Over the past several years, companies have been figuring out how to best adapt to new data privacy regulations that arose from the EU’s GDPR and California’s CCPA. If one of the nation’s largest legal and consumer markets has its way, however, in-house attorneys will have yet another major piece of privacy legislation to contend with.
NY State Senate Bill S6701, better known as the New York Privacy Act (NYPA), is currently winding its way through the relevant senate committee approvals. The NYPA, which evolved from a similar bill introduced in 2019, would impose new data collection and processing restrictions on companies that conduct business in New York State or target New York State residents.
Organizations would also need to meet one or more of the following criteria to fall under the NYPA’s jurisdiction:
- Have annual gross revenues of $25 million or more
- Control or process the personal data of 100,000 New York consumers or more
- Control or process the personal data of 500,000 or more natural persons, and of at least 10,000 New York consumers
- Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 New York consumers
Much like the GDPR and CCPA, the NYPA would grant New York residents the right to access, delete, and correct data that companies collect on them.
Residents would also have the right to request a portable copy of their data.
Companies affected by the law would need to respond to verified consumer requests within 45 days (subject to some exceptions) and could face actions brought by the state attorney general or New York residents.
New York residents would be able to pursue the greater of $1,000 or actual damages, and could also seek attorney’s fees.
Private actions could also be brought on a class-wide basis—giving the law considerably more bite than California’s CCPA.
How to Prepare for the New York Privacy Act
The NYPA mirrors its U.S. state and European counterparts in some aspects, while also imposing requirements of its own on companies looking to do business with New Yorkers. These developments should keep in-house counsel busy should the law pass, as expected.
The first question in-house counsel should assess when analyzing the NYPA is whether the act applies to their organizations at all.
For example, organizations whose practices would otherwise be regulated by HIPAA, the GLBA, or certain FDA data collection regulations would be exempt from the law.
The NYPA also does not govern data such as employee records, patient safety work product, and personal data collected to determine an individual’s creditworthiness or credit rating. In-house counsel should consult § 1101(2) of the bill to assess whether any of the bill’s exemptions would apply to their organizations.
In-house attorneys, however, will likely be more focused on how their companies are structuring their internal data collection policies and responding to requests and subpoenas raised under the NYPA.
Some activities that could lead to NYPA liability include:
- Deploying misleading web designs or user-interface obstacles that interfere with consumers' ability to give clear, affirmative opt-in consent
- Drafting consumer notices in language above an eighth-grade reading level
- Responding to verified requests for portable data by producing inaccessible and unreadable files
- Failing to provide users with complete information about third parties
- Failing to calculate and disclose your organization's average expected revenue per user (ARPU) to users during the opt-in process if you collect personal information for targeted advertising
- Failing to use safeguards commensurate with the types of data your organization collects, to evaluate those safeguards annually, and to keep those evaluations on file for at least six years
- Engaging in discriminatory activity against users who do not affirmatively opt in, such as charging different pricing or limiting access to offered products and services
- Failing to provide reasonable grounds for declining to comply with an NYPA subpoena in connection with an AG investigation, since such a refusal would toll the proposed six-year statute of limitations the AG's office would have to file suit
Compliance and Discovery Tactics In-House Counsel Should Consider
To respond to these concerns, in-house counsel should document their procedures in detail and produce these procedures to the AG’s office in a manner suitable to their defense strategies. As part of this, in-house counsel should thoroughly document their opt-in workflows, maintain detailed protocols and plans regarding their safeguard testing and data dissemination practices, and store their contracts with data brokers involved in the data collection process in an accessible manner.
Counsel will also need to work with IT personnel to ensure that any portable data matches the scope of the consumer's request and is produced in a "structured, commonly used and machine-readable format" to either the consumer or the consumer's designated representative.
They may also consider implementing separate opt-in, collection, storage, and dissemination procedures for enterprise customers and private individuals, as the bill’s current definitions of “consumer” and “natural person” exclude individuals acting in a “commercial or employment context.”
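One way an engineering team might implement the export step described in the two paragraphs above, as an added example that is not part of the original article and not drawn from the bill's text: the record layout, the `context` field used to separate consumer records from commercial or employment-context records, the category names and the sample data are all constructed for illustration, and the 45-day response window is applied without modeling the bill's exceptions.

```python
"""Assemble a data-portability response as structured, machine-readable JSON.

Added illustration; field names, categories and sample records are
constructed assumptions, not a schema from the NYPA or the article.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample store: one subject has both consumer-context records and a
# record collected in a commercial context, which the export must leave out.
RECORDS = [
    {"subject_id": "u-100", "category": "profile", "context": "consumer",
     "data": {"email": "ana@example.com", "zip": "10001"}},
    {"subject_id": "u-100", "category": "purchases", "context": "consumer",
     "data": {"orders": [{"id": "o-1", "total": 42.50}]}},
    {"subject_id": "u-100", "category": "procurement", "context": "commercial",
     "data": {"vendor_account": "acct-77"}},
    {"subject_id": "u-200", "category": "profile", "context": "consumer",
     "data": {"email": "ben@example.com"}},
]


@dataclass(frozen=True)
class PortabilityRequest:
    subject_id: str        # the verified consumer the request concerns
    categories: tuple      # categories asked for; empty tuple means all
    verified: bool         # identity verification completed before export
    received: date         # date the request was received


def response_deadline(req: PortabilityRequest, days: int = 45) -> date:
    """Date by which a response is due (exceptions in the bill not modeled)."""
    return req.received + timedelta(days=days)


def build_portable_export(req: PortabilityRequest, records=RECORDS) -> str:
    """Return a JSON document holding only in-scope records for the requester."""
    # Never release data on an unverified request: a forged request is an
    # exfiltration path, not a compliance obligation.
    if not req.verified:
        raise PermissionError("identity not verified; refusing to export")
    selected = [
        r for r in records
        if r["subject_id"] == req.subject_id           # only this consumer
        and r["context"] == "consumer"                 # drop commercial/employment context
        and (not req.categories or r["category"] in req.categories)
    ]
    export = {
        "format": "application/json",
        "subject_id": req.subject_id,
        "requested_categories": list(req.categories) or "all",
        "respond_by": response_deadline(req).isoformat(),
        "records": [{"category": r["category"], "data": r["data"]} for r in selected],
    }
    # sort_keys gives a stable layout, which makes the file easy to diff against
    # the request scope during review before it is released.
    return json.dumps(export, indent=2, sort_keys=True)
```

The scope check, the context filter and the verification gate are the parts worth keeping in a real pipeline; the JSON layout itself is a placeholder for whatever commonly used format the organization settles on.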
While the NYPA is not yet law, it does offer a preview of the potential scenarios businesses could face in a more privacy-conscious New York. In-house attorneys should plan to convene with pertinent stakeholders to determine how to best respond to the New York legislature’s desire to bolster consumer privacy protections.
As with any developing legislation, it is never too early to start preparing.