Written By Pravin Mehta
Updated on Jun 23, 2021
New York lawmakers have proposed several consumer privacy protection bills in 2021. Amongst these, Senate Bill S6701 and its companion Assembly Bill A680A are two prominent bills that propose the enactment of the New York Privacy Act 2021.
Senate Bill S6701, introduced on May 12 in the State of New York 2021-2022 Regular Sessions, advanced to the Third Reading on May 24 and is now on the Floor Calendar for final voting. Likewise, Assembly Bill A680A was amended and recommitted to the Committee on Consumer Affairs and Protection on May 27 and is slated to appear for voting on the Floor Calendar.
The passing of these bills will result in the enactment of the New York Privacy Act that will focus on protecting consumers’ personal data and privacy. The NY Privacy Act obligates companies to disclose their methods of de-identifying personal data and install safeguards for personal data sharing. It also empowers consumers with the right to know the details of the entities having access to their data.
As per S6701 (ACTIVE) – SPONSOR MEMO, the NY Senate Privacy Act is focused on helping New York citizens regain their privacy by obligating companies to acquire the consumers’ consent before processing their personal data. The Law empowers New York consumers to exercise greater control over their personal information and sets forth provisions for businesses to manage personal data responsibly and lawfully.
The following are the key provisions to protect consumer data privacy in the NY Privacy Act 2021:
1. Right to Notice
The Law requires companies to notify the consumers of the following:
2. Opt-in Consent
The New York Privacy Act requires companies to seek unambiguous and informed opt-in consent from consumers to allow the following:
The company’s request for opt-in consent must clearly describe the category and purpose for collecting & processing the data. It should clearly present the option to provide only the consent necessary for particular services or goods and provide a clear option to deny consent. The Law also requires the opt-in consent request to include the details of any third-party involvement for sharing, disclosing, transferring, or selling the personal data. Additionally, the consent request must include the categories and retention period of such data.
3. Right to Access, Port, & Correct Data
As per the New York Privacy Act, companies need to take the following actions on receipt of a valid request from a consumer:
4. Right to Delete
The NY Privacy Act empowers consumers to request permanent deletion of their personal data in possession of companies. The “Right to Delete” lays down the following mandates for companies:
Other provisions under the Consumer Rights section of the New York Privacy Act 2021 include automated decision-making, responding to requests, and implementation and non-waiver of rights.
Section 1103 of the New York Privacy Act obligates companies to develop, implement, and maintain adequate measures to protect the security, confidentiality, and integrity of consumers’ personal data. It categorically states that companies collecting personal data should restrict its use and retention to the extent necessary to provide the service and only until the end of the opt-in consent duration.
The Law states that companies must dispose of all redundant personal data at least annually, or at the latest by the end of the consent duration. While meeting these obligations, companies must not discriminate against consumers exercising their rights in accordance with the New York Privacy Act.
The New York Privacy Act applies to all legal entities that conduct business in New York or target products or services to New York residents and meet the following conditions:
The following types of personal data are exempt under the NY Privacy Act:
Violation of the NY Privacy Act can result in a civil penalty of up to $15,000 per violation based on nature, severity, duration, willfulness, and persistence of the misconduct. The Law counts unlawful processing of every consumer’s personal data individually, i.e., for every 10 instances, the penalty could sum up to $150,000.
In recent years, the world has seen the emergence of many data protection laws like GDPR, CCPA, & the like. The table below summarizes their similarities and differences:

| Points of Consideration | NY Privacy Act | SHIELD Act | CCPA | GDPR |
| --- | --- | --- | --- | --- |
| Official Title | New York Privacy Act – Senate Bill S6701 | Stop Hacks and Improve Electronic Data Security Act – Senate Bill S5575B | California Consumer Privacy Act of 2018 | General Data Protection Regulation (EU) 2016/679 |
| Official Summary | “Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.” | “Relates to notification of a security breach; includes credit and debit cards; increases civil penalties.” | “The California Constitution provides for the confidentiality of personal information & requires a business or person that suffers a breach of security of computerized data to disclose that breach, as specified.” | “The toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.” |
| Key Objective | Help New Yorkers regain their privacy | Widen the scope of information covered under the data breach notification law | Give consumers more control over their personal data collected by businesses | Protect the personal data of natural persons in the EU |
| Territorial Scope | New York | New York | California | European Union |
| Jurisdictional Scope | Entities that conduct business in New York and meet specific criteria | Companies holding the data of New York residents | For-profit businesses that operate in California and meet specific conditions | Company or entity that processes personal data and has a branch in the EU, or companies outside of the EU monitoring the behavior of EU residents or selling to them |
| Key Provisions | | Notification of data breach to the affected individuals, Attorney General, New York Department of State, and the Office of IT Services | | |
| Max. Penalty | Up to $15,000 per violation | Up to $250,000 | Up to $7,500 per intentional violation | €20 Million or 4% of global revenue |

In the past two years, the proposal of several new bills has led to the shaping of a more stringent and localized data privacy landscape in the US. Regulations like CCPA, SHIELD, Nevada Privacy Law, and Maine Privacy Law are some of these state-level laws, heralding an era that prioritizes the resident consumers’ privacy and the need for securing their personal data (at all times). A standout action for businesses and other entities in the purview of these laws is to install policies, practices, and ethics that enable data privacy as a supreme denominator of their commercial operations. “Playing by the rulebook” is crucial for businesses to sustain and thrive in the markets governed by data privacy laws.
The New York Privacy Law is no different in that it obligates companies to handle consumer data responsibly, in line with the mandates, to ensure total data privacy. Failing to comply can lead to significant penalties, and in-depth know-how and timely action are imperative for attaining compliance!