The concerns over protecting users’ data and privacy have become increasingly critical in today’s digital era. Many states across the US have enacted comprehensive data protection and privacy laws to govern the collection, processing, sharing, and selling of users’ data while giving users more rights and control over their data.
However, New York does not yet have a comprehensive consumer data privacy law. To stay updated on the progress of privacy-related bills across the US, visit our US State Privacy Laws Tracker.
Even without a comprehensive data privacy law, businesses in New York must maintain strict privacy operations. This ensures compliance with changing privacy standards and prepares them to adapt to future regulations.
The following guide provides an overview of the state’s current data protection laws and highlights primary considerations for businesses.
The Current State of the Data Protection Laws in New York
Although New York does not yet have a comprehensive consumer privacy law, organizations must comply with multiple state and federal requirements.
SHIELD Act - Breach notification (GBL § 899-aa): This law requires notification to affected residents and state regulators after unauthorized acquisition of “private information,”.
SHIELD Act: Reasonable security (GBL § 899-bb): According to this law, businesses that own or license New York residents’ private information must develop and maintain reasonable administrative, technical, and physical safeguards appropriate to their size and risk.
NYDFS Cybersecurity Regulation (23 NYCRR Part 500): As per this law, financial-services “Covered Entities” must maintain a risk-based cybersecurity program, report qualifying incidents to DFS, and meet governance and control requirements.
New York Child Data Protection Act (NYCDPA): In this law, New York restricts the collection, processing, and sale of minors’ data without appropriate consent and safeguards.
NYC biometric identifier law (Local Law 3 of 2021; NYC Admin. Code §§ 22-1201–1205): This law mandates commercial establishments in New York City to post notices when collecting biometric identifiers and prohibits them from selling biometric data.
Unfair or deceptive acts and practices (GBL § 349): As per this law, deceptive acts or practices (i.e. misleading privacy notices or representations) are deemed unlawful and may be enforced by the Attorney General and private litigants.
Employee electronic-monitoring notice (Civil Rights Law § 52-c): As outlined in this law, private employers are required to provide written notice upon hire and post conspicuous notice of monitoring employees’ calls, email, or internet use.
Applicable Federal Laws
Depending on your industry and data, federal frameworks continue to set the floor:
- Health Insurance Portability and Accountability Act HIPAA for protected health information handled by covered entities and business associates.
- Children Online Privacy Protection Act (COPPA) for online data about children under 13 (alongside NYCDPA for minors).
- Gramm-Leach-Bliley Act (GLBA) for financial institutions’ customer data.
Best Practices for Businesses
Businesses operating in New York are encouraged to ensure safe data protection and privacy practices. Regardless of the presence or absence of any comprehensive privacy law, strong data handling builds long-term compliance and customer trust. Businesses may consider the following when aligning with state, local, and federal laws:
- Create an inventory of all data assets and data locations. Identify what is collected, where it resides, who accesses it, and what rules apply, including cross-border restrictions.
- Enable data mapping automation to understand data flows across systems. This supports data quality, lineage, and lifecycle governance.
- Implement robust security controls by deploying administrative, technical, and physical safeguards appropriate to the organization’s risk profile.
- Provide clear, accurate privacy notices and obtain consent where required (especially for minors’ data under the NYCDPA).
Conclusion
Organizations can efficiently navigate the complex privacy legal landscape by adhering to best practices and investing time in understanding applicable laws. New York’s SHIELD Act (breach notice and reasonable security), NYDFS Cybersecurity Regulation, the Child Data Protection Act,, NYC’s biometric ordinance, and UDAP enforcement create real obligations today while the state continues to consider broader privacy legislation.
