New York Could Be the Next State to Adopt a Strict Data Privacy Law
Like California before it, New York could serve as the testing grounds for the next statewide consumer data privacy law.
Could New York state be the next California? Lines in the sand suggest the government is laying the groundwork for a robust privacy law - one that could mirror the California Consumer Privacy Act (CCPA) - by providing similar privacy rights to consumers and enacting regulations around how companies process individuals’ data.
Two weeks ago, when Governor Andrew Cuomo released the state's 2022 budget, it included a proposal for a comprehensive data privacy bill.
In his lengthy, 322-page (.PDF) State of the State report, Cuomo said he'd propose a law that would enable New Yorkers to better control and protect their data from attackers.
Similar to the CCPA, the goal of the law would be transparency. The CCPA of course affords consumers the right to know what type of data is being collected about them and for which purposes, and whether its being shared or sold to other businesses or third parties.
Cuomo's law, which would establish a Consumer Data Privacy Bill of Rights, would do a lot of the same; it would protect information of individuals like health, biometric, and location data, and allow any New Yorker the ability to access, control, or erase any data on them. It would also give them "the right to discrimination, and the right to equal access to services." Businesses that collect information on a large amount of New Yorkers - for instance, the CCPA applies to businesses that buy, receive or sell data of 50,000 consumers or more - would have to disclose the purpose of the data they collect and only collect data for that purpose.
While it’s just a proposal, Cuomo’s office claims the legislation will also include “strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data.”
At the surface, the concept of a privacy bill that can give consumers better control over their data certainly sounds like Cuomo wants to bring the state’s privacy protections up to par with the CCPA or even the European Union’s General Data Protection Regulation.
It’s not a complete surprise that things are trending in this direction; New York has passed a handful of data privacy-focused bills over the last several years.
The state’s SHIELD Act, an update to New York's data breach notification law also known as the Stop Hacks and Improve Electronic Data Security Act, designed to keep organizations accountable for the safe handling of data went into effect last year. That legislation was aimed around getting employers to implement and maintain safeguards to protect the security, confidentiality, and integrity of private information they may control. In order to be in compliance with the SHIELD Act, New York businesses need a data security program that can assess and identify risk, prevent intrusions, and protect against the unauthorized access of private data.
The New York State Department of Financial Services’ Cybersecurity Regulation, which imposes mandatory requirements for financials outfits like banks and insurance companies, also requires organizations to develop a cybersecurity policy.
One of the first of its kind for states, the regulation also requires financial entities to meet a series of requirements, submit cybersecurity notices to the NYDFS Superintendent, and adhere to data breach notification guidelines.
Those of course are regulations already on the books in New York; that doesn't cover legislation that's still working its way through the state's legislative session, including SB 567, which bears many similarities to the CCPA but includes a private right of action, Assembly Bill A680, or the New York Privacy Act, legislation some have called even bolder than CCPA, and Assembly Bill A405, which pertains to interest-based advertising.