New York Privacy Act

With the New York Privacy Act recently proposed as a bill in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enacted, the law may severely impact businesses by restricting how they collect, use and share consumers’ personal information throughout the State.

Prior to this, a similar bill was introduced in the last legislative session but failed to pass in the assembly. The New York Privacy Act has now been re-introduced in a more refined version, and the industry should watch this bill closely as it moves through the legislative process. The New York Privacy Act is very similar to the California Consumer Privacy Act (CCPA) but is more expansive in its approach and requirements. If enacted, the regulation will give consumers much greater control over their personal information and make businesses more accountable for their operations and business processes.

In today’s article, we cover the details of the proposed New York Privacy Act bill and its possible impact on businesses. Before summarizing the proposed bill, let us first understand what the regulation is all about.

What is the New York Privacy Act?

The proposed New York Privacy Act is a law which, if enacted, will apply to a wide range of businesses. It may apply to any entity that conducts business in New York and handles the personal information of residents of New York State. While there are exceptions for state and local governments, the law may apply to all private entities (including non-profits) that fall within its requirements.

The proposed NY Privacy Law mirrors other privacy regulations such as the California Consumer Privacy Act (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”). In line with those laws, it would give consumers the right to request that businesses correct any inaccurate personal information or delete the personal information held about them.

What does the proposed New York Privacy Act say about Consumer Rights, Consent, & Business Obligations?

Data Subjects

Data subjects or consumers are defined as “a natural person who is a New York resident.” Employees and contractors are specifically excluded from the definition of consumer. Job applicants are not explicitly excluded from the definition of consumer; however, “data sets maintained for employment records purposes” are excluded. There is also no “business-to-business” exemption.

Personal Information

The New York Privacy Act broadly defines personal data and excludes only de-identified or publicly available data from the law.

Business in Scope

Similar to the GDPR and the CCPA, the scope of the NYPA is quite broad. It would apply to any legal entity that conducts business in New York State, or that produces or provides services intentionally targeted at residents of New York State. Notably, there are no thresholds on revenue or on the minimum amount of personal data a company must process to be subject to the law. Further, there is no exemption for individuals or non-profit organizations, although purely household activities are exempted from the law.

Business Obligations

The NYPA creates a fiduciary obligation on businesses to abide by the law and to act in a way that benefits the data subjects from whom they collect, store or process personal data. This simply means that businesses will be held to a higher standard of compliance for the data they collect and use about data subjects. It also means that businesses must act in the best interest of their consumers, even where that is not in the best interest of the business.

Consumer Consent

On consumer consent, the Act clearly states that businesses will require consumers to provide “specific, informed and unambiguous” consent before their personal data is processed or used. Businesses will have to obtain the consumer’s consent specific to each intended use of their data, and separate consumer-specific consent for each intended third party receiving the data. For businesses in the marketing space, this will require separate checkboxes for each of their respective marketing partners.

Consumer Rights

The proposed privacy act, which is very similar to the CCPA and the GDPR, gives consumers the rights of access, rectification/correction, deletion, restriction of processing, and portability. Businesses are expected to act upon consumer requests without undue delay. They are also expected to take “reasonable steps” to inform third parties about the consumer’s request.

Violation & Fines

The NYPA specifies that a consumer who suffers a loss may recover statutory damages of $1,000 or more or actual damages, and $3,000 or actual damages for an intentional violation. However, the law limits the scope of recovery for violations of the Act to injunctive relief and actual damages. This means that, to recover, the consumer must prove that they suffered a loss due to a business’s failure to comply with the NYPA. Further, any person who is aware, based on non-public information, that a person or business has violated this section may file a civil action for civil penalties. This provision would allow suits to be filed by competitors, vendors, and consumer groups based on violations of the law.

What Should Businesses Do?

The New York Privacy Act is still a proposed bill, not legislation in effect that has passed the assembly. Further, as the bill moves through the legislative process, businesses can expect amendments to it. Businesses should keep a close watch on the legislative process to see how and when the law comes into effect. This brings us to a very common question asked by most businesses: how should they approach the data privacy law going forward?

Ideally, an organization should start by conducting a basic assessment of its operations to identify the kinds of data it collects and classify them by level of sensitivity. Understanding what data is collected and processed, and identifying the laws that apply to that data, is the key to your compliance journey.

Once your business gains this basic understanding, the road ahead to establishing a privacy program that fits your organizational blueprint will be much easier. Waiting for the legislation to come into effect isn’t really an option. Preparing for the law now is advisable if your business wants to stay ahead of the curve and gain a better business standpoint.

After all, be it the GDPR, the CCPA or the proposed New York Privacy Act, all of these regulations are more or less similar and share the common agenda of protecting the rights and privacy of consumers’ personal data. So, the sooner your organization takes steps towards initiating a data privacy program, the better placed it will be later on to achieve compliance. Your business will be in a far better position to deal with any such data privacy regulation that comes into effect in the future.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.