California Consumer Privacy Act-like regulations may be coming to a New York business near you. State lawmakers have reintroduced two key pieces of data privacy legislation for the new session.

New York state’s “do not sell my personal information” bill was reintroduced in the Senate and referred to the Senate Consumer Protection Committee.

The bill has many similarities to CCPA, including that it:

  • Requires businesses to disclose collection of information
  • Requires businesses to disclose the categories of personal information sold and the identity of the third parties to whom it was sold.
  • Gives individuals the right to opt out of such sale.
  • Requires businesses to provide two methods for submitting the requests (website and toll free phone number).
  • Requires a “do not sell my personal information link” on the homepage.

In addition, the bill:

  • Provides a private right of action to individuals.
  • Allows cities and counties to set additional (higher) requirements.
  • Requires the New York Attorney General to set forth regulations on a number of topics.

At the same time, the New York Privacy Act was reintroduced in the New York State Assembly and referred to the Assembly Committee on Consumer Affairs and Protection.

This bill also has some similarities to CCPA and contains General Data Protection Regulation concepts like objection to processing, rectification of inaccurate information and limitations on automated decisions based on profiling.

In addition, the bill:

  • Creates a concept of “data fiduciary” and prohibits a business from using, processing or transferring to a third party the personal data of consumers without the consumer’s express and documented consent.
  • Requires businesses to exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data.
  • Prohibits a business from using personal data or data derived from it in any way that will benefit the service provider to the detriment of the consumer.
  • Requires a business to take steps, including periodic auditing, to ensure that the parties with whom it shares personal data also fulfill the duties of care, loyalty and confidentiality.
  • Contains a detailed definition of “privacy risk.”
  • Addresses the situation where there are multiple controllers and the allocation of liability among them.