On May 12, 2021, Senator Kevin Thomas reintroduced the New York Privacy Act (the “Act” or “NY Privacy Act”) before the New York Senate. In 2019, Senator Thomas had hoped to pass privacy legislation S5642 (the “Bill”) to amend the general business law to address the management and oversight of consumer personal information. The Bill was set aside during the 2019 coronavirus pandemic when priorities shifted to address COVID-related issues. The purpose of reintroducing the NY Privacy Act is to “help New Yorkers regain their privacy.” A similar bill has also been reintroduced in the New York Assembly.
What are the key provisions of the NY Privacy Act?
Elements of the NY Privacy Act
The NY Privacy Act applies to “legal persons that conduct business in New York or produce products or services that are targeted to residents of New York,” provided that businesses: 1) have annual gross revenues of at least twenty-five (25) million dollars; 2) control or process personal data of one hundred thousand consumers or more; 3) capture personal data of five hundred thousand people nationwide, and control or process personal data of ten thousand consumers; or 4) develop fifty percent of their gross revenue from the sale of personal data, and control or process personal data of twenty-five thousand consumers or more. Entities that are exempt from these requirements include state and local governments and municipal corporations.
Similar to the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Privacy Regulation (“GDPR”), the NY Privacy Act affords consumers the right to exercise more control over their personal data and “requires businesses to be responsible, thoughtful, and accountable managers” of that personal data. The Act provides New York consumers with the right to: 1) know how their data is being used, processed and shared; 2) access and obtain a copy of the data that is being collected about them; 3) correct inaccurate data; and 4) delete their data.
Data brokers would be required to register with the New York State Attorney General on or before January 31st following a year in which they meet the definition of data broker and pay a registration fee of $100.00. Under the Act, a data broker is defined as a person or legal entity “that does business in the state of New York and knowingly collects, and sells to controllers or third-parties, the personal data of a consumer with whom it does not have a direct relationship.” Failing to register as a data broker exposes the business to liability for civil penalties, fees and costs in any action brought by the Attorney General.
The NY Privacy Act imparts enforcement authority to the Attorney General and includes, significantly, a private right of action for New York State consumers. The Attorney General would be empowered to bring an action or special proceeding on behalf of New Yorkers who have been harmed by any violations of the NY Privacy Act. Pursuant to the proposed law, the New York Attorney General would be authorized to seek civil penalties of up to $15,000.00 per each violation of the Act. Additionally, any citizen whose consumer privacy rights had been violated would be able to bring a private right of action to recover actual damages or one $1,000.00, whichever is greater, together with attorneys’ fees.
Should the NY Privacy Act pass into law, the Senate is seeking to have it take effect immediately. We will continue to monitor the progress of the Act and update our readers on any changes to the legislation.