Over the past several years, companies have been figuring out how to best adapt to new data privacy regulations that arose from the EU’s GDPR and California’s CCPA. If one of the nation’s largest legal and consumer markets has its way, however, in-house attorneys will have yet another major piece of privacy legislation to contend with.
NY State Senate Bill S6701, better known as the New York Privacy Act (NYPA), is currently winding its way through relevant senate committee approvals. The NYPA, which evolved from a similar bill introduced in 2019, will impose new data collection and processing restrictions on companies that conduct business in New York State or target New York State residents.
Organizations would also need to meet one or more of the following criteria to fall under the NYPA’s jurisdiction:
Much like the GDPR and CCPA, the NYPA would grant New York residents the right to access, delete, and correct data that companies collect on them.
They will also have the right to request a portable copy of their data.
Companies affected by the law would need to respond to verified consumer requests within 45 days (subject to some exceptions) and could face actions brought by the state attorney general or New York residents.
New York residents would be able to pursue the greater of $1,000 or actual damages, and could also seek attorney’s fees.
Private actions could also be brought on a class-wide basis—giving the law considerably more bite than California’s CCPA.
The NYPA mirrors its U.S. state and European counterparts in some aspects, while also imposing unique requirements to companies looking to do business with New Yorkers. These developments should keep in-house counsel busy should the law pass—as expected.
When analyzing the NYPA, in-house counsel should first assess is whether the act even applies to their organizations.
For example, organizations whose practices would otherwise be regulated by HIPAA, the GLBA, or certain FDA data collection regulations would be exempt from the law.
The NYPA also does not govern data such as employee records, patient safety work product, and personal data collected to determine an individual’s creditworthiness or credit rating. In-house counsel should consult § 1101(2) of the bill to assess whether any of the bill’s exemptions would apply to their organizations.
In-house attorneys, however, will likely be more focused on how their companies are structuring their internal data collection policies and responding to requests and subpoenas raised under the NYPA.
Some activities that could lead to NYPA liability include:
To respond to these concerns, in-house counsel should document their procedures in detail and produce these procedures to the AG’s office in a manner suitable to their defense strategies. As part of this, in-house counsel should thoroughly document their opt-in workflows, maintain detailed protocols and plans regarding their safeguard testing and data dissemination practices, and store their contracts with data brokers involved in the data collection process in an accessible manner.
Additionally, counsel will also need to work with IT personnel to ensure that any portable data meets the parameters of consumers’ requests and that this data is produced in a “structured, commonly used and machine-readable format” to either the consumer or the consumer’s designated representative.
They may also consider implementing separate opt-in, collection, storage, and dissemination procedures for enterprise customers and private individuals, as the bill’s current definitions of “consumer” and “natural person” exclude individuals acting in a “commercial or employment context.”
While the NYPA is not yet law, it does offer a preview of the potential scenarios businesses could face in a more privacy-conscious New York. In-house attorneys should plan to convene with pertinent stakeholders to determine how to best respond to the New York legislature’s desire to bolster consumer privacy protections.
As with any developing legislation, it is never too early to start preparing.