Since the passage of the California Consumer Privacy Act (CCPA) in 2018, many states have proposed sweeping data protection legislation, but only two others, Colorado and Virginia, have so far succeeded in passing such laws. That may soon change. In 2021, several states came close to enacting comprehensive privacy legislation and that momentum has continued into this year, with data protection bills being carried over, introduced, and reintroduced in state legislatures across the country. As the possibility of a federal privacy law dwindles—particularly during this midterm year—state legislatures are poised to be the source of major data protection developments in 2022. Throughout the year, Ropes & Gray will monitor and analyze these developments in state privacy laws, beginning with a discussion of the latest iteration of the proposed New York Privacy Act.
The New York Privacy Act
The New York State Legislature is considering companion bills—Senate Bill (SB) S6701A and Assembly Bill (AB) A680B—intended to implement the stalled New York Privacy Act (NYPA), which, if passed, would create extensive new requirements for businesses that process and share consumer data. The NYPA would, in short, require companies to disclose methods of de-identifying personal information and place certain safeguards around data sharing, among other obligations, and would enable consumers to obtain the names of entities with which their information is shared.[1] It would give New York consumers rights to access, correct, and delete the personal information that a data controller holds about them.[2] Subject to some limitations, controllers would also be required to obtain opt-in consent before processing personal data.[3]
The NYPA was first introduced in the state legislature in 2019 by Senator Kevin Thomas, who chairs the Committee on Consumer Protection, but was set aside in 2020 when New York’s legislative focus shifted to COVID-19. Last year, in January 2021, the NYPA reemerged in bills introduced in both houses of the legislature; by May, one bill was voted out of the Committee on Consumer Protection and, a month later, referred to the Rules Committee. After failing to progress further, the senate bill carried over into 2022 and was recently reprinted and recommitted to the Committee on Consumer Protection. The near-identical AB A680B similarly floundered in the Assembly last year and was recently recommitted to a consumer affairs committee.
As currently proposed in both SB S6701A and AB A680B, the NYPA closely tracks the CCPA—amended and expanded by the California Privacy Rights Act (CPRA)—and shares similarities with the Colorado Privacy Act and Virginia Consumer Data Protection Act (CDPA). Entities conducting business in New York—the fourth-most populated U.S. state, with over 19 million residents—should begin to consider operational challenges associated with the potential law, though companies that have achieved compliance under CCPA/CPRA and the Virginia and Colorado laws, which take effect in 2023, may have already made headway with respect to NYPA compliance.
Covered Entities and Consumers. The proposed NYPA has a fairly broad jurisdictional mandate, applying to any entity that does business in New York or that produces products or services targeting state residents (presumably including non-profits, unlike the California and Virginia laws, which generally exempt them), and that (1) has $25 million or more in annual gross revenue, or (2) controls or processes personal data of at least 100,000 New York consumers, or (3) controls or processes the personal data of at least 500,000 individuals nationwide and at least 10,000 New York consumers, or (4) derives at least 50 percent of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 New York consumers.[4] An earlier draft of the NYPA featured a more extensive mandate: it applied to any legal entity conducting business in New York, or producing products and services for residents, without further limitations.[5] The jurisdictional scope of the current draft aligns the NYPA more closely with the CCPA, which applies to any for-profit entity that conducts business in California and that either (1) has $25 million or more in annual gross revenue, or (2) buys, sells, receives, or shares the personal information of at least 50,000 California residents, households, or devices for commercial purposes, or (3) derives at least 50 percent of annual revenue from selling California residents’ personal information.[6]
Under the NYPA, covered consumers are New York residents “acting only in an individual or household context” and not persons acting in a professional or employment capacity.[7]
Personal Data. The NYPA broadly defines personal data as “any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device.”[8] This includes names, identification numbers, location data, and online or device identifiers, but excludes de-identified data.[9] Moreover, like the CCPA, the NYPA exempts personal data governed by other privacy regimes, such as the Gramm-Leach-Bliley Act and its implementing regulations, as well as protected health information collected pursuant to the Health Insurance Portability and Accountability Act of 1996.[10]
Consumer Rights. Consumer rights under the NYPA are similar to those under existing state privacy laws and include GDPR-style rights, such as:
- The right to know the categories of personal data processed by controllers and third parties, and the right to know the purpose for such processing.[11]
- The right to access, correct, and delete personal information.[12]
- The right to data portability.[13]
Data controllers generally must communicate consumer requests for data correction or deletion to each third-party recipient to whom the personal data has been disclosed.[14] Controllers must also post a privacy notice that discloses the categories of personal data processed, the purposes for disclosing personal data, a description of consumers’ rights, categories of personal data shared with third parties, and the names of those third parties.[15]
Notably, data controllers under the NYPA must obtain opt-in consent before processing personal information for any purpose, subject to the limitations specified in the bill.[16] Moreover, opt-in consent must be obtained before making any “changes to the existing processing or processing purpose,” such as using “less protective” methods of collection.[17] The proposed opt-in consent requirement distinguishes the NYPA from the California, Colorado, and Virginia laws, which instead give consumers the right to opt out of certain personal data processing (though, under the Virginia CDPA, businesses must obtain opt-in consent before collecting or processing “sensitive data”).
Fiduciary Obligations. While the bill no longer uses the term “data fiduciary,” it still employs the same concept. Data controllers must exercise duties of loyalty and care that would ultimately prevent them from using consumer information in a harmful way.[18] The NYPA’s duty of loyalty requires controllers to notify consumers about data processing adverse to consumer interests,[19] and prohibits controllers from engaging in “unfair, deceptive, or abusive acts or practices with respect to obtaining consumer consent, the processing of personal data, and a consumer’s exercise of any [outlined] rights.”[20] Moreover, the duty of care compels the implementation of certain practices, including annual risk assessments and reasonable safeguards to protect personal information.[21] A business that suffers a cyberattack could therefore face claims that it failed to meet these duties, for example by not conducting the required risk assessments or not maintaining reasonable safeguards, but such claims are unlikely to succeed in court unless the plaintiff can show identity theft or some other actual harm.
Liability and Enforcement. Finally, the Attorney General may bring actions to enforce the NYPA, and the act also provides New York consumers a private right of action for certain violations of the act.[22] By comparison, California provides only for a narrow private right of action while Virginia and Colorado do not provide for one at all. Notably, however, although there is a private right of action in the NYPA, it does not extend to statutory damages for private individuals. Plaintiffs bringing claims would need to establish actual damages.[23]
* * *
After the senate and assembly versions of the bill come out of committee, they will likely return to the floors of each chamber for a reading and a vote. Ropes & Gray will be monitoring for further developments in New York and other states’ privacy laws and providing our analysis here. Subscribe to RopesDataPhiles to receive alerts about new posts related to key state privacy laws.
[1] See the New York State legislative website for a summary and full PDF text of Senate Bill S6701A, https://www.nysenate.gov/legislation/bills/2021/s6701/amendment/a, and Assembly Bill A680B, https://www.nysenate.gov/legislation/bills/2021/a680/amendment/b.
[2] S6701A § 1102(3), (5), (6); A680B § 1102(3), (5), (6).
[3] S6701A § 1102(2)(a)(i); A680B § 1102(2)(a)(i).
[4] S6701A § 1101(1); A680B § 1101(1).
[5] Earlier assembly bill draft: AB A8526 § 1101. See also 2019 Ropes & Gray article “New York Updates Privacy Laws” (“The NYPA would affect most companies that do business in New York or with New York residents, regardless of their location, size, or revenue. The law applies broadly to (i) any legal entity that conducts business in New York or (ii) produces products or services that target New York residents.”).
[6] Cal. Civ. Code § 1798.140(c).
[7] S6701A § 1100(5); A680B § 1100(5).
[8] S6701A § 1100(14); A680B § 1100(14).
[9] S6701A § 1100(14), (15); A680B § 1100(14), (15).
[10] The GLBA exemption can be found at S6701A § 1101(2)(c)(i) and A680B § 1101(2)(c)(i); the HIPAA exemption can be found at S6701A § 1101(2)(c)(vii) and A680B § 1101(2)(c)(vii).
[11] S6701A § 1102(1)(a)(ii), (iv); A680B § 1102(1)(a)(ii), (iv).
[12] S6701A § 1102(3), (5), (6); A680B § 1102(3), (5), (6).
[13] S6701A § 1102(4); A680B § 1102(4).
[14] The right of correction is discussed in § 1102(5)(c)(ii) in both bills; the right of deletion is discussed in § 1102(6)(a) in both bills.
[15] S6701A § 1102(1)(a); A680B § 1102(1)(a).
[16] S6701A § 1102(2)(a)(i); A680B § 1102(2)(a)(i). Limitations are outlined in § 1105 in both bills.
[17] S6701A § 1102(2)(a)(ii); A680B § 1102(2)(a)(ii).
[18] S6701A § 1103(1)(b), (c); A680B § 1103(1)(b), (c).
[19] S6701A § 1103(1)(b)(i); A680B § 1103(1)(b)(i).
[20] S6701A § 1103(1)(b)(ii); A680B § 1103(1)(b)(ii).
[21] S6701A § 1103(1)(c); A680B § 1103(1)(c).
[22] S6701A § 1106; A680B § 1106.
[23] S6701A § 1106(6); A680B § 1106(6).