The New York legislature is currently in talks to implement a consumer privacy law, much like California and Virginia have done; however, the New York Privacy Act (NYPA), which died in committee last year, goes above and beyond the obligations of both those laws in a number of ways. The NYPA, currently S6701 in the Senate and A680A in the Assembly, is one of more than 50 privacy bills that have been introduced so far in the 2021-2022 legislative session and, as of this writing, has been advanced to a third reading and vote in the Senate and Assembly.
The NYPA looks similar to the only other state privacy laws – the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA) – in many ways. All three provide consumers with certain rights, such as the right to know, the right to access and the right to deletion. However, key differences include the private right of action and how consent is handled.
Like California and Virginia’s laws, if passed, the NYPA would have an extraterritorial scope, meaning a business would not have to be located in New York for it to fall within the scope of this law. Any business that provides goods or services to New York residents and has an annual gross revenue of at least $25 million must abide by the NYPA.
The NYPA takes a page from the EU General Data Protection Regulation regarding consent and prohibits businesses from collecting or processing the personal data of a consumer unless and until the consumer consents to such activity; that is, the act requires “opt-in” as opposed to “opt-out” consent.
The NYPA specifically requires businesses to present a standalone disclosure when requesting consent and disallows the business from defaulting to consent for processing (a.k.a., no pre-ticked boxes). In fact, the option to decline consent must be clearly presented, as well as an option to consent to only the personal data necessary for the purpose of the processing. Ignoring the notice by either clicking away from the pop-up or closing it would not equal consent (something that I do more often than I would like to admit).
Additionally, a business would have to provide consumers with a mechanism to withdraw consent. Not only that, but if a business is merged into another or acquired, then consent is automatically withdrawn.
Data Subject Rights
The NYPA grants rights that will look familiar to any privacy professional: the right to know whether, how and for what purpose their personal information is being processed, right to access, portability, correction, deletion, and notice of automated decision making (in specified contexts). And businesses have a requirement to respond to the above requests within 45 days – as in CCPA.
Private Right of Action
Under the law, a New York consumer would be able to bring an action against a business for any violation of their privacy rights. This provides consumers with more opportunities for redress than both the other laws, as CDPA has no private right of action and CCPA’s is limited to data breach. If successful, a consumer would recover the greater of actual damages or $1,000, in addition to the possibility of attorneys’ fees.
The private right of action is perhaps the most contentious provision to include in a privacy bill. It has killed the likes of the Washington Privacy Act and the Florida Privacy Protection Act, so this will be an interesting element to watch.
Data Broker Rules and Obligations
If passed, New York would be the third state in which data brokers would need to register with the Attorney General’s office. Similar to Vermont and California, data brokers would pay an annual registration fee of at least $100. The New York bill has an added twist, however, requiring that controllers annually provide to the state Attorney General’s Office a list of brokers they provided personal information to, and businesses may not sell personal information to unregistered data brokers.
Other Obligations on Businesses
If passed, the NYPA would impose additional burdens on businesses, including annual audits and a requirement to delete personal information that is no longer needed. It also requires businesses to put in place data protection agreements with third parties with which they share personal information. All of these obligations will come at a cost to businesses needing to comply with the act.
A Bridge too Far?
If passed, the NYPA would one-up the California Consumer Privacy Act, providing for stronger consumer protections and imposing onerous (some say “likely impossible”) requirements on businesses. Between providing opt-in consent, having to keep up with data brokers registered in New York, and conducting annual audits and retention reviews, complying with the NYPA would have a significant impact on businesses that operate in New York.
If history tells us anything, between the private right of action and opt-in consent (which caused Oklahoma’s bill to stall out), the NYPA’s chances of passing as-is are slim. Corporate interests are likely to oppose it, given the cost of continuing to do business in New York while taking on the obligations under the NYPA. Though the NYPA may not make it through, legislatures throughout the states are proposing more and more privacy bills, and the bills are seeking more and more transparency and rights for consumers.
Having a privacy program that can adapt quickly and effectively to laws such as the New York Privacy Act can go a long way to keep up with the changing landscape of privacy compliance.