Does this jurisdiction have laws specifically governing personal data?
The key data protection principles in this jurisdiction are:
The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.
A covered business will be deemed to be in compliance with the SHIELD Act’s data security requirement if the business implements a data security program that includes reasonable administrative, technical and physical safeguards, such as:
- Reasonable administrative safeguards:(1) designating one or more employees to coordinate the security program; (2) identifying reasonably foreseeable internal and external risks; (3) assessing the sufficiency of safeguards in place to control the identified risks; (4) training and managing employees in the security program practices and procedures; (5) selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract; and (6) adjusting the security program in light of business changes or new circumstances.
- Reasonable technical safeguards:(1) assessing risks in network and software design; (2) assessing risks in information processing, transmission and storage; (3) detecting, preventing and responding to attacks or system failures; and (4) regularly testing and monitoring the effectiveness of key controls, systems and procedures
- Reasonable physical safeguards: (1) assessing risks of information storage and disposal; (2) detecting, preventing and responding to intrusions; (3) protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
The supervisory authority / regulator in charge of data protection is:
New York Office of the Attorney General;
Is there a requirement to register with a supervisory authority / regulator?
No registration required.
Is there a requirement to notify the supervisory authority / regulator?
No notification is required.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
NY residents have a right to know when a security breach has resulted in the exposure of their private information.
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Notification should be made to the affected individuals via written notice, electronic notice, telephone notice, or substitute notice.
If any New York residents are to be notified, the person or state entity required to give such notice also must notify the Attorney General, the Department of State, in the case of persons the Division of State Police and, in the case of state agencies, the Office of Information Technology Services as to the timing, content, and distribution of the notices and approximate number of affected persons, without delaying notice to affected residents.
In the event that more than 5,000 NY residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons.
The following restrictions apply to the international transfer of personal data / information:
No, NY does not restrict the transfer of personal data out of the j zurisdiction.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the data protection laws are for the protection of NY residents. If organizations outside of NY collect data for NY residents, those organizations are obligated to comply with NY’s data protection and data breach notification laws with respect to NY residents.
The following rules specifically deal with marketing:
New York’s Nuisance Call Act requires telemarketers to inform consumers that they may be added to the seller’s internal do-not-call list. This law applies to calls made to consumers located within the state. If a consumer chooses to be placed on the company do-not-call list, the telemarketer must immediately end the call and add the number to the company’s internal do-not-call list to prevent future calls.
The NYNC Act restricts the sharing of customer data by requiring telemarketers and sellers to obtain a consumer’s “express agreement,” in writing or electronic format, before transmitting, sharing, or otherwise making available any customer’s contact information, including name, telephone number, or email address, unless such disclosure is required by law or under a lawful subpoena or court order.
Unsolicited telemarketing calls to NY residents are prohibited during a state of emergency.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
No special rules, defer to federal law: CAN-SPAM, TCPA etc.
The following rules specifically deal with cookies:
No special rules.
The consequences of non compliance with data protections laws (including marketing laws) are:
The penalty for violations of New York’s telemarketing restrictions cannot exceed $11,000 per violation.
Covered businesses under the SHIELD Act may be liable for a civil penalty of up to $5,000 dollars per violation.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Not at this time.
Multinational organisations should be aware of the following upcoming data protection developments:
Yes, New York Privacy Act is in committee. NYPA follows California’s CCPA and CPRA by providing a number of consumer rights (right of access, rectification, deletion, restriction, portability, opt-out, right against automated decision making, private right of action). As drafted, it would also obligate businesses to have a privacy notice and data processing would be limited to the purpose for which the data was collected.