Finding a balance between the need to handle personal information and protecting the privacy of individuals can be challenging. Privacy is a significant element of freedom, “to be secure… against unreasonable searches and seizures” (according to the Fourth Amendment). Privacy laws hold accountable those who steal or misuse data, and are necessary to protect privacy rights. These laws drive stronger industry standards and prioritize privacy over other objectives. 

The familiarity and comfort of tailor-made online experiences and sheer convenience of having our devices anticipate our every move take on a slightly darker twist with the popular belief that “Big Tech” is trying to exploit our personal data and various governments are trying to keep tabs on us. Whether or not this is the case, data protection acts are taking action to help us regain our privacy and control over our information.

NYPA is a comprehensive consumer privacy law that aims to protect the privacy of the citizens of New York by empowering them to exercise greater control over their personal information and by holding businesses accountable.

The New York Privacy Act, advocated by Senator Kevin Thomas (D-Nassau County), passed in the New York State Senate after its third reading on June 8, 2023, and was delivered to the New York State Assembly. 

The 2023 bill is titled Senate Bill 365A and includes some notable provisions. We’ll review some of them below.

Key Takeaways From the New York Privacy Act

The proposed measures aim to empower consumers with greater control over their privacy and enhance accountability in data processing practices. The key provisions include:

1. Mandatory Consent: Companies would be obligated to obtain explicit consent from consumers before processing their personal data. This requirement ensures that individuals have the choice and awareness regarding the use of their information.
2. Transparency and Accountability: The legislation would establish robust transparency and accountability standards for businesses that handle substantial amounts of personal data. This ensures that companies are transparent about their data collection and processing practices, and are accountable for how they handle consumer information.
3. Oversight of Data Brokers: The Office of the Attorney General would be granted authority to conduct oversight of data brokers. These are entities that collect personal information about consumers and sell that data to other controllers or third parties. This oversight ensures that data brokers adhere to privacy regulations and responsibly handle consumers’ personal information.

Who does it apply to?

It is yet to be determined in detail but the NY personal privacy protection law will apply to entities conducting business in New York and possibly those handling personal data of New York residents.

The projected criteria for the application of NYPA are said to be:

• If your yearly gross revenue is over $25,000,000.
• If you control the data of a minimum of 100,000 New Yorkers.
• If you control the data of a minimum of 500,000 people in general, with 10,000 that are New York residents.
• If you derive 50% or more of your gross revenue from the selling of personal data.

Targeted advertising and data sellers are not the only ones who need to take heed of the upcoming laws and regulations to ensure they won’t be in violation and open to penalties. Any business or company that processes, stores, handles or uses personal information of any kind will need to adhere to these laws. 

As the global market becomes more and more interconnected, businesses around the world will need to take into account the NYPA if they want New York’s residents to use their websites or services. 

Government bodies who are processing or storing data for reasons other than sales are exempt from the NYPA, as is data maintained for employment purposes, protected health information and data collected to research on human subjects. These exemptions will need to be examined in greater detail when the final version of NYPA is released.

The Latest in New York Privacy: Child Data Protection and SAFE for Kids Act

While the NYPA remains stuck in legislative limbo, New York has taken a different route to strengthen privacy protections—this time with a focus on children. Two newly passed bills, the New York Child Data Protection Act (S7695) and the SAFE for Kids Act (S7694), are now awaiting Governor Kathy Hochul’s signature. Together, these bills represent a significant push to protect minors online.

Here’s an overview of these developments and what they could mean for businesses and consumers.

The New York Child Data Protection Act (S7695)

This act is aimed squarely at operators of websites, online services, and applications that collect personal data from minors under 18. It introduces strict rules to ensure minors’ data is handled responsibly:

• Operators must obtain parental consent for users under 13 and informed consent for users aged 13-17, unless the data is necessary for limited purposes like fraud prevention or compliance with the law.
• Businesses will be required to delete data of minors within 30 days of learning their age unless specific exceptions apply.
• The sale or purchase of minors’ personal data will be outright prohibited.
• Contracts with third-party vendors must reflect the new rules governing minors’ data.

If signed, this law will take effect one year after its passage. For businesses, that means a ticking clock to overhaul policies and systems to comply with these strict standards.

The SAFE for Kids Act (S7694)

While the Child Data Protection Act focuses on data collection, the SAFE for Kids Act takes aim at the addictive nature of social media platforms. It regulates services that use algorithms to prioritize content based on user data and imposes specific obligations on platforms offering “addictive feeds.”

Under the SAFE for Kids Act:

• Platforms must verify that users are not minors or secure parental consent before delivering addictive feeds.
• Notifications to minors are restricted between 12 a.m. and 6 a.m. ET unless parents explicitly allow them.

This act has a faster timeline, taking effect 180 days after the Attorney General establishes the rules for implementation. Businesses that rely on algorithm-driven content delivery will need to make swift adjustments.

Implications for Businesses

If these bills become law, businesses operating in New York will face significant compliance challenges. To prepare, companies should focus on:

1. Implementing Age Verification: Adopting methods to confirm users’ ages accurately.
2. Revising Data Policies: Aligning data collection, processing, and deletion practices with these new requirements.
3. Updating Contracts: Ensuring agreements with third-party vendors handling minors’ data comply with the law.
4. Limiting Notifications: Redesigning notification systems for social media platforms to avoid violations.

Stakeholder Reactions

These bills have received mixed responses. Governor Kathy Hochul has endorsed them as essential to protecting children in an increasingly digital world. On the other hand, groups like NetChoice, an internet trade association, have criticized the bills as unconstitutional. NetChoice has likened these measures to California’s controversial Age-Appropriate Design Code Act, which is already the subject of legal battles.

Unique Aspects of NYPA versus Other Privacy Laws

NYPA has been noted to surpass its contemporaries, like the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), in its stringencies. It is more specific than the CCPA, which has received criticism for being impractical due to its breadth and very general terms. Yet it is less broad than the GDPR.

There are plenty of common factors between the New York Privacy Act and other more established privacy laws, like Europe’s GDPR, including lawful processing, consent, individual rights to name a few. 

The naming of third parties with whom a company does business is a requirement of NYPA in order to provide full transparency to consumers. The New York Privacy Act also refers to data fiduciary responsibilities. This can be compared to the GDPR’s Data Controller- the one who decides the purpose and process to handle personal data.

Yet unlike most other famous privacy laws, the NYPA does not include a category of “sensitive data” that usually requires many of its own unique controls and handling laws.  

What happens if you don’t comply?

As is the case with the vast majority of privacy laws, failure to comply will lead to fines and penalties that can be financially crippling, or at least significant. Relative to laws like the GDPR, the penalties for non-compliance with NYPA are more modest, namely up to $15,000 per violation. This may at first sound moderate but we will need to establish what constitutes a single violation- it may well add up. 

Steps to The New York Privacy Act Compliance

As with all privacy laws, the best place to start is by knowing where your company touches personal data and evaluating the flow of data from inception through the completion of your service or business. Take into account not only the networks and systems within your organization, but also the vendors with whom you do business. Do they receive personal data from you? Are your compliance demands incorporated into your SLA’s (Service Level Agreements)? Ensure your vendors will not be the downfall of your compliance with vendor risk assessments.

Create a privacy notice for your customers. Scope your organization to know where personal information is to be found and ensure all aspects are covered in the privacy notice- including the rights mentioned above.
Consider using an automated risk and compliance management platform that will prepare your organization for compliance with all of the major privacy laws. Schedule a demo to see how Centraleyes cutting-edge compliance tools will boost your company’s compliance with the upcoming NYPA privacy regulations.

The post Everything You Need To Know About The New York Privacy Act appeared first on Centraleyes.