New York Privacy Act Summary (S.6701)
General Summary
The New York Privacy Act would require companies to attain consent from consumers before
processing their personal data, and includes additional requirements for the handling, processing and
selling of personal data. The bill also provides for enforcement and a private right to action for
consumers.
• Notice: Controllers must post a public notice with information including consumer rights,
the categories of personal data being processed, the sources from which personal data is
collected, and the identity of each processor or third party to whom the controller discloses
personal data.
• Opt-in consent: Controllers must obtain opt-in consent from a consumer in order to process
personal data for any purpose or to make changes to the processing. The option for consent
must clearly identify the categories of data and processing purposes that are necessary to
provide the services or goods requested by the consumer, and those which are not. Targeted
advertising and the sale of personal data are not considered necessary to providing services.
The option to deny consent must be clearly presented, and a mechanism for a consumer to
withdraw consent must be provided. Controllers are prohibited from discriminating against
consumers who withhold consent by denying services or goods or charging a different price.
Consent shall be deemed withdrawn if control of the majority of assets changes ownership.
• Unfair, deceptive and abusive practices: Controllers may not engage in unfair, deceptive or
abusive practices in order to obtain consent, in the processing of personal data, or in regard
to a consumer’s exercise of rights under the New York Privacy Act.
• Right to access: Upon verified request of a consumer, controllers shall provide access to a
copy of any personal data requested and provide the identity of any processor or third party
to whom the controller gave access to the consumer’s data.
• Right to Correct: Controllers must conduct an investigation into data that a consumer
disputes. Any information found to be inaccurate must be corrected.
• Right to delete: Upon verified request of a consumer, a controller must delete all personal
data the controller possesses or controls. A consumer’s deletion of an online account must
be treated as a request for deletion, unless deleting data would hinder accounting functions
or other necessary business activities.
• Implementation of rights: Controllers must provide easily accessible and convenient means
for consumers to exercise their rights.
• Non-waiver: Any contract agreement that purports to waive or limit consumer rights is void
and unenforceable.
• Automated Decision-Making:
  • When a controller makes a decision based solely on automated processing that
  results in denial of services, the controller must disclose the automated process and allow
  the consumer to appeal the decision.
  • Automated decision-making processes must be assessed on an annual basis. The impact
  assessment must evaluate the design and training data used to develop the process and how the
  process was tested for accuracy, bias and discrimination, and must be completed by an
  outside auditor or researcher. All impact assessments must be made public.
• Duty of Care:
  • On an annual basis, controllers must conduct and document risk assessments of all current
  processing of personal data.
  • Controllers must develop and implement safeguards to protect the security of personal data,
  appropriate to the volume and nature of the personal data.
  • A controller that collects a consumer’s personal data shall limit its use and retention of that
  data to what is necessary to provide the service or good requested by a consumer, or for the
  purposes for which the consumer has provided opt-in consent.
• Agreements with Processors:
  • Before making any disclosure of personal data to a processor, a controller must enter into
  a written and signed contract with the processor, with requirements for the processor that
  include:
    • A duty of confidentiality; protection of data consistent with the New York Privacy
    Act requirement to process data only to the extent necessary to comply with the legal
    obligation to the controller; and a duty to delete or return all personal data to the
    controller at the controller’s direction.
  • Controllers may not agree to defend or hold a processor harmless for claims or liability
  arising from breach of contract.
• Controllers and Data Brokers (Page 16):
  • Controllers must annually provide the Attorney General a list of all the data brokers to
  which the controller provided personal data in the previous year, and controllers cannot sell
  personal data to brokers who are not registered with the Attorney General.
not considered consumer reporting agencies to the extent covered by the FCRA or financial institutions to
the extent covered by the Gramm-Leach-Bliley Act.
• Data brokers must annually register with the State Attorney General, and:
  • Pay a registration fee of $100 or as otherwise determined by the Attorney General.
  • Provide contact information.
  • Provide a statement describing the method for exercising consumer rights under the New York
  Privacy Act.
  • Provide a statement on whether the broker implements a purchaser credentialing process.
  • Provide any information the broker chooses regarding their collection methods.