On May 13, 2021, New York State Senator Kevin Thomas reintroduced the New York Privacy Act (S6701). With California, Virginia, and Colorado already having comprehensive state privacy laws, New York may be the next state to have one of its own. Having convened for the 2022 Legislative Session on January 5, 2022, New York lawmakers are again considering the New York Privacy Act (S6701A / A680B). As of February 8, 2022, the Senate version of the bill has been reported and committed to the Internet and Technology Committee.
Here are some of the essential details that businesses should know about the proposed legislation:
To whom does the New York Privacy Act apply?
The New York Privacy Act would apply to legal persons that conduct business in New York or produce products or services that are targeted to residents of New York and that satisfies one or more of the following thresholds:
Have annual gross revenue of $25 million or more;
Controls or processes personal data of 100,000 consumers or more;
Controls or processes personal data of 500,000 natural persons or more nationwide, and controls or processes personal data of 10,000 consumers or more; or
Derives over 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 consumers or more.
Which entities and types of information are exempted from the New York Privacy Act?
The New York Privacy Act recognizes several exemptions. For example, this act would not apply to personal data processed by state and local governments, personal data covered under the Gramm-Leach-Bliley Act (GLBA), personal data protected under the Driver’s Privacy Protection Act, personal data covered under the Family Educational Rights and Privacy Act (FERPA), personal data covered under the Farm Credit Act, protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), and other similar federal laws. Data maintained as employment records (for purposes other than a sale) and data collected as part of human subjects research (such as clinical trials) would also be exempted. Furthermore, the New York Privacy Act would not apply to national securities associations regulated by the Securities Exchange Act of 1934.
How does the New York Privacy Act define “personal data”? Is there a separate category for “sensitive data”?
The New York Privacy Act defines “personal data” as “any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device. Personal data does not include de-identified data.”
The bill does not address a defined category for “sensitive data” that would be subject to additional restrictions.
What consumer rights does the New York Privacy Act provide?
Under the New York Privacy Act, consumers have the right to notice, access data, correct, delete, and appeal automated decision-making. A controller that processes a consumer’s data must provide notice publicly and persistently available, conspicuous, and readily accessible manner. Such information must include:
A description of the consumer’s rights;
The categories of personal data processed by the controller and by any processor;
The sources from which personal data is collected;
The identity of each third party to whom the controller disclosed, shared, transferred, or sold personal data along with information regarding the specific categories of personal data, purposes, and retention periods;
The controller’s retention period for each category of personal data;
The average expected revenue per user (ARPU) – or a similar metric – for those controllers engaging in targeted advertising.
The New York Privacy Act requires that notices be written in easy-to-understand language at an 8th-grade reading level or below and updated at least annually.
What is the New York Privacy Act’s perspective on consent?
The New York Privacy Act defines “consent” as “a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer’s agreement to the processing of data relating to the consumer. Consumers can withdraw their consent at any time.
The following do NOT constitute consent:
An agreement obtained through fraud, deceit, or deception;
Any act that does not constitute a user’s intent to interact with another party, such as hovering over, pausing, or closing any content; or
A pre-checked box or similar default.
The New York Privacy Act takes an opt-in consent approach. Before processing, controllers must obtain freely given, specific, informed, and unambiguous opt-in consent.
What responsibilities do controllers, processors, and third parties have under the New York Privacy Act?
Controllers must regularly conduct and document data protection assessments. The New York Privacy Act also imposes a duty of loyalty and care commitment upon controllers. Controllers must also review their retention practices annually and may not discriminate against consumers for exercising their privacy rights. Controllers must also enter into written, signed contracts with any processors before disclosing, transferring, or selling personal data.
Processors must comply with these contracts (for which the New York Privacy Act lists several requirements and restrictions) and are under a continuing obligation to engage in reasonable measures to review their activities.
Third parties are only permitted to process data to the extent allowed and must generally comply with any exercise of a consumer’s privacy rights.
What about data brokers?
Data brokers must register with the attorney general on an annual basis, pay a registration fee of $100 (or some other amount determined by the attorney general), and provide identifying information and a statement describing the method for exercising consumers’ rights and whether they implement a purchaser credentialing process.
The New York Privacy Act would require the attorney general to maintain a statewide registry of data brokers.
Is there a private right of action?
Yes, the New York Privacy Act gives consumers a private right of action in the event of a violation of the opt-in consent, automated decision-making, and controller response sections.
If passed, when will the New York Privacy Act become effective?
Sections 1101 (Jurisdictional scope), 1102 (Consumer rights), 1103 (Controller, processor, and third-party responsibilities), 1105 (Limitations), 1106 (Enforcement and private right of action), and 1107 (Miscellaneous) will take effect two years after the New York Privacy Act becomes law.
The private right of action will have a three-year period to take effect.
The New York Privacy Act bill is currently under active committee consideration. On February 8, 2022, the New York Senate Consumer Affairs Committee voted the senate version of the bill out of committee (5 ayes, one nay). It is currently in the New York Senate Internet and Technology Committee. New York State’s current legislative session is open until early June.
Ocotillo continues to monitor updates to the New York privacy landscape actively. To learn more about the impact the New York Privacy Act may have on your business, please reach out to our team of highly experienced attorneys.