New York Considering Privacy Law – Right to Know Act
A new privacy bill was introduced in the New York State Senate last week to provide New York residents with the right to access their personal information held by businesses. NYS Senate Bill 224 is not as extensive as the requirements imposed by either the European Union General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Of the data subject access rights, it appears to include only the right to access. It does not include the right to correct or delete personal information.
The law was introduced by New York State Senator Brad Hoylman. He is a Democrat representing the 27th District (Manhattan/New York City) and is the new chairman of the New York State Senate Judiciary Committee. He was first elected in 2012.
The law protects New York residents who are defined as “customers”. Businesses that retain personal information of customers shall make access to all of it available free of charge. If a business discloses personal information to a third party, it needs to provide access to the categories of personal information disclosed and the names and addresses of the third parties that received the information.
The nonexhaustive list of categories of personal information set forth in the proposed bill includes:
1. Identity (name, alias, nickname, username).
2. Addresses (postal address or email).
3. Telephone Number
4. Account Name
5. Government issued Identification Numbers (social security number, driver’s license number, passport number)
6. Birthdate or age
7. Physical Characteristics (height and weight)
8. Sexual information (Sex, Sexual Orientation, Gender Information)
9. Race or ethnicity
10. Religious affiliation or activity
11. Political affiliation or activity
12. Professional or employment-related information
13. Educational information
14. Medical information (medical conditions, drugs, treatments)
15. Financial information (credit card numbers, debit card numbers, account numbers, account balances, payment history, general creditworthiness, assets, liabilities)
16. Commercial information (purchasing history)
17. Location information
18. Internet or mobile activity (IP addresses, website access/use, app use)
19. User Generated Content.
20. Any of the above with respect to the children of the customer.
A violation of the law can be enforced by the attorney general, a district attorney, a city attorney or a city prosecutor. A civil action can also be brought by the customer to recover penalties. The proposed bill states that a violation of the law constitutes an injury to a customer, but it does not identify a range of statutory damages. In contrast, the CCPA sets damages at $100 to $750 per customer for a cybersecurity data breach.
Potential Effective Date: There is no phase-in period in the proposed legislation. Section 5 indicates that the act takes effect immediately.
The bill was introduced on January 9, 2019 and was referred to the New York State Senate Committee on Consumer Protection. We will be closely following it as it develops.