It’s six days into the new year and we already have four new comprehensive privacy bills from: New York, Kentucky, Tennessee and Oklahoma.

There are a lot of moving pieces here and you can go cross-eyed trying to comply with all the proposed rules. Still, here are some of the highlights from the New York bill.

  • The preamble to the New York bill reads: “Privacy is a fundamental right and an essential element of freedom; we need to do something about non transparency privacy notices and give NY consumers more control over their data and digital privacy.”
  • On the heels of the Data Protection Commission Ireland’s 390 million Euro Meta decision on the scope of contractual necessity, the New York bill says, “Targeted advertising and sale of personal data shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”
  • New York is adopting the de-identification formulation of CPRA with the steps you need to take (policies, undertakings, etc.). This seems to now be the standard for the U.S. definition of de-identification, even though it is different from, and arguably stricter than, GDPR.
  • Uses GDPR terminology (controller, processor, personal data) and concepts (data minimization and retention limitation).
  • “Sale” is defined as in California and Colorado: monetary or other valuable consideration. The “sale” concept also seems here to stay.
  • Similar definition of sensitive data, and specifically includes genetic and biometric data and precise geolocation.
  • The jurisdiction threshold is similar to California’s, with revenue or number-of-records thresholds.
  • Carve-outs are data based (NPI and PHI), not entity based. The employee carve-out is narrower: “data maintained as employment records, for purposes other than sale.”
  • GDPR-like opt-in for processing sensitive data (with some exceptions), with detailed requirements that echo the EDPB and EU supervisory authorities on what consent looks like (including a “reject” option at the top layer).
  • New York has specific requirements regarding automated decision making, including providing an avenue to appeal the decisions and a required assessment of whether the automated decision making system produces discriminatory results.
  • Consumer rights include detailed disclosure requirements, the right to opt out of sale and of certain profiling and targeted advertising, a requirement to recognize user-enabled privacy controls, the right to access, the right to delete, the right to data portability, and non-discrimination.
  • Requirements for a data protection impact assessment with an expansive list of triggers including: (i) processing that may benefit the controller to the detriment of the consumer; (ii) processing that would be unexpected and highly offensive to a reasonable consumer; (iii) processing personal data for purposes of targeted advertising; (iv) sale of personal data; (v) processing sensitive data; and (vi) processing of personal data for purposes of profiling (in certain cases).
  • Duty of loyalty: requirement to notify the consumer, or class of consumers, of the interest that may be harmed in advance of requesting consent, and as close in time to the processing as practicable, where it is reasonably foreseeable to the controller that a process presents a heightened risk of harm to the consumer or class of consumers.
  • Requirements for reasonable information security safeguards.
  • Requirements for agreements with processors / third parties.
  • Specific requirements for data brokers (including registration).
  • Multiple violations: Each instance of unlawful processing counts as a separate violation. Unlawful processing of the personal data of more than one consumer counts as a separate violation, as to each consumer. Each provision of this article that is violated counts as a separate violation.
  • Private right of action for violations of the right to opt out, rights regarding sensitive data, automated decision making, and responding to consumer requests.