On the heels of the California Consumer Privacy Act ("CCPA"), the state of New York has kicked off the New Year with proposed legislation in the same vein as the CCPA.

Sponsored by Sen. Brad Hoylman, New York Senate Bill 224 is premised on the idea that "[a]ll individuals have a right of privacy in information pertaining to them," and that businesses must provide consumers with transparency about how consumers' personal information has been shared with or sold to third parties. Accordingly, the proposed legislation would require any business that retains a customer's personal information to provide the customer, free of charge, with access to all of the customer's personal information that the business has retained. Additionally, businesses would be required to disclose:

  • all categories of the customer's personal information that were disclosed to a third party; and
  • the names and contact information of all of the third parties that received the customer's personal information from the business, including the third parties' designated request address if available.

"Categories of information" is defined relatively broadly to include a number of items, such as name, nickname, username, address, phone number, account name, social security number, religious or political affiliation, employment-related information, and medical and financial information, among other categories.

This information would have to be provided to customers within 30 days of a customer's "verifiable request," and would be applicable to the 12-month period prior to the request.

If passed, Senate Bill 224 would also change businesses' online privacy notices, as the legislation requires any business that has an online privacy policy to include a description of a customer's rights under the proposed law. Businesses with multiple online privacy policies must include a description of these rights in the privacy policy of each product or service that collects personal information that may be disclosed to a third party.

Because the legislation defines "customer" to include anyone who is a resident of the state of New York who provides personal information to a business, the bill's requirements would presumably apply to any entity that does business in New York, without regard to the location of the entity itself. The CCPA made waves for its nationwide applicability as well.

North Carolina, for its part, has not proposed a CCPA- or Senate Bill 224-style law for 2019. N.C. Attorney General Josh Stein and N.C. House Rep. Jason Saine have, however, unveiled legislation to strengthen North Carolina's breach notifications under the existing Identity Theft Protection Act. The proposed bill would expressly require notifications to consumers in the event of a ransomware attack, in which personal information is accessed but is not necessarily acquired. Additionally, it would require businesses to notify individuals and the Attorney General's Office of data breaches within 30 days of discovery of the incident. Finally, the bill would require businesses to maintain reasonable security procedures to protect personal information; a failure to do so may result in a violation of the Unfair and Deceptive Trade Practices Act.

Though no other proposed law is as expansive as the CCPA, this is likely the beginning of a trend in data privacy legislation across the United States. Vermont, South Carolina, and Iowa have all proposed various data privacy laws aimed at transparency, albeit in specified industries. This potential patchwork of privacy legislation could create compliance issues for entities that do business in multiple states, which, in turn, could allow the movement for overarching federal data privacy regulations to gain steam. Still, preemptive federal legislation is unlikely in the near future, which will leave states with the ability to fill the gaps in the months, and probably years, ahead.