In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting their operations in the way how they collect, use and share consumer’s personal information throughout the State.

1. What to expect from the
New York Privacy Act
In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon
have to gear up for this new data privacy law. If enforced, the law may severely impact businesses,
restricting their operations in the way how they collect, use and share consumer’s personal information
throughout the State.
Earlier to this, a similar bill was introduced in the last legislative session but had failed to pass in the
assembly. However, with New York Privacy Act now re-introduce in a more refined version. This bill
should be closely watched by the industry as it moves through the legislative process. The New York
Privacy Act is very similar to California’s Consumer Privacy Act (CCPA) but is more expansive in its
approach and requirements. The regulation if enforced will provide consumers with much greater control
over their personal information, and make businesses more accountable for their operations and
business processes.
In today’s article, we have covered details on the proposed New York Privacy Act bill and its possible
impact on businesses. So, before summarizing the proposed bill let us first understand what the
Regulation is all about.
What is the New York Privacy Act?
The proposed New York Privacy Act is a law which if enforced will apply to a wide range of businesses. It
is an Act that may apply to entities that conduct business in New York pertaining to personal information
of residents of New York State. While there are exceptions for the state and local governments, but the
law may apply to all private entities (including non-profits) subject to the requirements.

2. The proposed NY Privacy Law mirrors various other Privacy regulations like the California Consumer
Privacy Act (“CCPA”) and the EU’s General Data Privacy Regulation (“GDPR”). This would be in line with
consumer’s right to request for businesses to correct any inaccurate personal information or delete the
personal information held with them.
What does the proposed New York Privacy Act say about Consumer Rights, Consent, & Business
obligations?
Data Subjects
Data subjects or consumers are defined as “a natural person who is a New York resident.” Employees
and contractors are specifically excluded from the definition of consumer. Job applicants are not explicitly
excluded from the definition of consumer, however, “data sets maintained for employment records
purposes” are excluded. Again there is no “business-to-business” exemption.
Personal Information-
The New York Privacy Act broadly defines personal data and excludes only de-identified or publicly
available data from this law.
Business in Scope
Similar to the GDPR and CCPA Regulation, the scope of NYPA is quite broad. It would apply to any legal
entity that conducted business in the New York States or Businesses that produce or provide services
that are intentionally targeted to residents of New York State. However, there are no thresh holds set on
revenue or minimum amounts of personal data a company processes to be subject to the law. Further, it
is important to note that there is no exemption for individuals or non-profit organizations but purely
household activities are exempted from the law.
Business Obligation
The NYPA law creates a fiduciary obligation on the businesses to abide by the law and act in a way that
benefits data subjects of whom they collect store or process personal data. This would simply mean that
businesses will be held to a higher standard of compliance for the data collected and used of data
subjects. It would also mean that businesses must act in the best interest of their consumers irrespective
of it not being in the best interest of their business.
Consumer Consent-
Speaking about consumer consent, the Act clearly states that businesses will require consumers to
provide “specific, informed and unambiguous” consent before they process or use their personal data.
Businesses will have to obtain consumer’s consent specific to each intended use of their data. They
would further require consumer-specific consent for each intended third-party receiving the data. Again
for businesses in the marketing space will require separate checkboxes for each of their respective
marketing partners.
Consumer Rights-
The proposed privacy act which is very similar to the CCPA and the GDPR provides consumers the right
to access, rectification/correction, deletion, restriction of processing, and portability. Businesses are
expected to act upon the request of the consumers without any undue delay. They are also expected to
take “reasonable steps” to inform third parties about the consumer’s request.
Violation & Fines–
The NYPA law specifies that a consumer who suffers a loss may recover statutory damages of $1,000 or
more or actual damages, and $3,000 or actual damages for an intentional violation. However, the law
limits the scope of recovery to violations of the Act in the form of injunctive relief and actual
damages. This means that the consumer must prove that they suffered a loss due to the failure of

3. © VISTA InfoSec ®
© VISTA InfoSec ®
© VISTA InfoSec ®
business to comply with the NYPA to be able to recover. Further, any person who is aware, based on
non-public information, that a person or business has violated this section may file a civil action for civil
penalties. This provision would allow for suits to be filed by competitors, vendors, and consumer groups
based on violations of the law.
What Should Businesses Do?
The New York Privacy Act is still a proposed bill and not a legislation in effect that has passed the
assembly. Further, as the law moves through the legislative process, businesses can expect
amendments in the law. Businesses should have a close watch over the legislative process to see how
and when the law comes into effect. But, this brings us to a very common question asked by most
businesses as to how should they approach the data privacy law going forward.
Ideally, an organization should initially start with conducting the basic assessment of their operations to
identify the kind of data collected and classify them based on their level of sensitivity. Understanding
what data is collected, processed, and identify the law that impacts the data is the key to your compliance
journey.
Once your business gains a basic understanding, the road ahead will be much easier for establishing a
privacy program that fits with your organizational blueprint. Waiting for the legislation to come into effect
isn’t really an option. For your business to stay ahead of the curve and gain a better business stand-point
preparation for the law is what is advisable.
After all, be it the GDPR Regulation CCPA or the proposed New York Privacy Act all of the regulations
are more or less similar and are established with the common agenda of protecting the rights and privacy
of consumer’s personal data. So, the faster and earlier your organization takes steps towards initiating a
data privacy program, the better it is for them at the later stage for achieving compliance. Your business
will be in a far better position to deal with any such data privacy regulation that comes into effect in the
future.
facebook.com/vistainfosec/ in.linkedin.com/company/vistainfosec twitter.com/VISTAINFOSEC
Dowritetousyourfeedback,commentsandqueriesor,ifyouhaveanyrequirements:
info@vistainfosec.com
You can reach us on:
USA
+1-415-513 5261
INDIA
+91 73045 57744
SINGAPORE
+65-3129-0397