The latest version of the New York (“NY”) State Privacy Law (“S365B”) is continuing to make its way through the NY State Assembly. As readers of this blog know, members of the NY State Senate have been trying to get a version of S365B enacted dating back to 2019. On June 8, 2023, the NY Privacy Law was passed by the Senate after its third reading and was then delivered to the NY State Assembly for consideration.
In addition to the 14 states that have already enacted state privacy laws, an additional 17 are currently in the process of doing so. Given the number of other jurisdictions that are considering and/or have already enacted similar laws, it is expected that 2024 will be the year for New York.
Senator Kevin Thomas, Chair of the Committee on Consumer Protection, supports S365B, explaining that New York State consumers “should have a right to choose if and how their personal information is collected and used by companies.”
If enacted, certain provisions of the NY Privacy Law will take effect immediately, while others will not take effect until one year after it is signed into law.
Key Provision of the NY Privacy Law
The proposed legislation applies to “legal persons” that conduct business in New York and meet one of the following criteria:
- Have annual gross revenue of $25 million dollars or more;
- Control or process the personal data of 50,000 consumers or more; or
- Derive over 50% of gross revenue from the sale of personal data.
It is worth noting that, originally, S365B had no revenue threshold and the second prong applied to the control or processing of data related to 100,000 or more consumers, not 50,000. The resulting changes seem to be a compromise, affording a small win to both businesses and consumers alike.
Under S365B, consumers have the right to:
- Know how their data is being used;
- Opt-out of the processing of their personal data;
- Access their data;
- Delete their data; and
- Correct their data.
Similar to other state regulations, the NY Privacy Law does not contain a private right of action and may only be enforced by the Attorney General of the State.
Impact of the NY Privacy Law
It should come as no surprise that in prior versions of S365B, both businesses and consumers expressed concerns about its substance. For example, businesses have communicated their fear of regulatory investigation and associated penalties should the bill be written into law. One small business owner in New York strongly opposes S365B because, she believes, it would hinder her ability to deliver “relevant ads to the right people” which would ultimately “increase costs and hurt . . . growth.”
As NY is only one of 18 states currently working to enact consumer data privacy laws, it is important that businesses stay up to date with the legislative process for each. This is especially crucial in light of the fact that each state privacy law is different in some (or many) respects.
[View source.]