New York Privacy Act Update: Bill Out of Committee, Moves to Full Senate

May 21, 2021

Click for PDF

On May 18, 2021, the New York Privacy Act (“NYPA”) passed out of the New York Senate Consumer Protection Committee.[1]  Senator Kevin Thomas previously introduced a version of this bill in the 2019-2020 legislative session, but this is the first time that the bill—or any comprehensive privacy bill in New York—has made it out of committee.  In addition to needing the approval of the majority of the full senate, the bill must progress in the New York Assembly before it is enacted.  If the NYPA is enacted, it would be the third comprehensive state privacy law in the United States following the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”), the latter of which was signed into law earlier this year and goes into effect in January 2023.  While the New York Privacy Act shares similarities with its counterparts in California and Virginia, such as prohibiting discrimination against consumers that exercise their rights under the laws, the NYPA is substantially broader.[2]  If the NYPA is signed into law, many companies doing business in New York will need to assess their compliance and may need to modify their compliance efforts and collection and use of consumer personal information.

The NYPA’s broad jurisdictional mandate applies to any entity that “conduct[s] business in New York or produce[s] products or services that are targeted to residents of New York,” and that (1) has annual gross revenue of $25 million or more, (2) controls or processes the personal data of at least 100,000 New York consumers, (3) controls or processes the personal data of at least 500,000 individuals nationwide and 10,000 New York consumers, or (4) derives over 50% of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 New York consumers.[3]  Just like the CCPA and VCDPA do not define  “doing” or “conduct[ing]” business in California or Virginia, the NYPA does not define “conduct[ing] business in New York.”  It seems likely that the NYPA will apply to for-profit and business-to-business companies that interact with New York residents, or process personal data of New York residents on a relatively large scale.  Like the CCPA, the NYPA would exempt a list of enumerated data types, including data already subject to certain laws and regulations, like the Gramm-Leach-Bliley Act (“GLBA”).[4]

The cornerstone of the NYPA is the creation of an expansive consumer “bill of rights,” which contains similar rights as enacted in California and Virginia, but also goes further to give unprecedented rights to consumers.  Similar to the California and Virginia laws, consumer rights under the NYPA include the right to know the categories of personal data collected, and purposes of such categories; the right to access, correct, and delete their personal information; the right to data portability; and anti-discrimination rights.[5]  Unlike the California and Virginia laws, which provide consumers with the right to opt out of certain data selling, sharing, and/or processing, under the NYPA data controllers must obtain opt-in consent before processing personal data or “mak[ing] any changes in the processing or processing purpose,” such as using “less protective” methods of collection.[6]

The NYPA would also go further in codifying the concept of a “data fiduciary.”  This concept would prevent controllers from using consumers’ personal information in a way that would harm them—that is, in a manner against a consumer’s physical, financial, psychological, or reputational interests.  As a data fiduciary, a controller would be required pursuant the NYPA’s duty of loyalty to notify consumers about data processing foreseeably adverse to their interests and prohibit controllers from engaging in “unfair, deceptive, or abusive…practices with respect to obtaining consumer consent.”[7]  Complying with the NYPA’s duty of care would require implementing certain practices, such as annual risk assessments and reasonable safeguards to protect personal data.[8]  The bill’s consumer focus also extends to authorizing a broad private right of action for violations of any of these consumer rights—unlike the California laws, which provide for a narrow private right of action, and the Virginia law, which provides for no private right of action at all.[9]  The Attorney General also has authority to enforce the law.  Finally, the Virginia and California laws provide the opportunity to cure violations before enforcement, which is not explicitly provided for in the NYPA.[10]

The NYPA would create an even broader comprehensive privacy regime than its counterparts in Virginia and California.  If the NYPA is enacted, it would mandate yet another privacy regime in the United States and pose additional challenges as businesses attempt to navigate this already complex environment.  Gibson Dunn is tracking this bill through the end of the legislative session, and will continue to monitor developments in New York and nationwide.


   [1]   Senate Bill No. 6701.

   [2]   Compare id. § 1103(1)(C) with Cal. Civ. Code § 1798.125 (as amended by California Consumer Privacy Rights and Enforcement Act on November 3, 2020) and Virginia Consumer Data Protection Act, S.B. 1392 § 59.1-574(A)(4).

   [3]   Senate Bill No. 6701 § 1101.

   [4]   Id. § 1101(2).

   [5]   Id. § 1102–1103.

   [6]   Id. § 1102(2).

   [7]   Id. § 1103(1)(A).

   [8]   Id. § 1103(1)(B).

   [9]   Compare id. § 1106 with Cal. Civ. Code § 1798.150 and S.B. 1392 § 59.1-579(C).

  [10]   See, e.g., Cal. Civ. Code § 1798.199.45; S.B. 1392 § 59.1-579(B).

This alert was prepared by Alexander H. Southwell, Mylan L. Denerstein, Amanda M. Aycock, Jennifer Katz and Lisa V. Zivkovic.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments.  Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Privacy, Cybersecurity and Data Innovation practice group, or the following authors:

Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Mylan L. Denerstein – Co-Chair, Public Policy Practice (+1 212-351-3850, [email protected])

Privacy, Cybersecurity and Data Innovation Group:

United States
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Robert K. Hur – Washington, D.C. (+1 202-887-3674, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])

Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])

Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.