The New York Assembly recently reintroduced the New York Privacy Act (the "Act" or "NY Privacy Law") which, if enacted, would severely restrict how businesses can collect, use and share consumer personal information throughout the State. An identical bill was introduced in the last legislative session, but it failed to make it out of committee. Given the new political landscape and the push for more stringent consumer protection laws, this reintroduced NY Privacy Law should be closely watched by the industry as it moves through the legislative process.
What Does the NY Privacy Act Require?
The Broad Scope of Compliance
The proposed NY Privacy Law applies to a wide range of businesses. The Act would apply to "legal entities that conduct business in New York state or produce products and services that are intentionally targeted to residents of New York state." There is an exception for state and local governments, but essentially all private entities (including non-profits) would be subject to its requirements.
The Act would require that consumers provide "specific, informed and unambiguous" consent before businesses can process or use their personal data. The Act's definition of personal data is incredibly broad, and only de-identified or publicly available data would be exempt from this consent requirement. Most importantly, the requirement for "specific" consent may make compliance difficult or impossible in some instances. In theory, businesses would need to obtain consumers' specific consent for each intended use of the data. Businesses would presumably also have to obtain consumers' specific consent for each intended third-party recipient of the data. For businesses in the marketing space, this could require separate check boxes for each of their respective marketing partners.
The proposed NY Privacy Law also mirrors various consumer rights now found in the California Consumer Privacy Act ("CCPA") and the EU's General Data Privacy Regulation ("GDPR"). For example, the Act affords consumers the right to request that a business correct any inaccurate personal information held by that business. The Act also creates a right for consumers to have their personal data deleted. Upon request from the consumer, a business must delete a consumer's personal data "without undue delay." That business must also take "reasonable steps" to inform certain third parties about the consumer's request.
Enforcing the NY Privacy Law
The Act grants enforcement authority to the New York Attorney General and creates a private right of action for affected consumers. Interestingly, this proposed NY Privacy Law does not provide for statutory damages, and it does not specify fines for violations. Consumers would need to prove actual damages, which can be exceedingly challenging. However, the Act does allow consumers to recover attorneys' fees.
As this proposed NY Privacy Law moves through the New York legislature, further amendments are likely. Indeed, both businesses and consumer advocates expressed concerns with an identical bill introduced in last year's legislative session. For example, at a hearing on last year's bill, business groups pushed back against the private right of action. By contrast, consumer advocacy groups tried to increase the scope of covered personal data. The Act would become effective six months after passage into law.
Similar Blog Posts:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.