December 8, 2021

New York Privacy Act - What you need to know

Mark Rowan

The New York Privacy Act, presented by state senator Kevin Thomas earlier this year, would offer New York citizens greater control over personal data than people in any other state. It would also oblige firms to prioritize the privacy of their clients before their own profits. The bill is still being amended, but Thomas says he is certain that he has a majority of senators' support and intends to approve it in 2022.

As a result, New York is set to become the next battleground in the struggle for state privacy legislation. With the passage of the California Consumer Protection Act in 2020, California became the first state to pass such legislation. Since then, industry organizations and consumer activists have been battling over its wording. Businesses claim that the CCPA is extremely broad and that complying with multiple rules in each state is impractical, preferring instead a more light-touch federal regulation.

The New York Privacy Act is comparable to the California statute in certain ways. Similar to the CCPA, it would let consumers view what data corporations are collecting on them, see who they're sharing it with, request that it be rectified or destroyed, and opt out of having their data shared with or sold to third parties entirely.

So what exactly is this new potential law, and what makes it so important for businesses? Let’s break it down.

Everything You Need to Know About the New York Privacy Act

We don’t know for sure if the act will go into effect in 2022, but there is a very good chance it will. Let’s start by breaking down what the New York Privacy Act is.

What is the New York Privacy Act?

Bill SS6701, or the New York Privacy Act, is a bill currently in the process of being revised that could go live in 2022. This potential law would essentially compel data controllers to get customers' opt-in consent before processing their personal data for any reason. Data controllers would also be required to give thorough disclosures regarding the activities of third-party recipients of personal data.

Businesses will also be required to respond to consumer requests for personal data correction, make disclosures about their automated decision-making activities, allow consumers to end automated decisions, and conduct assessments based on the impacts of a company’s automated decision-making processes, according to the NYPA bill.

The NYPA, like the CCPA and CDPA, defines personal data broadly to encompass any information that may be connected to a specific natural person, household, or device, directly or indirectly. However, unlike the CPRA, CDPA, or GDPR, the New York law does not include a category of "sensitive data" that is subject to additional safeguards.

The NYPA would also impose duties of loyalty and care on data controllers, the latter of which would necessitate an annual risk assessment of the relevant data controller's data processing actions. Regulators would then take direct aim at targeted advertising and data sales, declaring that these activities are not considered processing purposes necessary to provide services or goods requested by a consumer.

To summarize, the New York Privacy Act of 2021 requires companies to provide notification of consumers’ rights, opt-in consent, the right to access and correct consumers’ own data, and the right to delete one’s own data. It also requires businesses to destroy redundant data yearly. There are similar laws and regulations in place on a global scale, such as the General Data Protection Regulation (GDPR).

What is the Purpose of the New York Privacy Act?

To put it as simply as possible: This act was created to protect consumer data and data privacy in New York. Businesses globally will have to be compliant with this act, should it be passed, if they plan on having New York consumers use their websites or use any consumer data from New York consumers.

How Can Businesses Remain Compliant with this New Law?

Luckily, breaking down the basics of staying compliant with the New York Privacy Act is quite simple.

To start, conduct data mapping to discover the sources of personal data you get, the sorts of personal data you receive, how it is utilized, and to whom it is given. The proposed NYPA includes privacy notice requirements comparable to those found in the CCPA and CDPA, as well as a requirement that a controller name all third parties with whom it shares personal data. Data mapping will be necessary when creating a privacy notice.

Investigate the data flow to suppliers. Not only processors, but also "data brokers" must be notified of the data controller's NYPA compliance requirements through contract. Essentially, this applies to companies or units of a specific business that earn revenue from selling data or inferences about individuals gathered from sources other than individuals alone. By mapping data and identifying which third parties obtain personal data, businesses can begin analyzing and changing their contracts to push down essential requirements or negotiate additional constraints on third-party use of personal data in order to comply with the NYPA.

You'll also need to examine the facts to determine fiduciary responsibilities. The "data fiduciary" idea, as previously stated, is a unique aspect of the NYPA. Data mapping will be crucial in determining if a company is meeting its data fiduciary obligations and whether it needs to get consent from any New York residents.

Lastly, examine your current privacy policy, or design one if you don't currently have one, and make any necessary changes to comply with the NYPA's disclosure obligations. The bill's "profiling" provision includes more stringent disclosure and opt-out requirements for routine internet-based advertising, which your privacy policy should address.

It’s also worth noting that you might not even be required to be compliant with this potential law. In order for the NYPA to apply to you, you would need to meet one of the following criteria:

  • Yearly gross revenue of over $25,000,000.
  • Control of data from a minimum of 100,000 New Yorkers.
  • Control of data from a minimum of 500,000 people in general, with 10,000 that are New York residents.
  • You derive 50% or more of your gross revenue from the selling of personal data.

How Data Sentinel Can Help

This new law seems intimidating. However, you have some options.

Data Sentinel is a sensitive data management company that works to help businesses organize and secure their data via the cloud, on-premise, and anywhere else it can be stored. Our team of experts understands that businesses tend to change a lot, and with that comes changes in your valuable data. With real-time data management, you can keep track of your data, organize it where it needs to be, secure sensitive customer data, and manage the overall system that gathers information for different use cases. With Data Sentinel, you won’t have to constantly fight with your data and suffer as a result. If the New York Privacy Act is passed, we’ll be able to help your business to be compliant and as accurate as possible.
