New York lawmakers have proposed several consumer privacy protection bills in 2021. Amongst these, Senate Bill S6701 and its companion Assembly Bill A680A are two prominent bills that propose the enactment of the New York Privacy Act 2021.
Senate Bill S6701, introduced on May 12 in the State of New York 2021-2022 Regular Sessions, had advanced to the Third Reading on May 24 and is now on Floor Calendar for final voting. Likewise, Assembly Bill A680A was amended and recommitted to the Committee on Consumer Affairs and Protection on May 27 and is slated to appear for voting on the Floor Calendar.
The passing of these bills will result in the enactment of the New York Privacy Act that will focus on protecting consumers' personal data and privacy. The NY Privacy Act obligates companies to disclose their methods of de-identifying personal data and install safeguards for personal data sharing. It also empowers consumers with the right to know the details of the entities having access to their data.
New York Senate Privacy Act 2021— Purpose & Key Provisions
As per S6701 (ACTIVE) – SPONSOR MEMO, the NY Senate Privacy Act is focused on helping New York citizens regain their privacy by obligating companies to acquire the consumers' consent before processing their personal data. The Law imparts New York consumers to exercise greater control over their personal information and sets forth provisions for businesses to manage personal data responsibly and lawfully.
The following are the key provisions to protect consumer data privacy in NY Privacy Act 2021:
1. Right to Notice
The Law requires companies to notify the consumers of the following:
- Consumers' rights, including withdrawal of consent, concerning their data
- Categories of personal data processed by the company or any third-party entity
- Identity of all parties to whom the company discloses, shares, transfers, or sells the personal data
- The source and purpose of data collection & processing
- The retention period for each category of personal data collected & processed
- Whether the personal data is used for targeted advertising and the expected Average Revenue Per User (ARPU) generated through targeted advertising
2. Opt-in Consent
The New York Privacy Act mandates the companies to seek unambiguous and informed opt-in consent from consumers to allow the following:
- Processing of personal data
- Changes in the purpose, method, or scope of collecting personal data
The company's request for opt-in consent must clearly describe the category and purpose for collecting & processing the data. It should clearly present the option to provide only the consent necessary for particular services or goods and provide a clear option to deny consent. The Law also requires the opt-in consent request to include the details of any third party involvement for sharing, disclosing, transferring, or selling the personal data. Additionally, the consent request must comprise the categories and retention period of such data.
3. Right to Access, Port, & Correct Data
As per New York Privacy Act, companies need to process the following action on receipt of a valid request from a consumer:
- Confirm whether the personal data is processed
- Provide access to the consumer's personal data in a structured and machine-readable format
- Provide the identity of each processor, including third parties to whom personal data is disclosed, transferred, or sold
- The category of personal data shared and its purpose
- Freely transmit the data to another person as per the consumer's specification
- Investigate any inaccuracies brought up in the personal data by a consumer and correct those as necessary within a defined timeframe.
4. Right to Delete
The NY Privacy Act empowers consumers to request permanent deletion of their personal data in possession of companies. The "Right to Delete" lays down the following mandates for companies:
- A company or controller must delete the consumer's personal data upon receipt of a verified request for deletion
- The company should communicate the deletion request to all the third parties to whom it had shared or disclosed the personal data.
- The company should delete the personal data associated with deleted user accounts.
- A company must establish procedures to avoid any reoccurrence of the deleted data in its systems.
Other provisions under the Consumer Rights section of the New York Privacy Act 2021 include automated decision-making, responding to requests, and implementation and non-waiver of rights.
NY Privacy Act [Section 1103]: A Note on Personal Data Protection
Section 1103 of the New York Privacy Act obligates companies to develop, implement, and maintain adequate measures to protect the security, confidentiality, and integrity of consumers' personal data. It categorically states that companies collecting personal data should restrict its use and retention to the extent necessary to provide the service and only until the opt-in consent duration.
The Law states that companies must dispose of all the redundant personal data at least annually or latest by the end of the consent duration. While meeting the obligations, the companies must not discriminate against consumers exercising their rights in accordance with the New York Privacy Act.
Jurisdictional Scope & Exemptions
The New York Privacy Act applies to all legal entities that conduct business in New York or target products or services to New York residents and meet the following conditions:
- Have annual gross revenue of US$25 million or more
- Control or process the personal data of 100,000 consumers or more
- Control or process the personal data of 500,000 natural personal or more nationwide, and controls or processes the personal data of 10,000 consumers
- Generate more than 50% of gross revenue by selling personal data and control or process the personal data of 25,000 consumers or more.
The following types of personal data is exempt under the NY Privacy Act:
- Personal data processed by government bodies for processes other than sale
- Personal data collected, processed, sold, or disclosed in accordance with Gramm-Leach-Bliley Act, Driver's Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, U.S.C. Sec. 1232g, Farm Credit Act of 1971, section two-d of the education law.
- Data maintained for employment records, patient identifying information, protected health information, data collected for research on human subjects like clinical trials, etc., is exempt.
New York Privacy Act: Know the Penalties
Violation of the NY Privacy Act can result in a civil penalty of up to $15,000 per violation based on nature, severity, duration, willfulness, and persistence of the misconduct. The Law counts unlawful processing of every consumer's personal data individually, i.e., for every 10 instances, the penalty could sum up to $150,000.
NY Privacy Act, SHIELD Act, CCPA, & GDPR— Quick Comparison
In recent years, the world has seen the emergence of many data protection laws like GDPR, CCPA, & the like. The below table summarizes their similarities and differences:
|
Points of Consideration
|
NY Privacy Act
|
SHIELD Act
|
CCPA
|
GDPR
|
|
Official Title
|
New York Privacy Act –Senate Bill S6701
|
Stop Hacks and Improve Electronic Data Security Act – Senate Bill S5575B
|
California Consumer Privacy Act of 2018
|
General Data Protection Regulation (EU) 2016/679
|
|
Official Summary
|
"Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared." Source
|
"Relates to notification of a security breach; includes credit and debit cards; increases civil penalties." Source
|
"The California Constitution provides for the confidentiality of personal information & requires a business or person that suffers a breach of security of computerized data to disclose that breach, as specified." Source
|
"The toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU." Source
|
|
Key Objective
|
Help New Yorkers regain their privacy
|
Widen the scope of information covered under the data breach notification law
|
Give consumers more control over their personal data collected by businesses
|
Protect the personal data of natural persons in the EU
|
|
Territorial Scope
|
New York
|
New York
|
California
|
European Union
|
|
Jurisdictional Scope
|
Entities conducting business in New York and meet specific criteria
|
Companies holding the data of New York residents
|
For-profit businesses operating in California and meet specific conditions
|
Company or entity that processes personal data and has a branch in EU, or companies outside of EU monitoring the behavior of EU residents or selling to them
|
|
Key Provisions
|
- Right to Notice
- Opt-in consent
- Right to access, port, & correct data
- Right to delete
|
Notification of data breach to the affected individuals, Attorney General, New York Department of State, and the Office of IT Services
|
- Right to know
- Right to delete
- Right to opt-out
- Right to non-discrimination
|
- Right to access
- Right to restriction of processing
- Right to portability
- Right to rectification
- Right to object
- Right to erasure
|
|
Max. Penalty
|
Up to $15,000 per violation
|
Up to $250,000
|
Up to $7,500 per intentional violation
Up to $2500 per unintentional violation
|
€20 Million or 4% of global revenue
|
New York Privacy Act— the Era of Localized Laws Has Arrived
In the past two years, the proposal of several new bills has led to the shaping of a more stringent and localized data privacy landscape in the US. Regulations like CCPA, SHIELD, Nevada Privacy Law, and Maine Privacy Law are some of these state-level laws, heralding an era that prioritizes the resident consumers' privacy and the need for securing their personal data (at all times). A standout action for businesses and other entities in the purview of these laws is to install policies, practices, and ethics that enable data privacy as a supreme denominator of their commercial operations. "Playing by the rulebook" is crucial for businesses to sustain and thrive in the markets governed by data privacy laws.
The New York Privacy Law is no different in that it obligates companies to handle consumer data responsibly, in line with the mandates, to ensure total data privacy. Failing to comply can lead to significant penalties— and, in-depth know-how and timely action are imperative for attaining compliance!
