May 3, 2021
As states continue to enact various data privacy legislation in 2021, such as Virginia’s recent enactment of the Consumer Data Protection Act (“CDPA”), New York State is poised to enact some of the most robust and stringent data privacy legislation yet. In January 2021, New York Governor Cuomo proposed to establish a comprehensive data privacy regime for New Yorkers’ personal data in the 2021 State of the State address. Under Governor Cuomo’s proposal, a comprehensive data privacy law in New York would be more protective of New York residents than the California Consumer Privacy Act (“CCPA”) is for California residents. Governor Cuomo’s vision of a New York comprehensive data privacy law may be reflected in the New York State legislature’s proposed trio of data privacy bills. The three proposed data privacy bills together focus on protection of New Yorkers’ biometric information (AB 27 – Biometric Privacy Act (“BPA”)), governance of personal data (AB 680 – New York Privacy Act (“NYPA”)), and protection of personal data (SB 567 – Consumer’s Right to Request Information).
Governor Cuomo announced that a comprehensive privacy law in New York “will provide New Yorkers with transparency and control over their personal data and will safeguard their privacy from bad actors.”1 Although Governor Cuomo's announcement did not specifically cite the proposed New York Privacy Act or other recently introduced data privacy bills, the recent proposed legislation serves as a guide for businesses preparing for compliance in anticipation of a new data privacy regime in New York. It is pertinent to note that requirements concerning consumer privacy laws outlined in Governor Cuomo’s proposal are yet to be added to the draft of the FY 2022 New York State Budget.
Below, we explore the bills and highlight some key provisions for businesses to consider in preparing for New York’s future data privacy landscape.
A. New York Privacy Act
In the 2021 State of the State address, Governor Cuomo emphasized how he wants to ensure significant protections for New Yorkers’ personal data, and the NYPA in its current form reflects that goal. The NYPA is more stringent than the CCPA in many respects. The proposed NYPA would apply to any legal entity that conducts business in New York or “produce[s] products or services that are intentionally targeted to residents of New York” (“Consumers”). Like the Virginia CDPA, the proposed NYPA adopts the EU’s General Data Protection Regulation (“GDPR”) definitions of “controller” and “processor”, instead of the “business” and “service provider” regime of the CCPA.
However, the NYPA defines and protects “personal data”2 more similarly to “personal information” under the CCPA than the CDPA. The NYPA’s “personal data” also covers information categorized by existing data privacy laws (e.g., the GDPR) as “sensitive categories of personal data,” such as historical or real-time geolocation data, medical and health information, race, religion, sex, or disability information, but does not contain a separate “sensitive” category of personal data. Like the GDPR and CCPA, the NYPA’s definition of “personal data” is extremely broad and will encompass a significant amount of information as personal data, including any consumer “profiling” if an inference about the consumer can be drawn from it. Also like the CCPA, the NYPA exempts from the definition of personal data any data that is governed by other privacy regimes, such as HIPAA or the Gramm-Leach-Bliley-Act.
A unique feature of the NYPA is the “data fiduciary” concept. The “data fiduciary” obligation prohibits the use, processing, or transfer of a New Yorker’s personal data without express and documented consent; requires the business to “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to” the security of a New Yorker’s data privacy, even against the interest of the business; and requires a controller to push its NYPA compliance obligations downstream via contract not only to sub-contractors (e.g., processors) but also to “data brokers” (a business or a unit of a business that earns its primary revenue from supplying data or inferences about people gathered from sources other than the New Yorkers themselves) who may “profile” consumers or receive profiled data on New Yorkers from other entities for internet-based advertising. Significantly, the NYPA also grants New Yorkers a private right of action against the violator for injunctive relief, actual damages, or both, and in some cases reasonable attorney’s fees. Combined with the data fiduciary concept, this creates the potential for significant liability for covered businesses, particularly when it comes to vendors.
The NYPA as proposed grants New York consumers rights congruent to those under both the CDPA and GDPR such as the right to access, to correct, to delete, to restrict processing, and to non-discrimination. Further, the NYPA is similar to the CDPA in that it does not include any provisions authorizing the state Attorney General to promulgate rules to further interpret the law.
Compliance under the proposed NYPA will potentially be more challenging than under other data privacy regimes in the U.S. Because the proposed NYPA embraces many of the lessons learned from the CCPA regulations and adopts concepts from the GDPR, businesses that have already sought compliance with those regimes may be a step ahead of the game. Nonetheless, the breadth of personal data covered by the bill and its set of stringent requirements, including the “data fiduciary” obligation, will necessitate comprehensive preparation in order to adequately comply with the NYPA.
NYPA COMPLIANCE CHECKLIST: As drafted, the NYPA would provide covered businesses only three months to implement the NYPA’s obligations. It would be prudent for businesses to prepare for the NYPA now by taking some basic steps:
- Undertake data mapping to determine the sources from which you are receiving personal data, the types of personal data you are receiving, how it is used, and to which outside entities it is disclosed. The proposed NYPA includes privacy notice requirements similar to those under the CCPA and CDPA but also requires that a controller list all third parties with whom the controller shares personal data. Such data mapping will be necessary to draft an accurate privacy notice.
- Examine the flow of data to vendors. A controller is also required to push its NYPA compliance obligations downstream via contract not only to processors but also to “data brokers” (businesses or units of a business that earn primary revenue from supplying data or inferences about people gathered from sources other than individuals themselves). By data mapping and understanding which third parties receive personal data, businesses can begin the process of reviewing and amending their contracts to push down necessary obligations or negotiate new limitations on the use of personal data by third parties to comply with the NYPA.
- Analyze data fiduciary obligations. As mentioned above, a unique feature of the NYPA is the “data fiduciary” concept. Data mapping will be key to determine if a business is complying with this data fiduciary obligation and if it needs to obtain consent from any New York consumers.
B. The Biometric Privacy Act
The proposed New York BPA is an extension of the protection afforded to New Yorkers’ biometric data provided under the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act,3 which was enacted in July 2019 and added biometric information to the types of private information businesses need to safeguard. Governor Cuomo has called for stronger protections of biometric data than provided by the SHIELD Act. The New York BPA provides those stronger protections. The bill aims to establish a comprehensive set of rules for businesses possessing and/or collecting “biometric identifiers,” which is broadly defined to include fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition of a person. The bill also limits the use of biometric identifiers or biometric information of a customer, prohibiting any type of sale or profit from the biometric identifiers, and restricting disclosure of a customer’s biometric identifiers or information unless under statutorily limited situations (e.g., with consent).
The New York BPA requires compliance by a “private entity,” an individual or legal entity, however organized, in possession of a biometric identifier or biometric information. It does not allow a private entity to “disclose, redisclose, or otherwise disseminate a person’s biometric identifier or biometric information,” except under a limited set of circumstances including, among others, with consent by the subject or as required by law. A private entity would also be prohibited from collecting, capturing, or otherwise obtaining a subject’s biometric identifier or information unless the private entity informs the subject, in writing, that the biometric identifier/information is collected, stored, or used; and the specific purpose and length of collection, storage, or use; the private entity must also receive a written release from the subject. Similar to the Illinois Biometric Information Privacy Act (“BIPA”), the proposed BPA establishes a private right of action for affected individuals, who may have an action for even technical violations of the New York BPA (e.g., insufficient privacy notice). With the same penalties and other remedies available under BIPA, the New York BPA may also open the floodgates to class action lawsuits. If implemented, AB 27 would be the fourth enacted biometric-specific state law in the U.S.
NY BPA COMPLIANCE CHECKLIST: Businesses should be proactive and apply lessons learned not only from BIPA compliance, but also from other privacy laws related to biometric data, such as the CCPA. Businesses can start to think about implementing the following practices to ensure adherence:
- As with personal data, a business should understand what biometric data it collects, how it is used, and whether it discloses collected information to any third parties.
- Once a business understands what biometric data it is collecting and how it is using such data, start developing a public-facing written policy to disclose the collection and use practices, which should include the specific purpose and length of time the business will collect, store and use the biometric identifier or biometric information.
- Start developing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.
- If relevant, develop a mechanism to seek an individual’s clear consent prior to selling, leasing, trading, or otherwise profiting from an individual’s biometric data.
C. SB 567 Consumer Right to Request Information
New York SB 567 is another CCPA-like proposed law, albeit less stringent than the proposed NYPA. The proposed bill would grant consumers CCPA-like privacy rights such as access and nondiscrimination rights in addition to the right to opt out of sales of personal information, and would impose corresponding obligations on businesses that collect and process their personal information. In addition, many of the pertinent definitions in the bill—like “personal information” and “sale”—mirror the definitions under the CCPA. Like the NYPA, SB 567 protects the “personal information” of a New Yorker (“consumer”), which covers the same set of personal data as the proposed NYPA, but adds an additional category of personal data called “psychometric information,” which includes information derived or created from the use of any methods or models, such as actions or events, which are then connected, measured and assessed to help determine a consumer’s attributes, including, but not limited to, psychological markers such as trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. This introduces an additional layer of data markers for businesses to comply with. It also creates a separate category of “confidential and sensitive information” that covers any information that can uniquely identify the data subject, including genetic marker and genetic testing information. Reflecting the general trend of the trio of New York privacy bills, SB 567 also exempts from its purview personal information governed by other privacy regimes, such as HIPAA.
SB 567 establishes a similar set of consumer rights as the CCPA: the right to (1) request personal information collected by a business; (2) request the categories of personal information sold or disclosed (and the business purpose of the sale or disclosure), and the identities of the third parties to whom the personal information was sold; (3) opt out of sale; and (4) non-discrimination. Like its sister bill, the NYPA, SB 567 grants consumers a private right of action to bring suits based on violations of the law and provides for statutory damage awards of the greater of $1,000 per violation or actual damages, as well as up to $3,000 for knowing or willful violations. It also gives the New York Attorney General the authority to enforce the proposed bill. The New York Attorney General would also have the authority to promulgate regulations to further the purposes of the bill. Notably, SB 567 does not grant businesses a cure period for alleged violations, which exists under the CCPA, creating greater exposure to enforcement action for covered businesses.
CONSUMER RIGHT TO REQUEST INFORMATION COMPLIANCE CHECKLIST: Businesses should start to think about implementing the following practices to ensure adherence:
- Taking similar steps as outlined for the NYPA with regard to data mapping to prepare for implementation.
- Creating a clear and conspicuous “Do Not Sell My Personal Information” link on the business’s homepage that enables the consumers to exercise certain rights under the bill, including but not limited to requesting deletion of their information.
If passed, New York State’s privacy legislative efforts will result in market-changing digital privacy protections that will require significant compliance efforts for New York businesses. Given the complexity of the issue and its constant evolution, Cuomo’s proposal empowers New York legislators to introduce privacy laws and regulators to implement stringent compliance rules that will maximize privacy protections for New York residents.
Until a federal privacy law is passed, businesses in New York and other states will continue to face significant compliance obligations, particularly under New York’s three privacy bills as proposed. Compliance with an assortment of federal and state data privacy laws that are constantly evolving continues to introduce challenges to businesses handling personal data.
Entities organized or doing business in New York should start the process of preparing their data privacy compliance efforts now. Important first steps include understanding what data a business collects, how it is used and to whom it is disclosed. Establishing an initial data map early and updating it will be crucial in creating a data privacy program that can adapt to these newly introduced and evolving laws.
Please reach out to Linda Malek (lmalek@MOSESSINGER.COM), Jason E. Johnson (jjohnson@MOSESSINGER.COM), Kiyong Song (ksong@MOSESSINGER.COM), and Pralika Jain (pjain@MOSESSINGER.COM) with any questions relating to the trio of proposed New York privacy bills.
1 2021 State of the State, at 209; see also, N.Y. Gov., Governor Cuomo Announces Proposal to Safeguard Data Security Rights as Part of the 2021 State of the State (Jan. 15, 2021), https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-safeguard-data-security-rights-part-2021-state-state.
2 The proposed NYPA governs “personal data,” including (1) personal identifiers including, but not limited to, real name, signature, date of birth, gender identity, sexual orientation, marital status, postal address, telephone number, unique personal identifier, IP address, email address, various identification cards and numbers (e.g., driver’s license number), and, notably, a consumer’s physical characteristics or description; (2) other employment (e.g., employment history), financial (e.g., credit card number), and medical and health information (e.g., mental health information and health insurance information); (3) commercial information (e.g., record of personal income or assets, and purchase history); (4) biometric information; (5) a generous set of “internet or other electronic network activity information”; (6) historical or real-time geolocation data; (7) “audio, electronic, visual, thermal, olfactory, or similar information”; (8) education records; (9) political information or criminal conviction history; (10) security codes related to access for the consumer’s accounts; (11) “characteristics of protected classes under the human rights law[,]” including race, religion, sex, age, or disability; and a catch-all item of “an inference drawn from any of the information described [in the bill] to create a profile about an individual reflecting the individual’s preference, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.”
3 Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, N.Y. Gen. Bus. Law § 899-bb. The SHIELD Act broadly requires that "any person or business" that owns or licenses computerized data which includes private information of a New York resident "shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information, including, but not limited to, the disposal of the data." Id.