On May 13th, the New York Privacy Act (“NYPA”) was introduced in the state’s Senate; if passed, this comprehensive consumer privacy law would be similar to the California Consumer Privacy Act (“CCPA”) and Virginia’s Consumer Data Protection Act (“VCDPA”), and it includes some elements that align it with Europe’s General Data Protection Regulation (“GDPR”). A version of NYPA was previously introduced in 2019, and the 2021 version contains a few changes that reflect the evolving data privacy landscape.
Who is subject to NYPA?
If passed, the NYPA would apply to organizations conducting business or targeting consumers in New York that satisfy at least one of the following thresholds (only one of the criteria below needs to be met for the law to apply):
- have annual gross revenue of $25M or more;
- control or process personal data of at least 100,000 New York residents;
- control or process personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents; or
- derive over 50% of their gross revenue from the sale of personal data, and control or process personal data of at least 25,000 New York residents.
What rights does the NYPA grant to consumers?
The NYPA provides consumers a broad set of rights over their personal data, including the rights to:
- receive clear notice of how their data is being used, processed and shared;
- provide or withhold consent for the processing of their data for any purpose;
- access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services;
- correct inaccuracies in their data;
- delete their data; and
- challenge certain automated decisions.
What other provisions does the NYPA include?
Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” This notice must include a description of the consumers’ rights, the categories of personal data processed, the sources of that data, the purposes for which the data is processed, and the identities of all outside parties to whom the data is disclosed, as well as information about how those parties will use the data and how long they will retain it. The notice must be dated with its effective date and updated at least annually. The notice (as well as each version of the notice dating back six years) must be made readily available to consumers.
The NYPA prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
The NYPA requires data brokers to register, pay an annual fee to the Attorney General, and submit information regarding their data use practices and contact information. The Attorney General must maintain a data broker registry on its website. Additionally, controllers must annually submit a list of all known data brokers or persons reasonably believed to be data brokers with whom the controller provided personal data in the preceding year and can only share personal data with data brokers that are properly registered.
Data controllers are required to conduct and document annual risk assessments of all current processing of personal data. They must also develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal data of consumers including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue.
Is NYPA different from CCPA or VCDPA?
Yes. In fact, the NYPA imposes more stringent rules than the CCPA and VCDPA in some important respects, including by requiring data controllers to:
- collect opt-in consent from consumers before processing their personal data for any purpose (which means it is more similar to GDPR);
- perform an annual risk assessment of all of the data controller’s processing activities;
- provide detailed disclosures about the activities of outside parties to whom they disclose personal data;
- respond to consumer requests to correct personal data; and
- make disclosures about their automated decision-making activities, afford consumers the opportunity to challenge automated decisions, and conduct and publish assessments on the impacts of their automated decision-making processes.
What are the penalties for NYPA violations?
Under the NYPA, the New York Attorney General may bring an action to enforce violations of the law, with civil penalties of not more than $15,000 per violation (each instance of unlawful processing counts as a separate violation). Additionally, the NYPA would grant consumers a private right of action to seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees. Importantly, an organization found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with NYPA, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection without infringing upon the website UI that businesses rely on to drive revenue. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.