What is the New York Data Privacy Act?

New York’s Data Privacy Act has not yet been passed into law, but should it get approved, it would become the nation’s most sweeping and intensive protection of consumer data privacy rights.

Proposed in Senate Bill S6701 and the companion Assembly Bill A680A, NY’s Data Privacy Act proposes to help New York citizens control their personal data and privacy rights by requiring companies to:

• Collect opt-in consent from consumers prior to utilizing their personal data for any reason.
• Provide detailed disclosures on how 3rd parties are using the personal data that they provide.
• Respond and react to consumer requests to update, delete, or correct personal data they’ve collected.
• Provide disclosures explaining automated decision-making activities and giving consumers the ability to challenge any automated decisions.
• Run studies and publish assessments on how the automated decision-making processes impact consumers.
• Run an annual risk assessment of all data processing activities.

Many experts agree that the current form of the NY Privacy Act includes broader data and personal privacy protections rules than existing CCPA and CPRA laws recently introduced by the state of California.

Who Will Need to Comply with the NY Data Privacy Act?

The NY Data Privacy Act will apply to any organization that meets or exceeds the following thresholds: 

• Annual gross revenues of $25 million or more.
• Controlling or processing the personal data of at least 100,000 New York consumers.
• Controlling or processing the personal data of at least 500,000 individuals nationwide and 10,000 New York consumers.
• Deriving over 50% of gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 New York consumers.
• Just like the CCPA and VCDPA do not define “doing” or “conduct[ing]” business in California or Virginia, the NYPA does not define “conduct[ing] business in New York”.  

The law allows exemptions for state and local government organizations, and for personal data that is already regulated by HIPAA, HITECH, FERPA, DPPA, GLBA, as well as any “data sets maintained for employment records purposes or for purposes other than sale.”

There are also exemptions for types of personal data too, including:

• Personal data collected, processed, sold, or disclosed in accordance with Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, U.S.C. Sec. 1232g, Farm Credit Act of 1971, section two-d of the education law.
• Data maintained for employment records, patient identifying information, protected health information, data collected for research on human subjects like clinical trials, etc., is exempt.

How Does the NY Privacy Act Differ from Other Data Privacy Laws?

The biggest difference between the NY Privacy Act and other recently introduced privacy laws is that the NY act goes much further in regulating organization’s ability to process, store, and utilize personal data.

The single-biggest and most important difference includes the requirement that an organization must receive opt-in consent from consumers before utilizing their data for any purpose. 

None of the current personal privacy laws proposed elsewhere require up-front opt-in consent, so this is a major deviation from the status quo.

Other significant differences between the NY Privacy Act and similar data privacy laws include requiring organizations to:

• Provide detailed disclosures about the activities of any third parties to whom they disclose personal data.
• Make disclosures about their automated decision-making activities, giving consumers the opportunity to challenge automated decisions, and conducting and publishing assessments on the impacts of their automated decision-making processes.
• Respond to consumer requests to correct personal data (though this is similar to the requirements introduced by California’s CCPA and CRPA).

This law goes much further than other similar legislation covering data privacy protections.

Accordingly, should the law be passed, it may require significant work to ensure that any organization trading in personal data is able to abide by the new restrictions and regulations.

What are the NY Privacy Act Penalties for Failure to Comply?

Violations can result in civil penalties, with fines of up to $15,000 per violation.

Under the written guidelines, penalties will be determined based on the nature, severity, duration, willfulness, and persistence of the misconduct.

Violations are counted per consumer, so it’s quite easy for any organization, especially one that trades in large volumes of data, to rack up expensive penalties should it fail to comply with the new regulations.

When does the NY Privacy Act Go into Effect?

To be clear, this law has not yet been passed, and there’s no telling exactly when it could officially go into law.

The NY Privacy Act will not go into effect until it is first passed by the NY Senate, and then signed into law by the Governor of New York.

How Can I Ensure That My Organization is In Compliance?

While the NY Privacy Act enters unprecedented territory due to issuing far more stringent legal restrictions than any other current data privacy protection legislation, there are solutions available for ensuring compliance.

To ensure that your organization operates in compliance with the NY Data Privacy act, we suggest:

• Running a comprehensive data mapping to understand how your organization acquires personal data, how it processes it, and who controls it.
• Performing a gap analysis to identify and close any data privacy gaps in your process, including: 
• Ongoing compliance management
• Efficient responses to privacy requests
• Training to ensure that your entire organization’s policies and procedures are up to date and compliant with the new law.
• Bi-annual audits to incorporate changes to your business practices and processes.

In the wake of other recent data privacy laws like GDPR and CCPA, MatrixPoint has developed a process that will ensure your organization is in compliance with all of the complex data privacy protections included in the NY Privacy Act.

Contact MatrixPoint for Assistance

For assistance in figuring out how to respond to the passing of the NY Data Privacy Act, schedule a free consultation with MatrixPoint. 

Call us at 800-683-6983, or simply fill out our contact form.