At the start of 2023, the New York State legislature introduced several privacy-related bills.  One of those bills, S365, appears to be gaining momentum. It was reported and committed to the Internet and Technology Committee on April 25, was amended on May 18, and was further amended and recommitted to the Finance Committee on June 4. 

If it becomes law, S365 would require organizations to make disclosures regarding their data processing practices, impose limitations on sharing personal information, require data protection impact assessments in certain situations, and grant consumers an array of rights, including to access, correct, and/or delete their personal information. 

Among the other data privacy and security bills under consideration are the following:

  • A417 would restrict the disclosure of personal information and require that organizations make available to customers, free of charge, access to or copies of their personal information.
  •  A1366 would require advertising networks to post a clear and conspicuous notice on the home pages of their websites regarding their privacy policies and the data collection and use practices associated with their advertising delivery activities.
  •  S2277  would require any entity that conducts business in the state and maintains the personal information of 500 or more individuals to provide meaningful notice of their use of personal information. The law would also prohibit unlawful discriminatory practices relating to targeted advertising.
  • S3162, which would grant consumers the right to request that organizations disclose the categories of any specific personal information they collect, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Along with this flurry of legislative activity, State enforcement agencies have, in recent months, announced several notable data breach settlements.  For instance, lender and mortgage servicer OneMain agreed to pay $4.25M to resolve a New York State Department of Financial Services enforcement action and healthcare professional services provider PracticeFirst agreed to pay $550,000 – and to implement a variety of measures to bolster its data security program – to resolve an enforcement action by the State Attorney General.     

As is evident from the above, organizations that collect and process personal information related to New York residents need to be proactive in managing their data privacy and security risk.  The web of compliance obligations in this space is expanding quickly and the consequences of non-compliance are becoming more and more significant.

Jackson Lewis will continue to monitor the fast-changing landscape in New York and similar developments across the country and internationally.  If you have questions about New York’s proposed legislation or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.