New York Privacy Act Reintroduced

Life And Privacy

The New York Privacy Act (NYPA) was recently reintroduced in the State legislature for the 2021 – 2022 legislative session. Previous versions were introduced in earlier legislative sessions but did not move forward.

If enacted into law, the NYPA could potentially be the most comprehensive state privacy law in the country, even broader than similar laws in California, Virginia, and Colorado. It would create an expansive set of consumer rights and impose obligations on data controllers (those who determine the purposes and means of processing personal data) and third parties. Similar to other states’ laws, consumer rights under the NYPA would include the right to know the categories of personal data collected, sources, and purposes of collection; identities of outside parties to whom the data is disclosed; info about how data will be used and for how long it will be retained; the right to access, correct and delete their personal information; the right to data portability; and anti-discrimination rights. Data controllers would need to obtain opt-in consent instead of opt-out consent (which other comprehensive state laws provide) prior to using personal data or making processing changes. The State Attorney General would have enforcement authority.

The NYPA would also provide consumers with a broad private right of action (the ability to bring an action themselves for violation of the law), unlike other comprehensive state laws.

In addition, the NYPA would impose upon a data controller a strict legal obligation or “duty of loyalty” not to use consumers’ personal information in a way that would harm them.

Data controllers would also be required to institute certain practices, for example, conduct annual risk assessments and implement reasonable safeguards to protect personal data. The NYPA does not provide for a “cure” period, contained in other comprehensive state laws, during which a violation can be cured before enforcement commences.

At present, the U.S. does not have one comprehensive national law that governs data privacy of all kinds of data (unlike the EU where personal data is governed by the General Data Protection Regulation). The U.S. has national sectoral laws governing specific types of data (for example, certain health data, data relating to consumer financial products, children under 13, credit report data, etc.). In addition, many states have laws regulating specific aspects of data privacy (including biometric data, data brokers, employee monitoring, security breach). These laws differ and often present compliance challenges for companies doing business across state lines.

It will be interesting to see what the NYPA morphs into over the course of the legislative process if it moves forward. If enacted as written, it will be yet another diverse patch in the growing patchwork of conflicting state laws, making comprehensive national privacy legislation all the more logical and likely.

The information contained in this column is provided for informational purposes only and should not be construed as legal advice.

 By Gille Ann Rabbin, Esq., CIPP/US, CIPP/E

Sign up via our free email subscription service to receive notifications when new information is available.