Polsinelli PC

 

What law(s) specifically govern personal data / information?

Yes.

New York has not enacted a comprehensive data privacy law to date. However, it has enacted various statutes that regulate the processing of personal data in particular contexts. For example, §§50 and 51 under Article 5 of the Civil Rights Law of the Consolidated Laws of New York (N.Y. C.V.R. Law) provide a limited right of privacy where a person or business uses another person's name, portrait, picture, or voice for advertising or trade purposes without first obtaining written consent. Such violations are misdemeanors under New York law.

New York has also enacted numerous laws that regulate the privacy of health-related information. 

In the financial sector, financial services and insurance companies operating in New York are required to comply with the New York Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR Part 500), which imposes strict requirements on the security controls used to protect personal data.

In the employment sector, §203-D of Article 7 of the Labor Law of the Consolidated Laws of New York (N.Y. L.A.B. Law) imposes a duty on employers to prevent the unlawful disclosure of their employees' personal information, and places specific limitations on the use of Social Security numbers. 

In addition, Senate Bill 2628 (codified at Civil Rights Law §52-c) requires private sector employers to give all employees notice of their electronic monitoring practices upon hiring and to obtain the employee's written or electronic acknowledgment of that notice.

Notably, in July 2023 the New York City Department of Consumer and Worker Protection (DCWP) began enforcing Local Law 144 on automated employment decision tools (AEDTs) (the “Law on AEDTs”). The Law on AEDTs applies to employers and employment agencies that use an AEDT in New York City, requires that an independent bias audit be conducted before the tool is used (with a summary of the audit results made publicly available), and requires covered employers/agencies to notify job candidates who are New York City residents that an AEDT was used.

New York also has an education privacy law (Education Law §2-d) that protects student information beyond the protections afforded under the federal Family Educational Rights and Privacy Act of 1974 (FERPA).

 

What are the key data protection principles in this jurisdiction?

The SHIELD Act (General Business Law §899-bb) requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

A covered business will be deemed to be in compliance with the SHIELD Act’s data security requirement if the business implements a data security program that includes reasonable administrative, technical and physical safeguards, such as:

Reasonable administrative safeguards: (1) designating one or more employees to coordinate the security program; (2) identifying reasonably foreseeable internal and external risks; (3) assessing the sufficiency of safeguards in place to control the identified risks; (4) training and managing employees in the security program practices and procedures; (5) selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and (6) adjusting the security program in light of business changes or new circumstances.

Reasonable technical safeguards: (1) assessing risks in network and software design; (2) assessing risks in information processing, transmission and storage; (3) detecting, preventing and responding to attacks or system failures; and (4) regularly testing and monitoring the effectiveness of key controls, systems and procedures.

Reasonable physical safeguards: (1) assessing risks of information storage and disposal; (2) detecting, preventing and responding to intrusions; (3) protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

 

What is the supervisory authority / regulator in charge of data protection?

New York Office of the Attorney General.

 

Is there a requirement to register with a supervisory authority / regulator?

Registration is not required.

 

Is there a requirement to notify the supervisory authority / regulator?

Notification is not required.

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

NY residents have a right to know when a security breach has resulted in the exposure of their private information.

Under the Law on AEDTs, job candidates who are New York City residents are entitled to receive notice that the employer or employment agency used an AEDT in the hiring process.

Under New York City’s biometric identifier information law (N.Y.C. Admin. Code §22-1201 et seq.), commercial establishments that collect biometric identifier information from customers must notify them of their collection practices by posting a conspicuous notice near all customer entrances.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

No.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes. Any person or business that conducts business in New York State and owns or licenses computerized data that includes private information must disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of New York State whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

Notification should be made to the affected individuals via written notice, electronic notice, telephone notice, or substitute notice.

If any New York residents are to be notified, the person or business required to give such notice must also notify the Attorney General, the Department of State and the Division of State Police (and, in the case of state entities, the Office of Information Technology Services) as to the timing, content and distribution of the notices and the approximate number of affected persons, without delaying notice to affected residents.

In the event that more than 5,000 NY residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons.

 

What restrictions apply to the international transfer of personal data / information?

None. New York does not restrict the transfer of personal data out of the jurisdiction.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes. The data protection laws exist for the protection of NY residents. If organizations outside of NY collect data about NY residents, those organizations must comply with NY’s data protection and data breach notification laws with respect to those residents.

 

What rules specifically deal with marketing?

Yes. New York’s Nuisance Call Act requires telemarketers to inform consumers that they may be added to the seller’s internal do-not-call list. This law applies to calls made to consumers located within the state. If a consumer chooses to be placed on the company do-not-call list, the telemarketer must immediately end the call and add the number to the company’s internal do-not-call list to prevent future calls.

The Nuisance Call Act also restricts the sharing of customer data by requiring telemarketers and sellers to obtain a consumer’s “express agreement,” in writing or electronic format, before transmitting, sharing, or otherwise making available any customer’s contact information, including name, telephone number, or email address, unless such disclosure is required by law or under a lawful subpoena or court order.

Unsolicited telemarketing calls to NY residents are prohibited during a state of emergency.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

None at the state level; electronic marketing is governed by federal law (CAN-SPAM, the TCPA, etc.).

 

What rules specifically deal with cookies?

No.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

The penalty for violations of New York’s telemarketing restrictions cannot exceed USD 11,000 per violation.

Covered businesses under the SHIELD Act may be liable for a civil penalty of up to USD 5,000 per violation.

Penalties for violating Senate Bill 2628 are a maximum of USD 500 for a first offense, USD 1,000 for a second offense and USD 3,000 for each subsequent offense.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Not at this time.

 

What upcoming data protection developments should multinational organisations be aware of?

Yes. Numerous bills addressing privacy have been introduced, including the New York Privacy Act, a comprehensive privacy bill similar to California’s CCPA. In January 2025, the New York Assembly approved Senate Bill S929, which addresses privacy concerns for health data that is not regulated by HIPAA. If enacted, the bill would require businesses that collect or sell health data to disclose how such data is used, and would require consent and/or a designated purpose to process such data. The bill would also give individuals certain rights with respect to their data, including access and deletion. As of the date this survey was last updated, the bill was pending the New York Governor’s signature.

 

Need more information?
Contact a member firm:
Elizabeth (Liz) Harding
Polsinelli
USA - New York


Greg Leighton
Polsinelli
USA - New York


Bari Rascoe
Polsinelli
USA - New York