A680 titled the New York Privacy Act has been introduced into the New York State Assembly. The bill is sponsored by Assemblywoman Rosenthal (D-District 67). 

The proposed bill seeks to enact the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. Furthermore the proposed bill creates a special account to fund a new office of privacy and data protection.  

While the bill has echoes of Europe’s General Data Protection Regulation consent requirements, this bill takes a hard line approach on the subject which requires consent for all   processing activities and third-party disclosures, with no exceptions, the proposed bill as currently written raises significant concerns with how businesses would realistically be able to comply with the proposal’s requirements. 

Penalties are very strong under this proposal as seen below:

The attorney general may bring an action in the name of the state,or as parens patriae on behalf of persons  residing  in  the  state,  to enforce this article.

In addition to any right of action granted to any governmental body pursuant to this section, any person who has been injured by reason of a violation  of this article may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her  actual  damages,  or both  such  actions. The court may award reasonable attorney's fees to a prevailing plaintiff.

Any controller or processor who violates this article is subject to an injunction and liable for damages and a civil penalty. When calculating damages and civil penalties, the court shall consider the number  of affected  individuals,  the  severity of the violation, and the size and revenues of the covered entity. Each individual  whose  information  was unlawfully  processed  counts as a separate violation. Each provision of this article that was violated counts as a separate violation.

Privacy is a hotly trending topic that is showing now signs of slowing down. Bills like this one will require significant work as it makes its way through the legislature in order for New York to achieve consumer protection while enacting a workable law that businesses will be able to comply with. 

We at Lanton Law can help. Our legal and lobbying tools can help offer your organization a clear path forward to navigate what will be changing policies for healthcare, technology and clean energy stakeholders. We are a D.C. based firm with no state boundaries as we are active nationwide. Contact us today to discuss your options.  

The New York State legislature has introduced Assembly Bill 27, which seeks to make New York the fourth state to enact a biometric privacy law. If successful it will be the second state that will allow consumers a private right of action to see companies for improper data handling. 

New York is definitely taking its cue from Illinois, as that state became the first to require businesses to collect biometric data to provide notice and obtain the owner’s written consent prior to using this information. We have written about the Illinois Information Privacy Act or (BIPA) in a previous post. 

The New York proposal seeks to do the following: 

Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first. 

New York has enacted facial recognition laws in the past. In December 2020 Governor Cuomo released a press statement where he signed A6787-D/S5140-B into law that suspended “the use of facial recognition technology and other kinds of biometric technology in schools, directing a study of whether its use is appropriate in schools and issuing recommendations. The legislation places a moratorium on schools purchasing and using biometric identifying technology until at least July 1, 2022 or until the report is completed and the State Education Commissioner authorizes its use, whichever occurs later. It applies to both public and private schools in New York State.” 

Proposed Assembly Bill 27 shows that New York will continue to press forward in this area and will likely inspire other states. If you are a biometric, Health IT/digital health or technology stakeholder, your interests will be impacted.    

Lanton Law is a national boutique law and lobbying firm that focuses on healthcare/life sciences and technology. Contact us today to learn about your organization’s options to prepare for additional regulatory oversight.