New York Consumer Privacy Bill is to be Reintroduced
On 13th May 2021, New York State Senator Kevin Thomas, the Chair of New York’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”). The act is designed to be a comprehensive consumer privacy law. It is said to be similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”).
This latest version of the NYPA is less ambitious than its predecessor. The previous bill applied to any “legal entities that conduct business in New York”, and also covered businesses that produce products or services that “intentionally target” New York residents. This section has now been removed. It would have meant that small-to-medium size businesses, and potentially not-for-profit organisations, would have been subject to the law.
The NYPA requires businesses to follow a “privacy before profits” approach. This is done via a concept known as the “data fiduciary”.
A fiduciary duty is the highest standard of care imposed by law. So, under the NYPA, businesses would owe fiduciary duties to their consumers with respect to their data. The NYPA provides that, as part of this fiduciary duty, legal entities shall not use, process, or transfer to a third party a data subject’s personal data without their express and documented consent. Each legal entity, and its affiliates, collecting, selling or licensing personal data shall be bound by the fiduciary duty.
However, the NYPA surpasses the aforementioned regulations in some important areas.
Data Controller Requirements
Under the NYPA, data controllers must:
- collect opt-in consent from consumers before processing their personal data;
- provide records of processing activities, including the outside parties to whom they disclose personal data;
- respond to data access requests and requests to correct personal data;
- make disclosures about their automated decision-making activities and afford consumers the opportunity to challenge automated decisions; and
- conduct and publish assessments of the impacts of their automated decision-making processes.
The NYPA would impose duties of loyalty and care on data controllers. This includes a requirement to carry out an annual risk assessment of all of the data controller’s data processing activities, with a particular focus on advertising and data sales activities. The bill declares that these activities “shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”
New York Consumer Choice
“Consumers should have a right to choose how and if their personal information is collected and used by companies,” said Senator Thomas in his reintroduction of the NYPA. “New Yorkers deserve to know that businesses who are collecting, processing and protecting their personally identifiable information are doing so ethically and responsibly. The New York Privacy Act will set new, ground-breaking standards for comprehensive privacy legislation. It will advance consumer privacy rights and create stronger industry standards. This will empower businesses to enhance consumer confidence by putting privacy and security front-and-centre.” If passed into law, it will be stronger than the GDPR.
The NYPA Components
The NYPA would apply to legal persons that conduct business in New York State, or that produce products or services intentionally targeted to residents of New York State, and that also satisfy at least one of the following thresholds:
- annual gross revenues of $25M or more;
- control or process the personal data of at least 100,000 New York residents;
- control or process the personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents; or
- derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 New York residents.
Exemptions
The bill would not apply to:
- state and local governments;
- personal data that is regulated by HIPAA, HITECH, FERPA, DPPA or GLBA; and
- data sets maintained for employment records purposes, for purposes other than sale.
Personal Data, Consumers and their Rights
Similar to the CCPA and CDPA, the NYPA defines personal data broadly. This includes “any data that is identified or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device”. However, unlike the CPRA, CDPA or the GDPR, the New York bill does not include a category of “sensitive data” to which heightened protections apply.
The NYPA defines “consumer” as “a natural person who is a resident of New York acting only in an individual or household context.” The NYPA states that the definition of consumer does not include a “natural person acting in a commercial or employment context.”
The NYPA provides consumers with a broad set of rights over their personal data, including the rights to:
- receive clear notice of how their data is being used, processed and shared;
- provide or withhold consent for the processing of their data for any purpose;
- access and obtain a copy of their data in a commonly used electronic format, making it transferable;
- remedy any errors in their personal data;
- have their data deleted when asked; and
- challenge certain automated decisions.
New York Consumer Privacy Notices
Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” We assume that this is so Donald Trump can read it.
New York privacy notices must have an effective date and be updated every year, and the previous six years of notices must be available on demand. The notice must include declarations about the sources of the data and the third parties to whom data is disclosed, including how each third party will process the data and the applicable retention periods.
There are rights around non-discrimination for those who exercise their rights under the law.
Data security is covered: all controllers must conduct and document a risk assessment of all current processing activities. Data controllers must also develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of consumers’ personal data.
Data controllers must adopt reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data. The NYPA also imposes requirements related to data retention, data disposal and vendor management.
Enforcement and Right of Action
The NYPA authorises the Attorney General to bring an action or special proceeding where it appears that a person has engaged, or is about to engage, in a violation of the law. Civil penalties are not more than $15,000 per violation, and each instance of unlawful processing counts as a separate violation. The NYPA would also grant consumers a private right of action to enjoin violations of their rights under the law. They can seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees.
An organisation found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.
Whether or not this bill makes it into law, it demonstrates that the US is moving in the right direction when it comes to data protection. What is most striking is the requirement for plain English in public privacy notices and that they be updated every year, with older notices retained for accountability.
The data rights look very familiar, with accountability evident throughout. However, the lack of sensitive data protection is a concern and seems out of touch with modern thinking. In addition, a consumer who might describe themselves as self-employed or a sole trader seems not to have any protection whatsoever.
If you are a New York business or a business that targets New York, we can help you.
So, call us today on 03333 22 1011 or overseas on +1 44 1932 887889 or contact us here.