On May 12, 2021, Senator Kevin Thomas reintroduced the New York Privacy Act (the “Act” or “NY Privacy Act”) before the New York Senate. In 2019, Senator Thomas had hoped to pass privacy legislation S5642 (the “Bill”) to amend the general business law in order to address the management and oversight of consumer personal information. The Bill was set aside during the 2019 coronavirus pandemic when priorities shifted to address COVID-related issues. Recently, managing partner of the firm, David Klein, was quoted in Crain’s New York Business explaining that “the bill is based on a landmark California Law – the Consumer Privacy Act of 2018 – but offers several provisions that go beyond the Golden State bill.” A similar bill has also been reintroduced in the New York Assembly. On May 24, 2021, the Act advanced to a third reading in the Senate. The NY Privacy Act is now subject to debate, discussion and explanation.
What are the key provisions of the NY Privacy Act?
Elements of the NY Privacy Act
The NY Privacy Act applies to “legal persons that conduct business in New York or produce products or services that are targeted to residents of New York,” provided that businesses: 1) have annual gross revenues of at least twenty-five (25) million dollars; 2) control or process personal data of one hundred thousand consumers or more; 3) capture personal data of five hundred thousand people nationwide, and control or process personal data of ten thousand consumers; or 4) develop fifty percent of their gross revenue from the sale of personal data, and control or process personal data of twenty-five thousand consumers or more. Entities that are exempt from these requirements include state and local governments and municipal corporations.
Similar to the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Privacy Regulation (“GDPR”), the NY Privacy Act affords consumers the right to exercise more control over their personal data and “requires businesses to be responsible, thoughtful, and accountable managers” of that personal data. The Act provides New York consumers with the right to: 1) know how their data is being used, processed and shared; 2) access and obtain a copy of the data that is being collected about them; 3) correct inaccurate data; and 4) delete their data.
Data brokers would be required to register with the New York State Attorney General on or before January 31st following a year in which they meet the definition of data broker and pay a registration fee of $100.00. Under the Act, a data broker is defined as a person or legal entity “that does business in the state of New York and knowingly collects, and sells to controllers or third-parties, the personal data of a consumer with whom it does not have a direct relationship.” Failing to register as a data broker exposes the business to liability for civil penalties, fees and costs in any action brought by the Attorney General.
The NY Privacy Act imparts enforcement authority to the Attorney General and includes, significantly, a private right of action for New York State consumers. The Attorney General would be empowered to bring an action or special proceeding on behalf of New Yorkers who have been harmed by any violations of the NY Privacy Act. Pursuant to the proposed law, the New York Attorney General would be authorized to seek civil penalties of up to $15,000.00 for each violation of the Act. Additionally, any citizen whose consumer privacy rights had been violated would be able to bring a private right of action to recover actual damages or $1,000.00, whichever is greater, together with attorneys’ fees.
Should the NY Privacy Act pass into law, the Senate is seeking to have it take effect immediately. We will continue to monitor the progress of the Act and update our readers on any changes to the legislation.
New York is one of many jurisdictions that are considering consumer data privacy legislation at this time. As Klein pointed out in the Crain’s article, “with laws already passed in California and Virginia, plus more than 25 under review in other states, companies are worried they will be left balancing a patchwork of regulations. It is very difficult and onerous for companies to tailor their data practices state by state unless you just tailor [them] to the most restrictive statute.”
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.