New York Considers Consumer Data Protection Law Similar to Those in California and Virginia

As the collection of personal information is increasingly part of doing business in the United States and abroad, a growing number of states are passing privacy laws in an effort to protect individuals’ personal data. For example, the California Consumer Privacy Act (CCPA) is a comprehensive privacy law that covers a wide variety of businesses that handle personal information. Virginia also recently passed its own comprehensive privacy legislation, and New York, Washington and other states are considering similar measures.

Will your business be affected?

Organizations that control or process personal data, whether on a local or multi-state or multi-national level, will need to review the applicable laws and make any necessary updates to privacy practices. Depending on the state where personal information is being collected and processed, companies may be required to conduct a “data protection assessment,” refrain from processing “sensitive data” in the absence of opt-in consent, and have a contract between data controllers and data processors.

Since New York is considering legislation that is similar to the CCPA and the European Union’s General Data Protection Regulation (GDPR), it behooves organizations in New York to familiarize themselves with those laws’ requirements, which include:

1. Make multiple disclosures about how and why your organization processes and discloses personal data.
2. Have in your organization’s privacy policy a statement on consumer “opt out” rights in certain circumstances.
3. Use reasonable data security practices.
4. Refrain from collecting or processing personal data unnecessarily or discriminating against consumers in any state for exercising their legal data rights.
5. Conduct impact assessments for covered data processing activities.
6. Include data privacy terms in your organization’s relevant vendor contracts.
7. Have a system to respond to consumer requests regarding personal data, as well as have contact information in your organization’s privacy policy.

Failing to proactively address privacy law requirements presents significant liability for companies. If you have questions or concerns about these matters, please reach out to the attorneys at Ford O’Brien Landy LLP LLP. We advise and represent clients in New York and Nationwide.

Source: California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100-1798.199

Source: Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 through 59.1-581

Source: EU General Data Protection Regulation (Regulation (EU) 2016/679)