Privacy Act

• The NYS Senate and Assembly are actively considering the NY Privacy Act, and may vote to approve it before the legislative session ends on June 8.
• The bill, while still under discussion and in flux, would impose strict new disclosure and licensing requirements on legal entities that access, collect, and/or sell data from online sources. A brief summary of key provisions is below.

Bill Summary:

• The NY Privacy Act will require companies to obtain explicit consent from consumers before processing their personal and sensitive data.[1]
• The law will apply to most for-profit and nonprofit businesses, with some exceptions, that conduct business in New York State or produce products or services targeted to residents in NYS.
• Consumer rights include:
  • Notice of how their data is processed and sold
  • Right to opt-out
  • Ability to request access and obtain a copy of their data in an electronic format
  • Ability to ask for the deletion or correction of data
  • Private right of action against companies for violating their privacy
• “Personal” data refers to any data that identifies or could be linked with a specific person or household.
• “Sensitive” data refers to personal data that reveals:
  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition
  • Sexual orientation or sex life
  • Citizenship or immigration status
  • Genetic or biometric information for the purpose of identifying a person
  • Precise geolocation data
  • Social security, financial account, passport, or driver’s license numbers.
• Businesses will be obligated to regularly conduct data protection assessments for activities that present a heightened risk of harm to consumers, and must develop “reasonable safeguards” to protect the security of the consumer data.
• Companies are also not permitted to discriminate against consumers for exercising their data rights, such as opting out of data sharing.
• Companies will be required to register and pay an annual fee to the Attorney General and submit information regarding their use practices.
  • The AG will maintain a “data broker registry” on its website.
• If passed, most aspects of the bill shall take effect two years after becoming law.
  • However, the private right of action will take effect three years after the law is passed.

Background:

• Thomas has been the primary champion of this bill, and he also introduced it in the 2021-2022 and 2019-2020 legislative session.
  • AM Rozic is the Assembly sponsor in the 23-24 session.
  • AM Rosenthal sponsored the bill in 19-20 but has not sponsored it since.
• Many other states are considering data privacy bills in the absence of a federal privacy law; however, New York’s is unique in the private right of action.[2]
  • At this point in 2023, 16 other states have proposed or passed data privacy laws with varying degrees of protection.[3]

[1] https://www.nysenate.gov/legislation/bills/2023/S365#:~:text=S365%20%2D%20Summary,whom%20their%20information%20is%20shared.

[2] https://www.politico.com/news/2023/02/22/statehouses-privacy-law-cybersecurity-00083775

[3] https://www.rila.org/blog/2023/04/states-continue-to-pass-major-privacy-legislation

Share

Share this...

Facebook

Pinterest

Twitter

Linkedin