The ongoing state competition to enact comprehensive privacy legislation, triggered by the enactment of the 2018 California Consumer Privacy Act, is heating up in 2021. We recently posted on the Virginia developments, but the Commonwealth of Virginia is not alone.

New York was closely watched in privacy circles last year, as approximately 30 privacy bills had been introduced and were discussed during the 2019-2020 session. None of the bills were enacted but state legislators clearly are not giving up.

More than 50 privacy bills have already been introduced in New York this year for consideration during the 2021-2022 session. We have already posted on the New York Biometric Bill, which is very similar to the Illinois Biometric Information Privacy Act (“BIPA”) and includes a private right of action.

The two New York bills that have garnered the greatest attention may be described as comprehensive privacy bills: S567 (and its Assembly mirror bill A3709), and A680 which would enact the New York Privacy Act.

S567 includes rights fairly similar to those established by the California Consumer Privacy Act (e.g., disclosures of the categories and specific pieces of personal information collected, purposes for collecting or selling, and the categories of third parties with which the information is shared).

A680 goes even further by granting individuals additional rights (such as the right to rectification and deletion). It also requires companies to disclose their methods of de-identifying personal information and places special safeguards around data sharing. In addition, A680 would create a new office of privacy and data protection and re-introduce the concept of “data fiduciary” from previous bills. This would require “every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, [to] . . . exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and [to] . . . act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”

Likewise, A3586 (together with its Senate counterpart, S4021), which would become the “It’s Your Data Act,” takes a relatively holistic approach to privacy by providing protections and transparency in regard to the collection, use, retention, and sharing of personal information.

There are many other bills that cover a variety of topics. Examples include:

  • A687, which imposes requirements for the collection and use of emergency health data and personal information and the use of technology to aid during the COVID-19 public health emergency.
  • A733, which requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.
  • A768, which prohibits the use of facial recognition and biometric information as the sole factor in determining the existence of probable cause to place in custody or arrest an individual.
  • A940 (and its Senate counterpart S685), which relate to automatic license plate readers (ALPRs) and set out when the use of ALPR systems is allowable and the transparency and retention requirements that would apply to them.
  • S3003, which creates a private right of action for the breach of certain consumer’s identifying information.
  • A405 (and its Senate counterpart S2886), which would require advertising networks to provide transparency through notices about their data use practices related to advertising delivery activities.
  • A3119 (and its Senate counterpart S3674), which would require persons or businesses that suffer a breach to offer free identity theft prevention and mitigation services.
  • A400 (and its Senate counterpart S1349), providing for a right of access and imposing an obligation to disclose “[t]he names and contact information of all of the third parties that received the customer’s personal information from the business.”

We will provide further updates as developments unfold in New York. Watch this space!