On February 8, 2021, the New York Privacy Act (the “Act” or “NY Privacy Act”) was approved by the New York Senate Consumer Protection Committee. A similar bill was also introduced before the New York State Assembly. The Act, introduced by Senator Kevin Thomas in May 2021, aims to “strengthen consumer privacy rights by requiring companies to disclose their methods of de-identifying personal information, placing safeguards around data sharing, and allowing consumers to obtain the names of all entities with whom their information is shared.” The Act will now advance to the Internet and Technology Committee for review. While the Act is merely a bill at this time (and, therefore, subject to further review, discussion and revision), website operators and other business owners should be aware of the potential impact that it may have on their businesses should it pass in to law.
Key provisions of the NY Privacy Act
The NY Privacy Act applies to “legal persons that conduct business in New York State or produce products or services intentionally targeted to residents in New York State,” provided that businesses: (1) have annual gross revenues of at least 25 million dollars; (2) control or process personal data of 100,000 consumers or more; (3) capture personal data of 500,000 people nationwide, and control or process personal data of 10,000 consumers; or (4) develop 50% of their gross revenue from the sale of personal data, and control or process personal data of 25,000 thousand consumers or more . . . .” Entities that are exempt from these requirements include state and local governments and municipal corporations.
Similar to the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Privacy Regulation (“GDPR”), the NY Privacy Act affords consumers the right to exercise more control over their personal data and “requires businesses to be responsible, thoughtful, and accountable managers” of that personal data. Specifically, the Act provides New York State consumers with the right to: (1) know how their data is being used, processed and sold; (2) provide opt-in consent; (3) access and obtain a copy of the data that is being collected about them; (4) correct inaccurate data; (5) delete their data; and (6) challenge certain automated decisions.
Data brokers would be required to register with the New York State Attorney General’s Office on or before January 31, following the year in which they meet the definition of data broker and pay a registration fee of $100.00. Under the Act, a data broker is defined as a person or legal entity “that does business in the state of New York and knowingly collects, and sells to controllers or third-parties, the personal data of a consumer with whom it does not have a direct relationship.” Failing to register as a data broker exposes businesses to liability for civil penalties, fees, and costs in any action brought by the Attorney General.
NY Privacy Act Enforcement
The NY Privacy Act imparts enforcement authority to the Attorney General and includes, significantly, a private right of action for New York State consumers. The Attorney General would be empowered to bring an action or special proceeding on behalf of New Yorkers who have been harmed by any violations of the NY Privacy Act. Pursuant to the proposed law, the New York Attorney General would be authorized to seek civil penalties of up to $15,000.00 per violation of the Act. Additionally, any citizen whose consumer privacy rights had been violated would be able to bring a private right of action to recover actual damages or $1,000.00, whichever is greater, together with attorneys’ fees.
It bears repeating that the Act is just proposed legislation right now. If it continues through the legislative process, it will undergo changes and could look much different than it does today by the time it is up for a vote in Congress. For example, the Act includes some changes to the original bill. These include specific duties owed by controllers and third-parties to consumers (e.g., controllers must regularly conduct data protection assessments for high-risk activities, maintain reasonable safeguards to protect collected consumer data, and limit data use and retention).
Should the NY Privacy Act pass into law, the Senate is seeking to have it take effect immediately. We will continue to monitor the progress of the Act and update our readers on any changes to the legislation.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Similar Blog Posts: