New York Privacy Act Advances Past First Committee

Written By Haley Metteauer

On February 8, 2021, the New York Privacy Act (“Act”) was approved by the New York Senate Consumer Protection Committee and reported and committed to the Internet and Technology Committee for Review and approval.  

The purpose of the Act is to “strengthen consumer privacy rights by requiring companies to disclose their methods of de-identifying personal information, placing safeguards around data sharing, and allowing consumers to obtain the names of all entities with whom their information is shared.”

Provisions of the Act

The Act applies to legal persons conducting business in New York State or producing products or services which intentionally target New York State residents, provided that business:

  • Has an annual gross revenue of 25 million dollars or more;

  • Controls or possesses the personal information of 100,000 consumers or more;

  • Receives personal data of 500,000 people nationwide and controlling or processing the personal information of 100,000 consumers or more; or

  • Develops 50% of the gross revenue from selling, controlling, or processing the personal data of 25,000 consumers or more.

The provisions of the Act are similar to those found in many of the privacy legislations Kennedy Sutherland LLP has recently covered. Specifically, the Act will permit a “covered consumer” to:

  • Request a report of the consumer's personal information that businesses are collecting, storing, using, processing, or selling;

  • Consent to the use of the consumer's personal information via “opt-in” measures; and

  • Review the consumer's personal information that businesses are storing and correct any data deemed inaccurate.

However, there are certain provisions which have not been included in the other privacy regulations currently being legislated, such as:

  • Customers are permitted to review and challenge “automated decisions” made by “machine learning, artificial intelligence, or any other automated process” that amounts to a denial of “financial or lending services, housing, public accommodation, insurance, health care services, or access to basic necessities, such as food and water” on the basis of their stored personal information;  and

  • Data brokers—entities knowingly collecting and selling to controllers or third parties the personal data of a consumer without a direct relationship to them—are required to register with and pay a registration fee to the New York Attorney General’s Office or face possible enforcement action under the Act.

Enforcement of the Act includes civil penalties of up to $15,000 per violation, actual damages or $1,000, whichever is greater, or the costs associated with an action brought by the Attorney General, as well as a private right of action for New York State consumers. Providing consumers a private right of action is a feature that has been inconsistent among proposed state privacy legislation.

Considerations for Covered Businesses

If the Act is passed, the New York Senate is proposing that it take effect immediately. Considering the substantial amount of state privacy legislation that is being reviewed and implemented, covered businesses would be best served by reviewing these potential legislative efforts and comparing their current policies and procedures against these provisions.  

Haley Metteauer
Previous

Florida Privacy House Bill Unanimously Passes First Committee
Next

SEC Proposes Buy-Side Cybersecurity Hygiene Rules