I. Introduction
New York does not yet have a comprehensive data privacy law in effect, but it is among several U.S. states actively working toward establishing comprehensive consumer data privacy protections. While existing laws in the state already address specific aspects of data protection, such as data breach notification and biometric data, New York lawmakers have introduced proposals to implement broader privacy regulations that would align with modern data rights expectations.
These proposed laws aim to empower New York residents with more control over their personal data and impose greater accountability on businesses that collect, use, or share such data. This overview highlights key themes commonly seen across privacy proposals in New York and how organizations can prepare in anticipation of future legislation.
II. Who Might Be Required to Comply
Pending legislation in New York typically applies to entities that:
- Conduct business in the state or target products/services to New York residents,
- Collect and process large volumes of personal data (e.g., 100,000+ consumers or devices), or
- Derive a significant portion of revenue from selling personal data.
Small businesses may be excluded unless they meet certain revenue or data-processing thresholds.
III. Definitions of Key Terms
Personal Information: Broadly defined to include identifiers like name, address, IP address, geolocation, biometric data, browsing history, employment details, financial records, and more.
Biometric Data: Includes iris scans, fingerprints, facial recognition data, voiceprints, and behavioral traits such as gait or typing patterns when used to identify individuals.
IV. Anticipated Obligations for Businesses
While specific language may vary across drafts, organizations can expect the following types of obligations:
A. Lawful Basis for Data Processing
Data collection and use must be limited to what is necessary and proportionate to the purpose stated. Processing without a valid legal basis may be restricted or prohibited.
B. Consent and Transparency
Organizations may need to:
- Obtain explicit consent before selling or sharing personal data;
- Provide clear, concise, and accessible privacy notices outlining data practices; and
- Allow consumers to opt out of data sales or targeted advertising.
C. Non-Discrimination
Entities cannot discriminate against consumers who exercise their privacy rights (e.g., by charging different prices or denying services).
D. Security Measures
Companies must implement reasonable safeguards to protect personal data from unauthorized access, disclosure, or loss.
V. Anticipated Consumer Rights
Proposed legislation generally includes rights such as:
- Right to Access: View what data is collected and how it's used.
- Right to Delete: Request deletion of personal data.
- Right to Opt-Out: Prevent the sale or sharing of personal information.
- Right to Correct: Amend inaccurate personal information.
- Rights for Minors: Special protections for users under the age of 16, often requiring opt-in consent.
VI. Enforcement & Penalties
New York privacy proposals often grant enforcement authority to the State Attorney General, who may:
- Investigate violations;
- Seek civil penalties (up to $7,500 per violation in some proposals); and
- Issue guidance on compliance expectations.
Some bills also propose granting consumers the right to bring private lawsuits under certain conditions.
VII. How Businesses Can Prepare
Even though privacy legislation is still under consideration, businesses should take a proactive approach:
- Map personal data collected, stored, and shared across systems.
- Establish governance frameworks to handle consumer rights requests.
- Review vendor relationships and data-sharing practices.
- Update privacy policies for transparency and compliance readiness.
- Conduct risk assessments and ensure adequate security controls.
VIII. How Securiti Can Help
Securiti’s Data Command Center enables organizations to future-proof their data privacy programs. It helps operationalize compliance across evolving regulations by:
- Automating data subject rights fulfillment,
- Managing data inventories and flows,
- Generating real-time privacy and security posture insights,
- Offering robust controls for consent, data classification, and breach response.
With unified data intelligence across cloud and on-prem environments, Securiti ensures you're prepared for New York’s privacy future, whatever shape it takes.
Request a demo to see how Securiti can help you stay ahead of emerging state-level privacy regulations.