As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers. New York is no stranger to this field. The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries. The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents. And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.
In its current form, NYDAT would cover any company that conducts business in New York or produces goods or services that target New York residents, so long as the company “controls or processes” the personal information of at least one hundred thousand consumers, or derives over fifty percent of its gross revenue from the “sale, control, or processing” of personal information. “Personal information” is defined broadly as “data relating to an identified or identifiable natural person.”
NYDAT would create an array of consumer privacy rights and, accordingly, impose substantial new requirements on covered businesses regarding data collection and maintenance. The five most notable provisions of the current proposal are as follows:
- Notice of Collection and Use: Covered businesses would be required to inform consumers of the type of personal information being collected, as well as the purposes for which that information would be used. With limited exceptions, companies would be prohibited from using or disclosing any personal information “for purposes other than those specified” at the time of collection. Similarly, businesses could not collect additional categories of personal information, or use the information collected for new or additional purposes, without providing the consumer with notice of the new collection, and the option to limit it. Covered businesses, moreover, could only collect personal information “relevant to the purposes for which they are intended to be used, and only to the extent necessary for those purposes.” Notably, the term “relevant” is not defined in the current version of the bill.
- Opt-Out: NYDAT’s focus, like the CCPA, is on notice and consumer choice, and it contains an opt-out provision. If a covered business intends to sell or share a consumer’s personal information, it would be required to provide a “clear and conspicuous link” on its internet homepage to enable consumers to opt-out of the sale or sharing of their personal information, and to limit the collection, use, or disclosure of their personal information.
- Consumer Requests: Businesses would also be required to provide consumers with the ability, upon receipt of an appropriate request:
- to confirm that the company possesses personal information about that consumer;
- to have personal information that was collected in the “last twelve months communicated to the consumer, within a reasonable time, at no charge, in a reasonable manner, and in a form that is readily intelligible to the consumer;”
- to “challenge” that data (presumably as to its accuracy or veracity) and, if the challenge is successful, to have the data returned, destroyed, rectified, completed or amended; and
- to have the consumer’s personal information returned or destroyed under certain circumstances, including when the “personal information is no longer necessary for the purposes for which it was collected or otherwise processed,” or when the “consumer affirmatively requests the covered entity stops the collection, storage, or processing of personal information.”
- Non-Discrimination: NYDAT would also prohibit covered companies from discriminating against consumers who exercise their rights under the law, for example, by denying goods or services to the consumer or charging those consumers different prices or rates for goods or services. On the other hand, covered businesses could charge a consumer a different price or rate, or provide a different level or quality of goods or services to the consumer if “that difference is reasonably related to the value provided to the business by the consumer’s personal information.” On this front, NYDAT, in its current form, also specifies that it would not prohibit the use of loyalty or similar reward and discount programs. Similarly, businesses could continue to offer financial incentives, including payments to consumers as compensation, for the collection, sale, sharing, or retention of a consumer’s personal information, but would have to “clearly and conspicuously” notify consumers of such incentives.
- Information Security Safeguards: From a security standpoint, the law would mandate that businesses implement safeguards to protect personal information from security risks “such as loss, unauthorized access, destruction, use, modification, or unauthorized disclosure.” While this type of requirement, in various forms, appears in both the SHIELD Act and (far more prominently) in DFS’s cybersecurity regulation, NYDAT could broaden this requirement’s coverage.
Notably, in contrast to the CCPA, the current NYDAT proposal would not provide a private right of action to consumers for violations of the statute. The Secretary of State, however, would be empowered to investigate potential violations and impose fines of up to $7,500 for each violation, which could accrue daily for continuing conduct. The Department of State would also be required to create a “consumer data privacy bill of rights” delineating many of the law’s requirements and including “information on how a consumer may enforce such rights.”
While NYDAT’s journey from the drafting table to the Governor’s desk remains in its early stages, this is a story that businesses would be well-advised to watch with care. Substantial privacy legislation from New York will have significant operational and compliance implications for businesses across the country, and will cement New York’s role as a primary player in the data security and privacy arena. We will continue to report on NYDAT’s legislative process, and its potential implications for affected companies.