The New York State legislature has passed updates to the state’s breach notification law, expanding the scope of “private information” protected under the law to include biometric information, email addresses, and their corresponding passwords or security questions and answers, and protected health information. It broadens the definition of a notifiable data breach to include unauthorized access to private information and applies the notification requirement to any person or entity with the private information of a New York resident, not just to those that conduct business in New York.
The law also creates reasonable data security requirements tailored to the size of a business, in accordance with high-level requirements enumerated in the new law aimed at verifying an organization’s safeguarding of private information.
The Governor of the State of Maine has signed into law an act that prohibits a provider of broadband Internet access from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The ban covers customer information such as web browsing history, application usage history, geolocation information, and device identifiers – all of which are types of data that are often used to target consumers with ads.
The new law also prohibits broadband providers from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access. The act also requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access.
The law’s restrictions on using consumers' personal information are likely to be challenged on constitutional grounds. The law appears to be inconsistent with a federal law enacted by the Trump administration in 2017 which in itself repealed the Obama administrations' restrictions on broadband providers from monetizing consumer’s personal information.