New York Privacy Act Introduced

May 10, 2019

Yesterday, New York State Senator Kevin Thomas introduced legislation entitled the NY Privacy Act. The legislation would apply to all entities conducting business in New York and/or serving New York residents. The bill would establish a new set of consumer rights and mandate that every business collecting, processing, or selling personal data serve as a “data fiduciary” — meaning that businesses must exercise a duty of care with respect to securing the personal data of a consumer and act in the best interests of the consumer. The legislation incorporates provisions from Europe’s General Data Protection Regulation and the California Consumer Privacy Act. A more complete summary of the legislation is below. That being said, this is the most comprehensive NY privacy legislation introduced to date. As of now, this legislation does not have a companion bill in the Assembly.

Bill Summary:

  • The New York Privacy Act would apply to any entity conducting business in New York State or producing products/services targeted to New York residents.

  • The legislation establishes that personal data (defined extremely broadly) shall not be collected, used, processed, or transferred to a third party unless a consumer provides consent.

  • Every business that collects, sells, or licenses personal data will serve as a data fiduciary.

    • Accordingly, businesses must exercise a duty of care with respect to securing the personal data of a consumer against a privacy risk and act in the best interests of the consumer.

    • Privacy risk is defined broadly as any potential adverse consequences to consumers and society arising from the use of personal data (including anxiety, embarrassment, and significant inconvenience or expenditure of time).

  • The Act creates a new class of consumer rights and requires businesses to provide notice to consumers of these rights. The rights established include:

    • Businesses must provide the opportunity to opt in or opt out of personal data processing.

    • Upon consumer request, businesses must acknowledge whether they are collecting/processing personal data about the consumer and whether data is sold to brokers.

    • If data is collected/processed, the business must provide access to a copy of such personal data.

    • Businesses must correct inaccurate personal data upon request of the consumer.

    • Businesses must delete a consumer’s personal data upon the consumer’s request.

    • Businesses must cease processing of a consumer’s personal data upon their request.

    • A consumer shall not be subject to a decision based solely on automated processing of personal data when the consumer is legally or significantly affected.

    • Businesses must take measures to provide human review of decisions and allow consumers to contest significant decisions.

  • Businesses must make available a clear, meaningful privacy notice, which includes: categories of personal data collected, the purposes for which data is used, the rights of consumers, the categories of data shared with third parties, and the names and categories of third parties.

    • Businesses that utilize automated tools to profile a person must disclose meaningful information about the logic involved and the significance of the profiling.

    • If a business collects/uses personal data for targeted marketing, it must disclose this to the consumer and inform the customer of their right to object to the processing.

  • Enforcement:

    • The legislation establishes that the attorney general may bring an action on behalf of New York residents AND it grants a private right of action to persons injured by violation.

    • The damages and civil penalties for businesses are to be determined by the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity.

  • Exemptions:

    • The legislation makes exemptions for: any collection, processing, and transferring done to comply with local, state, or federal law and in other discrete cases.

If you have any questions, email Tech:NYC's Policy Director, Zach Hecht.