These days, everything is online—including private consumer data. Because the United States does not currently have a nationwide data privacy law, states may enact their own data privacy protections. New York is one of the latest states to follow suit.
Who is affected by New York data privacy laws?
The New York Privacy Act of 2021 governs companies who collect, store, and process personal consumer data. It is currently in the state legislature.
While the final text of the bill remains to be determined, the new regulations will apply to any entity conducting business in New York, and/or companies who collect, store, or process personal data from New York residents.
The thresholds are expected to include:
- Entities with gross revenue over $25 million;
- Entities controlling the data of 100,000 or more New York residents;
- Entities who control the data of 500,000 or more people, including at least 10,000 New York residents; or
- Entities who derive half or more of their gross revenue from selling personal data.
There are certain exceptions. Government agencies who process and store data for purposes other than sales are exempt. Similarly, data for employment purposes, research on human subjects, and protected health information will be exempted from the New York Privacy Act. However, because the bill may undergo changes before it’s ultimately passed, it’s important for businesses to stay up to date.
New York privacy law
If passed, the New York Privacy Act will require the following:
- Notice: Consumers must be notified about which data is being collected and processed. Companies will need to disclose who is collecting the data and for what purpose it will be used.
- Opt-in consent: Companies cannot automatically collect or process personal data. Instead, they must obtain affirmative, unambiguous, and informed consent. That is, consumers must be notified that their data could be collected, notified what it’s used for, and have the ability to opt in or out.
- Ability to access and correct data: Businesses must provide an easily accessible way for consumers to access the personal data collected, and to request corrections when necessary.
- Ability to delete: Companies must also provide the means for consumers to request their information be deleted in its entirety. This also applies to third-party companies who handle their data processing.
- Annual risk assessments: Businesses need to perform annual data risk assessments to ensure consumer data remains safe and protected. They must delete unneeded data annually.
- Disclosures regarding automated decision-making: Finally, companies will be required to create disclosures as to how automated decision-making uses personal consumer data.
While you might be tempted to try a one-size-fits-all privacy notice and policy template, such templates often do not cover each applicable scenario. It’s important that your company keep up with changes to privacy laws, on both the state and federal level.
Our software pairs technology with real legal expertise, to deliver compliant New York privacy policies and notices in record time. Simply answer a series of questions, download the generated document and have your lawyer review. It’s a quick and easy way to stay compliant and avoid incurring penalties—all while saving money on legal guidance.