New York Privacy Act Summary (S.6701)

FROM: Ostroff Associates

DATE: May 13, 2021

RE: New York Privacy Act: S.6701 (Thomas)

General Summary

The New York Privacy Act would require companies to obtain consent from consumers before processing their personal data, and includes additional requirements for the handling, processing and selling of personal data. The bill also provides for enforcement and a private right of action for consumers.

Applicability (Pages 4-6)

• The New York Privacy Act applies to businesses that conduct business in New York and either:
    • Have an annual gross revenue of $25 million or more;
    • Control or process data on 25,000 or more consumers; or
    • Derive over 50% of gross revenue from the sale of personal data, and control or process personal data on 25,000 or more consumers.
• The act does not apply to:
    • State and local governments.
    • Personal data required pursuant to the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, HIPAA, the Health Information Technology for Economic and Clinical Health Act, the Health Care Quality Improvement Act and other healthcare-related data.
    • Data collected as part of human subject research.
    • Data processed for product registration under the FDA.
    • Any activity involving the collection, maintenance, disclosure, sale, communication or use of any personal data bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, or mode of living by a consumer reporting agency that provides information for use in a consumer report as defined under the Fair Credit Reporting Act (FCRA), to the extent such activity is subject to regulation under the FCRA and the data is not collected, maintained, used, communicated, disclosed or sold except as authorized by the FCRA.

Consumer Rights (§1102) (Pages 6-12)

Controllers are defined as the people who determine the purposes and means of the processing of personal data.

• Notice: Controllers must post a public notice with information including consumer rights, the categories of personal data being processed, the sources from which personal data is collected, and the identity of each processor or third party to whom the controller discloses personal data.
• Opt-in consent: Controllers must obtain opt-in consent from a consumer in order to process personal data for any purpose or to make changes to the processing. The option for consent must clearly identify the categories of data and processing purposes that are necessary to provide the services or goods requested by the consumer, and those which are not. Targeted advertising and the sale of personal data are not considered necessary to providing services. The option to deny consent must be clearly presented, and a mechanism for a consumer to withdraw consent must be provided. Controllers are prohibited from discriminating against consumers who withhold consent by denying services or goods or charging a different price. Consent is deemed withdrawn if control of the majority of assets changes ownership.
• Unfair, deceptive and abusive practices: Controllers may not engage in unfair, deceptive or abusive practices in order to obtain consent, in the processing of personal data, or in regard to a consumer’s exercise of rights under the New York Privacy Act.
• Right to access: Upon verified request of a consumer, controllers shall provide access to a copy of any personal data requested and provide the identity of any processor or third party to whom the controller gave access to the consumer’s data.
• Right to correct: Controllers must investigate data that a consumer disputes. Any information found to be inaccurate must be corrected.
• Right to delete: Upon verified request of a consumer, a controller must delete all personal data the controller possesses or controls. A consumer’s deletion of an online account must be treated as a request for deletion, unless deleting the data would hinder accounting functions or other necessary business activities.
• Implementation of rights: Controllers must provide easily accessible and convenient means for consumers to exercise their rights.
• Non-waiver: Any contract or agreement that purports to waive or limit consumer rights is void and unenforceable.
• Automated decision-making:
    • When a controller makes a decision based solely on automated processing that results in denial of services, the controller must disclose the automated process and allow the consumer to appeal the decision.
    • Automated decision-making processes must be assessed on an annual basis. The impact assessment must evaluate the design and training data used to develop the process and how the process was tested for accuracy, bias and discrimination, and must be completed by an outside auditor or researcher. All impact assessments must be made public.

Controller Responsibilities (§1103) (Pages 12-15)

• Duty of Loyalty:
    • Where it is “reasonably foreseeable” to a controller that processing will be against a consumer’s physical, financial, psychological, or reputational interests, the controller must notify the consumer in advance, unless the processing is required by law or protects against criminal activity.
• Duty of Care:
    • On an annual basis, controllers must conduct and document risk assessments of all current processing of personal data.
    • Controllers must develop and implement safeguards to protect the security of personal data, appropriate to the volume and nature of the personal data.
    • A controller that collects a consumer’s personal data shall limit its use and retention of that data to what is necessary to provide the service or good requested by the consumer, or for the purposes for which the consumer has provided opt-in consent.
• Agreements with Processors:
    • Before disclosing any personal data to a processor, a controller must enter into a written and signed contract with the processor that imposes requirements on the processor including:
        • A duty of confidentiality; protection of data consistent with the New York Privacy Act; a requirement to process data only to the extent necessary to meet its legal obligations to the controller; and a duty to delete or return all personal data to the controller at the controller’s direction.
    • Controllers may not agree to defend or hold a processor harmless for claims or liability arising from breach of contract.
• Controllers and Data Brokers (Page 16):
    • Controllers must annually provide the Attorney General with a list of all data brokers to which the controller provided personal data in the previous year, and controllers may not sell personal data to brokers that are not registered with the Attorney General.

Processor Responsibilities (§1103) (Page 15)

A processor is defined as a person that processes data on behalf of the controller.

• Processors are not required to comply with a request from a consumer to the extent the processor has processed the consumer’s data solely in its role as a processor for the controller.
• Processors must review their activities for circumstances that may have altered their ability to identify a specific natural person, and update their classifications of data accordingly.
• Processors shall not sell personal data unless on behalf of the controller pursuant to their agreement.

Third Party Responsibilities (§1103) (Pages 15-16)

A third party is defined as a person, public authority, agency or body other than the consumer, processor or controller. A third party may also be a controller if it determines the purposes and means of processing personal data.

• Third parties may only process data to the extent their agreement with the controller allows.
• Third parties may only process personal data for the purposes for which opt-in consent has been given.
• Third parties must comply with the obligations of controllers if the third party becomes a controller.

Data Broker Responsibilities (§1104) (Pages 16-17)

Data brokers are defined as units of a legal entity that do business in New York State and knowingly collect and sell the personal data of consumers with whom they do not have a direct relationship. Data brokers are not considered consumer reporting agencies to the extent covered by the FCRA, or financial institutions to the extent covered by the Gramm-Leach-Bliley Act.

• Data brokers must annually register with the State Attorney General, and:
    • Pay a registration fee of $100, or as otherwise determined by the Attorney General.
    • Provide contact information.
    • Provide a statement describing the method for exercising consumer rights under the New York Privacy Act.
    • Provide a statement on whether the broker implements a purchaser credentialing process.
    • Provide any information the broker chooses regarding its collection methods.

Enforcement and Private Right of Action (§1106) (Pages 18-19)

• The Attorney General can bring action for violation of the New York Privacy Act on behalf of the people of the State of New York.
• Any action brought by the AG must commence within six years.
• Each instance of unlawful processing counts as a separate violation.
• Any consumer injured by a violation of section 1102 (consumer rights) of the New York Privacy Act may bring action in their own name to recover damages or $1,000, whichever is greater. The court may also award reasonable attorney fees to a prevailing plaintiff.
• The AG may promulgate rules and regulations to carry out the provisions of this act.

Effective Date (Page 20)

This act takes effect immediately; however, sections 1101, 1102, 1103, 1105, 1106 and 1107 take effect on January 1st, 2022.