New York City has become a pilot testing site for new businesses and technologies that rely heavily on the collection of personal data. As a result, there has been a steady increase in consumer complaints about data breaches and corporate use of personal data. These consumer complaints have been answered with a corresponding increase in privacy and cybersecurity legislation. New York has enacted two comprehensive privacy laws in the last four years, with another one pending in 2021.
The New York Privacy Act (NYPA) is becoming the gold standard of data privacy regimes in the United States by setting higher standards and inspiring other states to follow suit. Governor Cuomo claimed that the new regime would require companies that collect New Yorkers’ information to disclose the purposes of the data collection and to collect only the data needed to satisfy those purposes.
For years, countless businesses took advantage of public ignorance and captured personal data unbeknownst to their users. Many business owners themselves are unaware that their businesses are collecting data on New York consumers in ways that would violate existing data privacy law or the NYPA, if enacted. The combined characteristics of the NYPA are so novel—and the bar for consumer consent is so high—that compliance would not be an easy task. In the absence of proper preparation, it may be close to impossible for certain businesses to survive, especially if their primary source of revenue is the sale of consumer data to third parties.
The NYPA will expand consumer protections and create more responsibilities for businesses that collect data on New York residents. In anticipation of the new law, companies must prepare to review their longstanding practices and consider how they may need to change.
Existing New York Law
New York’s data privacy policies have long been one step ahead of most of the US. For example, the New York State Information Security Breach and Notification Act has been in force since December 2005.
Other privacy laws followed. In March 2017, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, Part 500 (Part 500), went into effect. The regulation applies to all financial institutions operating under NYDFS licensure and to those institutions’ third-party service providers. Such institutions must have cybersecurity policies and protections that meet certain standards. Notably, financial institutions must also comply with various federal laws.
Part 500 requires covered entities to adopt robust cybersecurity regimes, which include designating a chief information officer and conducting periodic risk assessments.
Three years later, in March 2020, the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act took effect. The SHIELD Act requires any business that collects private information about New York residents to implement reasonable administrative, technical and physical security measures that meet specific standards. This gives businesses a certain degree of flexibility in deciding how these requirements apply to the data collection methods used in their specific industry.
Under the SHIELD Act, if a business collects or maintains the private information of a New York resident (even if it is based or operates outside of the state), the company is likely “doing business” in New York and must comply with the Act. Additionally, New York residents have the right to be notified when their private information is revealed in a breach.
Proposed New York Privacy Act
The NYPA expands on existing law and introduces provisions similar to the California Consumer Privacy Act (CCPA) and the E.U.’s General Data Protection Regulation (GDPR). It requires companies to disclose their purpose in collecting data and to collect only the data necessary for that purpose. In addition, they must keep personal data “reasonably secure” from unauthorized access. Consumers have the right to know what information a company holds on them, to request that it be corrected or deleted, and to opt out of the sharing of their data with third parties. The bill also includes the following provisions:
- Personal Data Definition. “Personal data” is defined as any information relating, directly or indirectly, to a living individual. This includes personal identifying information such as:
  - Identifiers, such as name, date of birth and addresses.
  - Personal records, such as employment history and financial information.
  - Biometric information, such as facial recognition data.
  - Online information, such as browsing history and user-generated content.
- Covered Entities. The NYPA imposes no minimum threshold on covered entities. This means that the law would apply to any legal entity that conducts business in New York or produces products or services that are intentionally targeted to New York residents.
- Opt-In Requirement. Consumers must explicitly and affirmatively “opt-in” to the collection of their data. Like the GDPR, consent must be affirmative, freely given, specific, informed and unambiguous. Companies cannot rely on implied consent.
- Private Right of Action. A private right of action means that a private person can bring a lawsuit if they are harmed by a violation of the statute. Under the NYPA, consumers have the right to sue companies that violate the Act, but can obtain only actual damages and injunctive relief. The Act also allows consumers to recover attorneys’ fees. If enacted, the NYPA may therefore lead to increased litigation by consumers.
- Data Fiduciary Obligation. A fiduciary duty is the requirement that a person in a position of trust act in good faith on behalf of the party placing that trust in them. It is the highest standard of care and consists of both ethical and legal responsibilities. The NYPA’s data fiduciary obligation requires businesses that collect or store New Yorkers’ personal data to act in those New Yorkers’ best interests—regardless of how that affects the interests of the business.
In addition to the NYPA, other bills are in discussion. These include the Biometric Privacy Act (imposes additional requirements on entities collecting biometric information); the Online Consumer Protection Act (regulates online preference marketing by websites and advertising networks); and the Right to Know Act of 2021 (requires businesses to disclose what categories of data they give to third parties and identify those third parties).
What If You Are “Doing Business” in New York?
Forward-looking companies should act now and adopt certain measures to avoid fees and other hardships later. The first steps include:
- Determining what personal information your business collects and maintains.
- Evaluating the purposes of data collection and data minimization practices in your business.
- Preparing or updating your Privacy Policies and Terms and Conditions.
For comprehensive analysis and protection, those “doing business” in New York should consult with a New York licensed attorney.
Will the NYPA Actually Pass?
The NYPA has been introduced three times already. Its heightened obligations for those “doing business” in New York have led to strong opposition to the bill. Nonetheless, Governor Cuomo made data privacy legislation a high priority for 2021. As businesses continue to collect, use and store the personal data of New Yorkers, data privacy legislation will only become more pressing.
Regardless of whether the NYPA is enacted in its present form, new privacy legislation is likely to evolve in the coming year to keep up with fast-growing technology. Meanwhile, other states continue to consider their own laws. As a result, businesses must be prepared to develop or update their data collection, cybersecurity and privacy policies. Companies should understand what data is collected, from whom, and how that data is stored, processed and protected. An experienced attorney can then assist in determining what laws apply to the busine