Finding a balance between the need to handle personal information and protecting the privacy of individuals can be challenging. Privacy is a significant element of freedom, “to be secure… against unreasonable searches and seizures” (according to the Fourth Amendment). Privacy laws hold accountable those who steal or misuse data, and are necessary to protect privacy rights. These laws drive stronger industry standards and prioritize privacy over other objectives.
The familiarity and comfort of tailor-made online experiences and sheer convenience of having our devices anticipate our every move take on a slightly darker twist with the popular belief that “Big Tech” is trying to exploit our personal data and various governments are trying to keep tabs on us. Whether or not this is the case, data protection acts are taking action to help us regain our privacy and control over our information.
NYPA is a comprehensive consumer privacy law that aims to protect the privacy of the citizens of New York by empowering them to exercise greater control over their personal information and by holding businesses accountable.
The New York Privacy Act, advocated by Senator Kevin Thomas (D-Nassau County), passed in the New York State Senate after its third reading on June 8, 2023, and was delivered to the New York State Assembly.
The 2023 bill is titled Senate Bill 365A and includes some notable provisions. We’ll review some of them below.
Key Takeaways From the New York Privacy Act
The proposed measures aim to empower consumers with greater control over their privacy and enhance accountability in data processing practices. The key provisions include:
- Mandatory Consent: Companies would be obligated to obtain explicit consent from consumers before processing their personal data. This requirement ensures that individuals have the choice and awareness regarding the use of their information.
- Transparency and Accountability: The legislation would establish robust transparency and accountability standards for businesses that handle substantial amounts of personal data. This ensures that companies are transparent about their data collection and processing practices, and are accountable for how they handle consumer information.
- Oversight of Data Brokers: The Office of the Attorney General would be granted authority to conduct oversight of data brokers. These are entities that collect personal information about consumers and sell that data to other controllers or third parties. This oversight ensures that data brokers adhere to privacy regulations and responsibly handle consumers’ personal information.
Who does it apply to?
It is yet to be determined in detail but the NY personal privacy protection law will apply to entities conducting business in New York and possibly those handling personal data of New York residents.
The projected criteria for the application of NYPA are said to be:
- If your yearly gross revenue is over $25,000,000.
- If you control the data of a minimum of 100,000 New Yorkers.
- If you control the data of a minimum of 500,000 people in general, with 10,000 that are New York residents.
- If you derive 50% or more of your gross revenue from the selling of personal data.
Targeted advertising and data sellers are not the only ones who need to take heed of the upcoming laws and regulations to ensure they won’t be in violation and open to penalties. Any business or company that processes, stores, handles or uses personal information of any kind will need to adhere to these laws.
As the global market becomes more and more interconnected, businesses around the world will need to take into account the NYPA if they want New York’s residents to use their websites or services.
Government bodies who are processing or storing data for reasons other than sales are exempt from the NYPA, as is data maintained for employment purposes, protected health information and data collected to research on human subjects. These exemptions will need to be examined in greater detail when the final version of NYPA is released.
Unique Aspects of NYPA versus Other Privacy Laws
NYPA has been noted to surpass its contemporaries, like the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), in its stringencies. It is more specific than the CCPA, which has received criticism for being impractical due to its breadth and very general terms. Yet it is less broad than the GDPR.
There are plenty of common factors between the New York Privacy Act and other more established privacy laws, like Europe’s GDPR, including lawful processing, consent, individual rights to name a few.
The naming of third parties with whom a company does business is a requirement of NYPA in order to provide full transparency to consumers. The New York Privacy Act also refers to data fiduciary responsibilities. This can be compared to the GDPR’s Data Controller- the one who decides the purpose and process to handle personal data.
Yet unlike most other famous privacy laws, the NYPA does not include a category of “sensitive data” that usually requires many of its own unique controls and handling laws.
What happens if you don’t comply?
As is the case with the vast majority of privacy laws, failure to comply will lead to fines and penalties that can be financially crippling, or at least significant. Relative to laws like the GDPR, the penalties for non-compliance with NYPA are more modest, namely up to $15,000 per violation. This may at first sound moderate but we will need to establish what constitutes a single violation- it may well add up.
Steps to The New York Privacy Act Compliance
As with all privacy laws, the best place to start is by knowing where your company touches personal data and evaluating the flow of data from inception through the completion of your service or business. Take into account not only the networks and systems within your organization, but also the vendors with whom you do business. Do they receive personal data from you? Are your compliance demands incorporated into your SLA’s (Service Level Agreements)? Ensure your vendors will not be the downfall of your compliance with vendor risk assessments.
Create a privacy notice for your customers. Scope your organization to know where personal information is to be found and ensure all aspects are covered in the privacy notice- including the rights mentioned above.
Consider using an automated risk and compliance management platform that will prepare your organization for compliance with all of the major privacy laws. Schedule a demo to see how Centraleyes cutting-edge compliance tools will boost your company’s compliance with the upcoming NYPA privacy regulations.
