Everything You Need To Know About The New York Privacy Act 2021

Finding a balance between the need to handle personal information and protecting the privacy of individuals can be challenging. Privacy is a significant element of freedom, the right “to be secure… against unreasonable searches and seizures” (according to the Fourth Amendment). Privacy laws hold accountable those who steal or misuse data, and are necessary to protect privacy rights. These laws drive stronger industry standards and prioritize privacy over other objectives.

The familiarity and comfort of tailor-made online experiences and the sheer convenience of having our devices anticipate our every move take on a slightly darker twist with the popular belief that “Big Tech” is trying to exploit our personal data and various governments are trying to keep tabs on us. Whether or not this is the case, data protection acts are taking action to help us regain our privacy and control over our information.

In May 2021, the Consumer Protection Committee brought an updated version of the New York Privacy Act back into the senate. NYPA is a comprehensive consumer privacy law that aims to protect the privacy of the citizens of New York by empowering them to exercise greater control over their personal information and by holding businesses accountable.

The law has not yet been finalized but is “under construction” and is predicted to go live in 2022.

What is the New York Privacy Act?

The New York Privacy Act sets forth provisions for companies to manage personal data responsibly and lawfully. NY data protection laws will obligate companies to acquire consumers’ consent, disclose their de-identification processes, and install controls and safeguards to protect personal information. Consumers will also have more control over their personal data, for example, the right to know details of the companies that hold their data.

Central conditions of this data privacy regulation include:

  • Right to Notice – Consumers will have the right to be notified of what data is being processed, by whom and for what purpose, amongst other details.
  • Opt-In Consent – Before collecting or processing any personal data, the data subject must give their consent, via an unambiguous and informed route.
  • Right to Access, Correct Data – Companies will be obligated to provide easily accessible ways for data subjects to access details of their personal data being held and request corrections.
  • Right to Delete – Companies will be obligated to provide accessible routes for data subjects to request that companies dispose of their personal data and delete it in its entirety. This will also include ensuring that third parties dispose of it too, under the same restrictions.

The new law will involve annual risk assessments, as well as demand disclosures regarding automated decision making driven by personal data. An annual data deletion is required for data that is no longer needed.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Who does it apply to?

It is yet to be determined in detail but the NY personal privacy protection law will apply to entities conducting business in New York and possibly those handling personal data of New York residents.

The projected criteria for the application of NYPA are said to be:

  • If your yearly gross revenue is over $25,000,000.
  • If you control the data of a minimum of 100,000 New Yorkers.
  • If you control the data of a minimum of 500,000 people in general, with 10,000 that are New York residents.
  • If you derive 50% or more of your gross revenue from the selling of personal data.

Targeted advertisers and data sellers are not the only ones who need to take heed of the upcoming laws and regulations to ensure they won’t be in violation and open to penalties. Any business or company that processes, stores, handles or uses personal information of any kind will need to adhere to these laws.

As the global market becomes more and more interconnected, businesses around the world will need to take the NYPA into account if they want New York’s residents to use their websites or services.

Government bodies that are processing or storing data for reasons other than sales are exempt from the NYPA, as is data maintained for employment purposes, protected health information and data collected for research on human subjects. These exemptions will need to be examined in greater detail when the final version of NYPA is released.

Unique Aspects of NYPA versus Other Privacy Laws

NYPA has been noted to surpass its contemporaries, like the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), in its stringency. It is more specific than the CCPA, which has received criticism for being impractical due to its breadth and very general terms. Yet it is less broad than the GDPR.

There are plenty of common factors between the New York Privacy Act and other, more established privacy laws like Europe’s GDPR, including lawful processing, consent and individual rights, to name a few.

The naming of third parties with whom a company does business is a requirement of NYPA, in order to provide full transparency to consumers. The New York Privacy Act also refers to data fiduciary responsibilities. This can be compared to the GDPR’s Data Controller, the one who decides the purpose of and process for handling the personal data.

Yet unlike most other well-known privacy laws, the NYPA does not include a category of “sensitive data”, which usually requires many of its own unique controls and handling rules.

What happens if you don’t comply?

As is the case with the vast majority of privacy laws, failure to comply will lead to fines and penalties that can be financially crippling, or at least significant. Relative to laws like the GDPR, the penalties for non-compliance with NYPA are more modest, namely up to $15,000 per violation. This may at first sound moderate, but we will need to establish what constitutes a single violation; it may well add up.

Steps to The New York Privacy Act Compliance

As with all privacy laws, the best place to start is by knowing where your company touches personal data and evaluating the flow of data from inception through completion of your service or business. Take into account not only the networks and systems within your organization, but also the vendors with whom you do business. Do they receive personal data from you? Are your compliance demands incorporated into your SLAs (Service Level Agreements)? Use vendor risk assessments to ensure your vendors will not be the downfall of your compliance.

Create a privacy notice for your customers. Scope your organization to know where personal information is to be found and ensure all aspects are covered in the privacy notice, including the rights mentioned above.

Consider using an automated risk and compliance management platform that will prepare your organization for compliance with all of the major privacy laws. Schedule a free demo to see how Centraleyes’ cutting-edge compliance tools will boost your company’s compliance with the upcoming NYPA privacy regulations.