New Year Brings New Privacy Proposals Affecting New York Businesses
January 27, 2021 | Shari Claire Lewis
At the start of the 2021-2022 legislative session, the New York state legislature proposed a raft of new bills related to data privacy that may create challenges for entities doing business in the state. We expect that some or all will pass in some form, as many believe that current law does not adequately protect individuals’ privacy interests and may prevent New York from maintaining its leadership role in national commerce. We are encouraging our clients to prepare now for the passage of at least some of these bills.
Proposed New York Privacy Act
First and foremost, the New York Privacy Act was again proposed as an amendment to the General Business Law. If passed, it has the potential to substantially expand New York businesses’ obligations regarding consumer data privacy and security, and the consequences for a breach of those obligations.
The New York Privacy Act is intended to apply to all legal entities that “conduct business” in New York or target New York residents and that are not state or local governments or otherwise governed by HIPAA or the HITECH Act. It does not apply to individual data contained in employment records. Under the Act, every covered entity is a “data fiduciary” that owes the obligations of “due care, loyalty and confidentiality expected of a fiduciary” in securing the personal data of a consumer against a privacy risk. As a result, the entity is required to act in the best interest of the consumer, not the entity, in connection with the personal data. The Act limits the purposes for which the entity may use, sell, disclose, or share the personal data and requires the entity to take reasonable steps to ensure the privacy of the personal data when it is shared.
The New York Privacy Act proposes the creation of new consumer rights regarding the collection and use of consumers’ personal data. Consumers must be clearly advised of the entity’s data practices in advance of collection and be given an opportunity to opt in to or opt out of collection. Consumers will be entitled to request a report describing the processing of their personal data free of charge twice a year, and for a reasonable processing fee if requested more frequently. In response to a consumer request, entities must “without undue delay”:
- correct inaccurate personal data and complete missing information;
- delete consumer information unless it is required to be maintained for one of the reasons enumerated in the Act, such as to complete the business purpose for which it was originally provided (e.g., to process a payment) or because a legal requirement obliges the business to preserve the information; and
- cease processing the data if the consumer contests the data’s accuracy, the data’s collection or processing is unlawful or no longer has a legally permissible purpose, or the consumer requests it for another reasonable reason.
Under certain circumstances, businesses may be required to provide the consumer with his or her personal data in a format that may be used by the consumer or by another entity the consumer designates. Actions taken by the business regarding correction, deletion or restriction of use must be communicated by the entity to every third party with whom the entity has shared the data.
One of the biggest impacts the Privacy Act may have is the creation of a personal right of privacy that did not previously exist under New York law. Enforcement of the Act is generally entrusted to the Attorney General. However, the Act also permits an individual allegedly injured by a violation of the Act to bring a private suit to recover his or her own actual damages as well as legal fees. The court may also issue an order directing the defendant business to cease or change its data practices to comply with the Act.
Biometric Privacy Act
Also pending before the legislature is the Biometric Privacy Act. If passed, the Biometric Privacy Act would likewise amend the General Business Law to impose new requirements on “private entities” and provide consumers with a new right to bring a private suit if the Act is violated.
The proposed Act defines biometric information as a retina, iris, hand or facial geometry scan; a fingerprint; or a voiceprint. It excludes a variety of other data, such as handwriting, photographs, and biological samples collected for clinical purposes.
Entities would be required to develop and publish a written policy disclosing their process for the collection, retention, and permanent destruction of biometric information once the purpose for which it was collected has ended. Additionally, the entity would be required to give each consumer individual advance written notice, and obtain that consumer’s advance written consent, as to the collection, storage, and intended use of the biometric information.
The bill prohibits entities from “selling” a consumer’s biometric information for profit and limits sharing of that information to certain disclosed purposes. It requires that the entity store, transmit, and protect biometric information in a manner consistent with the standard in that entity’s industry and, in any event, in a manner at least as secure as the entity uses for its own sensitive or confidential information.
The bill proposes a private right of action for any person “aggrieved” by a violation of its provisions. That individual could recover $1,000 or actual damages, whichever is greater, for each negligent violation, or $5,000 or actual damages for each violation deemed intentional or reckless, plus attorneys’ fees, costs and any other relief the court deems appropriate, such as an order governing the entity’s future conduct.
Other New York Privacy Bills
Other pending privacy bills are narrower in scope but could affect a business’s practices in some circumstances. For example, the Wellness Program Privacy Act is intended to obligate employers and insurers to take certain steps to protect the security of wellness program participants’ private information and to limit the information’s use. An amendment to the Labor Law, entitled the Uniform Employee and Student Online Privacy Act, would prohibit employers and schools from requiring individuals to provide the sign-in credentials for their personal social media accounts as a condition of employment or enrollment. The Patient Privacy Protection Act would prohibit ex parte interviews of another party’s treating medical providers in personal injury litigation. The Protect Our Privacy Act would limit the use of drones for law enforcement purposes. An amendment to the Criminal Procedure Law is designed to protect the privacy of emergency personnel present at a crime scene as it relates to the discovery process. Finally, a proposed bill would create ethical guidelines governing the use of technology to screen, monitor, contact trace or otherwise respond to the COVID-19 emergency.
Outside New York
Of course, New York legislators are not the only ones concerned with consumer privacy rights and cybersecurity. California continues to lead with the enactment of the California Privacy Rights Act, which will amend and expand the already rigorous California Consumer Privacy Act. New Jersey, Minnesota and Washington have likewise proposed new privacy legislation this year. And, with the change of control in Congress, many privacy professionals not only anticipate but favor passage of a nationwide privacy standard. Federal regulation in this area would provide uniformity and predictability for businesses that provide products or services to consumers in more than one state.
While we cannot predict how the proposed legislation will change before passage, we can anticipate and preemptively address the bills’ common aspects. Regardless of the details, all of the proposals aim to create privacy rights intended to give each individual a measure of control over his or her personal information. Businesses will therefore likely be required to identify the categories of data in their possession and implement methods to disclose, delete and limit sharing of that data in response to consumers’ requests. To prepare, businesses should consider adopting the following measures now:
- Assess present data management practices, including what types of data the business collects, maintains and stores on individual consumers, the purpose for which the data is collected, where and how that data is kept, and whether and how it is shared;
- Assess whether the business actually needs to collect or maintain the personal data in its possession or whether it can reduce its risk by limiting its collection practices;
- Review and update existing policies or draft working policies concerning data management and classification, data retention and destruction policies, data sharing practices, third-party vendor practices and other practices that can impact the business’s handling of private consumer data and its ability to respond to consumer privacy rights requests in the future;
- Consider whether the business is presently in possession of consumer data that should be safely disposed of because the data has no continuing business purpose and is not otherwise required to be maintained by operation of law;
- Establish a privacy team responsible for establishing and updating privacy practices and responding to privacy issues. The team should include individuals from the C-suite, information technology and in-house or outside counsel.
These steps will enable businesses to respond more efficiently to any new consumer privacy legislation that is passed, regardless of the nuances in the final text.
- Shari Claire Lewis