CLS Blue Sky Blog

Patterson Belknap Discusses Consumer Data Privacy in New York

As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers.  New York is no stranger to this field.  The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries.  The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents.  And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.

In its current form, NYDAT would cover any company that conducts business in New York or produces goods or services that target New York residents, so long as the company “controls or processes” the personal information of at least one hundred thousand consumers, or derives over fifty percent of its gross revenue from the “sale, control, or processing” of personal information.  “Personal information” is defined broadly as “data relating to an identified or identifiable natural person.”

NYDAT would create an array of consumer privacy rights and, accordingly, impose substantial new requirements on covered businesses regarding data collection and maintenance.  The five most notable provisions of the current proposal are as follows:

Notably, in contrast to the CCPA, the current NYDAT proposal would not provide a private right of action to consumers for violations of the statute.  The Secretary of State, however, would be empowered to investigate potential violations and impose fines of up to $7,500 for each violation, which could accrue daily for continuing conduct.  The Department of State would also be required to create a “consumer data privacy bill of rights” delineating many of the law’s requirements and including “information on how a consumer may enforce such rights.”

While NYDAT’s journey from the drafting table to the Governor’s desk remains in its early stages, this is a story that businesses would be well-advised to watch with care.  Substantial privacy legislation from New York will have significant operational and compliance implications for businesses across the country, and will cement New York’s role as a primary player in the data security and privacy arena.  We will continue to report on NYDAT’s legislative process, and its potential implications for affected companies.

This post comes to us from Patterson Belknap Webb & Tyler LLP. It is based on the Firm’s blog post, “New York Has More to Say About Consumer Data Privacy,” dated February 9, 2021, and available here.

Exit mobile version