New York Privacy Act approved by Senate: Here’s how it differs from other state privacy laws
Posted: June 18, 2024
The New York Senate approved the New York Privacy Act (NYPA) on 3 June, bringing the state one step closer to joining the 19 others that have enacted comprehensive privacy laws.
Like almost every other state, the NYPA models its law closely on the framework established by the Virginia Consumer Data Protection Act (VCDPA).
But, like comprehensive privacy laws in increasingly many states, the NYPA departs from the VCDPA via some unique or unusual provisions that businesses operating in New York should pay close attention to.
Application
One particularly noteworthy aspect of the NYPA is its relatively broad application.
The NYPA applies to any “legal person” (a business or other entity) that conducts business in New York or produces products or services targeted to New York residents, and that meets one or more of the following thresholds:
- It has annual gross revenue of at least $25 million
- It controls or processes personal data about at least 50,000 New York consumers
- It derives over 50% of its gross revenue from the sale of personal data
If the NYPA passes, it would make New York the only state other than California to apply its comprehensive privacy law to businesses meeting a specific revenue threshold regardless of how much personal data they process.
Certain states, namely Utah and Tennessee, restrict the application of their privacy laws to businesses with over $25 million in revenue. This “floor” threshold excludes lower-revenue businesses even where they process large amounts of personal data.
Other states, such as Texas and Delaware, target their privacy laws at all businesses but exclude “small businesses” with fewer than 500 employees from almost all obligations.
With this California-style revenue threshold, the NYPA will capture many more businesses than comprehensive privacy laws in most other states.
Transparency requirements
The NYPA requires controllers to publish a fairly extensive privacy notice that includes more detail than is required under most other laws.
The law requires that each controller must “make publicly and consistently available, in a conspicuous and readily accessible manner, a notice containing the following”:
- A description of the consumer’s rights under the NYPA
- Information about how a consumer can exercise their rights, including how to withdraw consent
- The categories of personal data processed by the controller and by any processors
- The sources from which personal data is collected
- The purposes for processing personal data
- The categories of third parties to whom the controller disclosed, shared, transferred or sold personal data
- For each category of third party:
  - The categories of personal data being shared, disclosed, transferred, or sold to the third party
  - The purposes for which personal data is being shared, disclosed, transferred, or sold to the third party
  - Any applicable retention periods for each category of personal data processed by the third parties or processed on their behalf, or if that is not possible, the criteria used to determine the period
  - Whether the third parties may use the personal data for targeted advertising
- The retention period for each category of personal data processed by the controller or any relevant processors, or if that is not possible, the criteria used to determine that period.
The NYPA requires a detailed description of how controllers share personal data with third parties. But, unlike some other laws, it does not require controllers to name the third parties with which they share personal data.
The law also requires that a controller’s privacy notice is “written in easy-to-understand language and format at an eighth-grade reading level or below and in at least twelve-point font” and that controllers make privacy notices from the past six years available to consumers on request.
The right of access
The NYPA’s focus on transparency around disclosures of personal data to third parties also manifests in its “right of access” provisions.
The law states that, upon receiving a verified consumer request, a controller must provide a copy of the consumer’s data “in a manner understandable to a reasonable consumer,” and also disclose:
- The category of each processor or third party to whom the controller disclosed, transferred, or sold the consumer’s personal data
- For each category of processor or third party:
  - The categories of the consumer’s personal data disclosed, transferred, or sold
  - The purposes for which each category of the consumer’s personal data was disclosed, transferred, or sold
Note that, unlike the law’s transparency obligations, the NYPA’s right of access requires businesses to disclose the categories of processors – as well as third parties – to which the controller has disclosed personal data.
But as with the NYPA’s transparency obligations, consumers are not entitled to information about the specific third parties (or processors) to which the controller has disclosed their personal data—only the categories of third parties and processors.
Nonetheless, a controller will need to carefully map how data flows into and out of its organization in order to provide this detailed breakdown of its data disclosures.
Other consumer rights
The NYPA includes several noteworthy provisions relating to other consumer rights that set New York apart from most other states, including:
- The “right to correct” explicitly requires controllers to “conduct a reasonable investigation” to determine whether personal data is inaccurate within 45 days of a request.
- Controllers must treat a consumer’s request to delete their online account as a request to “delete all of that consumer’s personal data directly related to that account.”
- A controller must maintain “reasonable procedures designed to prevent the reappearance” of personal data deleted following a consumer’s request, either “in its systems” or among “any data it discloses, transfers, or sells to any processor or third party.”
- Under the NYPA’s “right to portable data,” a controller must transfer the portable copy of a consumer’s personal data to another controller on behalf of the consumer on request.
Should the NYPA be enacted by the New York legislature, the law will add another piece to the increasingly complex compliance puzzle being presented by comprehensive state privacy laws – and perhaps strengthen the case for a federal law that provides uniform standards across the US.