December 1, 2022

Volume XII, Number 335


December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

November 28, 2022

Subscribe to Latest Legal News and Analysis

Off to the Races: Over 50 Privacy Bills Introduced in the State of New York

The on-going state competition to enact comprehensive privacy legislation, triggered by the enactment of the 2018 California Consumer Privacy Act, is heating up in 2021. We recently wrote a post on the recent Virginia developments, but the Commonwealth of Virginia is not alone.

New York was closely watched in privacy circles last year, as approximately 30 privacy bills had been introduced and were discussed during the 2019-2020 session. None of the bills were enacted but state legislators clearly are not giving up.

More than 50 privacy bills have already been introduced in New York this year for consideration during the 2021-2022 session. We have already posted on the New York Biometric Bill, which is very similar to the Illinois Biometric Information Privacy Act (“BIPA”) and includes a private right of action.

The two New York bills that have garnered the greatest attention may be described as comprehensive privacy bills: S567 (and its Assembly mirror bill A3709), and A680 which would enact the New York Privacy Act.

S567 includes rights fairly similar to those established by the California Consumer Privacy Act (e.g., disclosures of the categories and specific pieces of personal information collected, purposes for collecting or selling, and the categories of third parties with which the information is shared).

A680 goes even further by granting individuals additional rights (such as the right to rectification and deletion).  It also requires companies to disclose their methods of de-identifying personal information and places special safeguards around data sharing. In addition, A680 would create a new office of privacy and data protection and re-introduce the concept of “data fiduciary” from previous bills.  This would require “every legal entity, or any affiliate of such entity, and every controller and data  broker,  which collects, sells or licenses personal information of consumers, [to] . . . exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and [to] . . . act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”

Likewise, A3586 (together with its Senate counterpart, S4021), which would become the “It’s Your Data Act,” takes a relatively holistic approach to privacy by providing protections and transparency in regard to the collection, use, retention, and sharing of personal information.

There are many others bills that cover a variety of topics. Examples include:

  • A687, which imposes requirements for the collection and use of emergency health data and personal information and the use of technology to aid during the COVID-19 public health emergency.
  • A733, which requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.
  • A768, which prohibits the use of facial recognition and biometric information as the sole factor in determining the existence of probable cause to place in custody or arrest an individual.
  • A940 (and its Senate counterpart S685), which relate to automatic license plate readers (ALPRs) and sets out when the use of ALPR systems is allowable and the transparency and retention requirements that would apply to them.
  • S3003, which creates a private right of action for the breach of certain consumer’s identifying information.
  • A405 (and its Senate counterpart S2886), which would require advertising network to provide transparency through notices about their data use practices related to advertising delivery activities.
  • A3119 (and its Senate counterpart S3674), which would require persons or business that suffer a breach to offer free identity theft prevention and mitigation services.
  • A400 (and its Senate counterpart S1349), providing for a right of access and imposing an obligation to disclose “[t]he names and contact information of all of the third parties that received the customer’s personal information from the business.”

We will provide further updates as developments unfold in New York.  

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 55

About this Author

Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Ann J. LaFrance Data Privacy & Cybersecurity Attorney Squire Patton Boggs New York, NY & Washington DC

Ann LaFrance co-chairs the firm’s global Data Privacy & Cybersecurity Practice and is a senior member of the international Communications Practice.

In addition to advising clients on national and cross-border data privacy and cybersecurity matters, Ann has experience counselling clients on a broad range of legal and regulatory issues affecting the provision of internet and digital services, as well as advanced technologies. She has particular expertise advising on issues of concern to technology, media and telecommunications companies and she frequently serves as an adviser to...