On May 13, 2021, New York State Senator Kevin Thomas reintroduced the New York Privacy Act (S6701). With California, Virginia, and Colorado already having comprehensive state privacy laws on the books, New York may be the next state to have one of its own.
Having convened for the 2022 Legislative Session on January 5, 2022, New York lawmakers are once again considering the New York Privacy Act (S6701A / A680B). As of February 8, 2022, the Senate version of the bill has been reported and committed to the Internet and Technology Committee.
Here are some of the important details that businesses should know about the proposed legislation:
The New York Privacy Act would apply to legal persons that conduct business in New York or produce products or services targeted to residents of New York, and that satisfy one or more of the following thresholds:
The New York Privacy Act recognizes a number of exemptions.
For example, the act would not apply to personal data processed by state and local governments, personal data covered under the Gramm-Leach-Bliley Act (GLBA), personal data covered under the Driver's Privacy Protection Act, personal data covered under the Family Educational Rights and Privacy Act (FERPA), personal data covered under the Farm Credit Act, protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and data covered by other similar federal laws.
Data maintained as employment records (for purposes other than sale) as well as data collected as part of human subjects research (such as clinical trials) would also be exempted.
Furthermore, the New York Privacy Act would not apply to national securities associations regulated by the Securities Exchange Act of 1934.
The New York Privacy Act defines “personal data” as “any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device. Personal data does not include de-identified data.”
The bill does not create a defined category of "sensitive data" that would be subject to additional restrictions.
Under the New York Privacy Act, consumers have the rights to notice, access, data portability, correction, and deletion, as well as the right to appeal automated decision-making.
A controller that processes a consumer's personal data must provide notice in a manner that is publicly and persistently available, conspicuous, and readily accessible. Such notice must include:
The New York Privacy Act requires that notices be written in easy-to-understand language at an 8th-grade reading level or below and be updated at least annually.
The New York Privacy Act defines "consent" as "a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer's agreement to the processing of data relating to the consumer." Consumers can withdraw their consent at any time.
The following do NOT constitute consent:
The New York Privacy Act takes an opt-in consent approach. Controllers must obtain freely given, specific, informed, and unambiguous opt-in consent prior to processing.
Controllers must regularly conduct and document data protection assessments. The New York Privacy Act also imposes a duty of loyalty and duty of care upon controllers. Controllers must also review their retention practices at least annually and may not discriminate against a consumer for exercising his or her privacy rights. Notably, controllers must also enter into written, signed contracts with any processors prior to making any disclosure, transfer, or sale of personal data.
Processors must comply with these contracts (for which the New York Privacy Act lists several requirements and restrictions) and are under a continuing obligation to engage in reasonable measures to review their activities.
Third parties may process data only to the extent permitted and must generally honor any exercise of a consumer's privacy rights.
Data brokers must register with the attorney general on an annual basis, pay a registration fee of $100 (or some other amount determined by the attorney general), and provide identifying information and a statement describing the method for exercising consumers’ rights and whether they implement a purchaser credentialing process.
The New York Privacy Act would require the attorney general to maintain a statewide registry of data brokers.
The New York Privacy Act gives consumers a private right of action for violations of the opt-in consent, automated decision-making, and/or controller response sections.
Sections 1101 (Jurisdictional scope), 1102 (Consumer rights), 1103 (Controller, processor, and third-party responsibilities), 1105 (Limitations), 1106 (Enforcement and private right of action), and 1107 (Miscellaneous) would take effect two years after the New York Privacy Act becomes law.
The private right of action would take effect three years after the act becomes law.
The New York Privacy Act is currently under active committee consideration. On February 8, 2022, the New York Senate Consumer Affairs Committee voted the Senate version of the bill out of committee (5 ayes, 1 nay), and it is now before the New York Senate Internet and Technology Committee. New York State's current legislative session runs until early June.
Octillo continues to actively monitor updates to the New York privacy landscape. To learn more about the impact the New York Privacy Act may have on your business, please reach out to our team of highly experienced attorneys.
*Attorney advertising: prior results do not guarantee similar outcomes.