New York State Considers NY Privacy Act
A group of New York State Senators led by Senator Kevin Thomas has introduced Senate Bill S5642, the NY Privacy Act, into the state Senate to provide consumers with a new comprehensive privacy law. Wired called this privacy bill “even bolder than California’s” in a recent article. In addition to its data subject access rights (a core part of the California Consumer Privacy Act), it also has a duty of care provision and a consent requirement for processing.
Another privacy bill, the Right to Know Act, was introduced early in the legislative session in New York to permit consumers to monitor how their information is collected and disclosed. It required businesses to disclose personal information retained about the consumer as well as the third parties to whom the information was provided.
The New York Privacy Act goes well beyond the limited Right to Know Act as well as the California Consumer Privacy Act, since it applies to all businesses.
If passed, the New York Privacy Act would impose a duty of care provision on controllers. Every legal entity that collects, sells or licenses personal information of consumers shall exercise the duty of care, loyalty and confidentiality as a fiduciary. It would require the entity to act in the best interests of the consumer in a manner expected by a reasonable consumer and without regard to the interests of the entity. It also requires every entity to take reasonable steps to ensure that its affiliates and third parties fulfill the duty of care, loyalty and confidentiality, including by auditing on a regular basis their data security and information practices.
Entities subject to the law must inform consumers of their rights and give consumers the opportunity to opt in or opt out of the processing of their personal data.
Under the data subject access rights, controllers will need to confirm whether processing of an individual’s personal data is happening and provide a copy of the personal data free of charge up to twice a year. Controllers must correct inaccurate personal data concerning the consumer without undue delay. Additionally, a controller must delete personal data where, among other things, it is no longer necessary for the purpose for which it was collected or otherwise processed, or the consumer requests that it be deleted.
The bill would be enforced by the New York State Attorney General as well as any person who has been injured by a violation. Under the private right of action, an injured person would be allowed to recover actual damages or get an injunction, as well as reasonable attorney’s fees.
Each individual whose information is unlawfully processed counts as a separate violation, and each provision violated counts as a separate violation. An action for damages and a civil penalty may be brought against any controller or processor in violation of the law. If more than one controller or processor, or both a controller and a processor, are in violation in the same processing, liability is allocated according to comparative fault.