For the second year in a row, the New York State Legislature will consider whether to adopt its own version of the California Consumer Privacy Act ("CCPA"). We have written extensively about the CCPA, including a recent primer on CCPA basics. SB 567 (the "Act"), known colloquially as the NY CCPA, shares a lot in common with its California State counterpart, but it has some key differences. You can read the text of the Act here. Please note that we recently blogged about a competing New York consumer privacy bill which can be found here.
What does the NY CCPA require?
NY CCPA Requirements
Under the proposed legislation, certain businesses must alert consumers that they may sell consumer personal data, and that consumers have the right to opt-out of such sale. Businesses must create and maintain privacy policies that are easily accessible to consumers and include, as needed, New York-specific language to comply with the Act.
The proposed legislation would apply to the following businesses that collect consumer personal data and do business in New York:
- Businesses with gross revenue of over $50 million, regardless of the source;
- Companies that annually sell the personal data of 100,000 or more people or devices; or
- Businesses that derive 50% or more in revenue from selling consumer personal data.
The Act would provide consumers with more rights to control their personal data, including how businesses use it and what data businesses retain. For example, consumers would have the right to know, upon request, the categories of personal data that a company maintains, whether the company sold any of the data to third parties and, if so, the identities of such third parties.
Differences with the CCPA in California
The biggest and most consequential difference between the CCPA and the proposed NY CCPA is the creation of a private right of action with statutory damages equaling the greater of $1,000 or actual damages per violation, and $3,000 for willful violations. The CCPA affords individuals only a very narrow private right of action, limited to data security breaches and for violations involving the most personal of consumer data (e.g., social security numbers, bank account information, and medical information). By comparison, damages awarded under the California CCPA range from $100 to $750 per violation, significantly less than the proposed range for the NY CCPA. Beyond that narrow exception, California explicitly limits enforcement for other CCPA violations to the Office of the Attorney General. The NY CCPA, on the other hand, would create a right of action for individuals to sue companies that violate any part of the Act.
The NY CCPA would require that individuals first request that the Attorney General of New York bring suit against particular companies for violations of the act. If the Attorney General fails to file suit against an offending company within 90 days of the complaining party's notice, then the individual that complained may file suit itself against the alleged violator. If the private party brings an action, it would be entitled to between 25-50% of the resulting settlement or judgment amount for bringing the case.
Practically speaking, this broad private right of action would likely result in increased litigation against companies that collect, store, and sell New York consumer personal data. The NY CCPA brings into sharp focus the importance of consumer privacy and data protection policies and procedures.
Similar Blog Posts:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.