The New York Privacy Act introduced Jan. 6 includes a private right of action and other data-sharing safeguards for consumers.
01/14/2022 9:00 A.M.
New York is revisiting data privacy legislation this year with a bill that includes a private right of action allowing consumers to sue for violations by businesses.
The New York Privacy Act, reintroduced in the state Senate and Assembly Jan. 6, would “require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.”
New York’s proposed law carries more weight in its enforcement than the laws already on the books in other states, such as Virginia, California and Colorado, because it includes a private right of action.
The proposal’s requirements include:
- Providing consumers a notice on how their data is being used, processed and shared;
- Providing consumers the ability to access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services;
- Providing consumers the ability to correct inaccurate data and to delete their data as well as the ability to challenge certain automated decisions.
The New York Privacy Act would also impose obligations on businesses to maintain reasonable data security for personal data, to notify New York consumers of foreseeable harms arising from use of their data and to obtain specific consent for that use, and to conduct regular assessments to ensure that data is not being used for unacceptable purposes.
These data assessments can be obtained and evaluated by the New York attorney general, who is empowered to obtain penalties for violations of the act and prevent future violations. The act would also grant New York consumers who have been injured as the result of a violation a private right of action, which includes reasonable attorneys’ fees to a prevailing plaintiff.
The act would apply to legal persons that conduct business in New York or produce products or services that are targeted to residents of New York, and that satisfy one or more of the following thresholds:
- An annual gross revenue of $25 million or more.
- Controls or processes personal data of 100,000 or more consumers.
- Controls or processes personal data of 500,000 or more natural persons nationwide or controls or processes personal data of 10,000 or more consumers; or
- Derives over 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
All About Timing in New York
“While this legislation has been introduced before, it’s a different environment during an election year,” said ACA International’s Vice President of State Unit and Government Affairs Andrew Madden.
Madden said New York’s proposed budget is due Jan. 18, which will impact legislative proposals being released early in the month.
If the bill is signed into law during New York’s legislative session, it will take effect immediately except for sections on jurisdiction, consumer rights, third-party responsibilities, limitations and enforcement and private right of action. Those sections would be recognized two years after the law’s effective date and the private right of action would take effect three years after that date.
State vs. Federal Data Privacy Legislation
According to a report from Bloomberg Law, the Uniform Law Commission released a “standardized data protection bill” in July 2021 with the goal of it being a template privacy bill for states.
Colorado and Virginia’s laws will likely also encourage more activity on data privacy in other states, according to the article.
While Washington state’s privacy act has failed to pass for three consecutive years because of disagreements over a private right of action, the report says it is still a state to follow this year, as are Florida and Oklahoma.
ACA will continue to follow these state activities and keep members updated in ACA Daily.
For more state updates, members are invited to join the weekly ACA Huddle at 11 a.m. CDT on Wednesdays.