In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting their operations in the way how they collect, use and share consumer’s personal information throughout the State.
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
What to expect from the New York Privacy Act
1. What to expect from the
New York Privacy Act
In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon
have to gear up for this new data privacy law. If enforced, the law may severely impact businesses,
restricting their operations in the way how they collect, use and share consumer’s personal information
throughout the State.
Earlier to this, a similar bill was introduced in the last legislative session but had failed to pass in the
assembly. However, with New York Privacy Act now re-introduce in a more refined version. This bill
should be closely watched by the industry as it moves through the legislative process. The New York
Privacy Act is very similar to California’s Consumer Privacy Act (CCPA) but is more expansive in its
approach and requirements. The regulation if enforced will provide consumers with much greater control
over their personal information, and make businesses more accountable for their operations and
business processes.
In today’s article, we have covered details on the proposed New York Privacy Act bill and its possible
impact on businesses. So, before summarizing the proposed bill let us first understand what the
Regulation is all about.
What is the New York Privacy Act?
The proposed New York Privacy Act is a law which if enforced will apply to a wide range of businesses. It
is an Act that may apply to entities that conduct business in New York pertaining to personal information
of residents of New York State. While there are exceptions for the state and local governments, but the
law may apply to all private entities (including non-profits) subject to the requirements.
2. The proposed NY Privacy Law mirrors various other Privacy regulations like the California Consumer
Privacy Act (“CCPA”) and the EU’s General Data Privacy Regulation (“GDPR”). This would be in line with
consumer’s right to request for businesses to correct any inaccurate personal information or delete the
personal information held with them.
What does the proposed New York Privacy Act say about Consumer Rights, Consent, & Business
obligations?
Data Subjects
Data subjects or consumers are defined as “a natural person who is a New York resident.” Employees
and contractors are specifically excluded from the definition of consumer. Job applicants are not explicitly
excluded from the definition of consumer, however, “data sets maintained for employment records
purposes” are excluded. Again there is no “business-to-business” exemption.
Personal Information-
The New York Privacy Act broadly defines personal data and excludes only de-identified or publicly
available data from this law.
Business in Scope
Similar to the GDPR and CCPA Regulation, the scope of NYPA is quite broad. It would apply to any legal
entity that conducted business in the New York States or Businesses that produce or provide services
that are intentionally targeted to residents of New York State. However, there are no thresh holds set on
revenue or minimum amounts of personal data a company processes to be subject to the law. Further, it
is important to note that there is no exemption for individuals or non-profit organizations but purely
household activities are exempted from the law.
Business Obligation
The NYPA law creates a fiduciary obligation on the businesses to abide by the law and act in a way that
benefits data subjects of whom they collect store or process personal data. This would simply mean that
businesses will be held to a higher standard of compliance for the data collected and used of data
subjects. It would also mean that businesses must act in the best interest of their consumers irrespective
of it not being in the best interest of their business.
Consumer Consent-
Speaking about consumer consent, the Act clearly states that businesses will require consumers to
provide “specific, informed and unambiguous” consent before they process or use their personal data.
Businesses will have to obtain consumer’s consent specific to each intended use of their data. They
would further require consumer-specific consent for each intended third-party receiving the data. Again
for businesses in the marketing space will require separate checkboxes for each of their respective
marketing partners.
Consumer Rights-
The proposed privacy act which is very similar to the CCPA and the GDPR provides consumers the right
to access, rectification/correction, deletion, restriction of processing, and portability. Businesses are
expected to act upon the request of the consumers without any undue delay. They are also expected to
take “reasonable steps” to inform third parties about the consumer’s request.
Violation & Fines–
The NYPA law specifies that a consumer who suffers a loss may recover statutory damages of $1,000 or
more or actual damages, and $3,000 or actual damages for an intentional violation. However, the law
limits the scope of recovery to violations of the Act in the form of injunctive relief and actual
damages. This means that the consumer must prove that they suffered a loss due to the failure of