toggle accessibility mode

New York Privacy Act: What You Need To Know

By John DiGiacomo

It’s no secret that consumers today are more concerned than they’ve ever been about their privacy online, especially when they use social media. In response, consumer privacy laws have been popping up throughout the United States and Europe.

Consumer privacy laws began ramping up in May 2018 with the European Union’s General Data Protection Regulation, which has had a tremendous impact on websites across the world to avoid a costly breach. Then, a month later, California passed its own consumer privacy law, the California Consumer Privacy Law. Not to be outdone, New York proposed the stringent New York Privacy Act this month.

Not sure how to comply with all this new legislation? We’ve got you covered. Read on to learn all about the New York Privacy Act!

The Low down on the New York Privacy Act

The California Consumer Privacy Act was a landmark moment for consumer privacy in the United States. It appears, however, that it was just the starting point for consumer privacy protection laws in the United States. New York has recently proposed its own law, the New York Privacy Act, that is more stringent than California’s law.

But what is it?

The New York Privacy Act addresses concerns about how online platform and social media firms process users’ personal data. If passed, it will amend portions of New York’s general business law that relate to the management of consumers’ personal data. The intent of this law is to give consumers more power over what, if any, personal data gets sold or shared to third parties.

Data Fiduciaries

At the heart of the New York Privacy Act is the belief that businesses should have a fiduciary duty toward the customers. The New York Privacy Act works by changing the status of businesses from mere holders of users’ personal information to data fiduciaries.

The term “data fiduciary” is inspired by a similar term, “information fiduciary,” coined relatively recently by Yale Law School professor Jack Balkin. In law, a fiduciary is a person or entity who must act in the interest of another person or entity. Your accountant, for example, has to act in your interest.

Balkin argues that, like an accountant or doctor or lawyer, social media firms and other online businesses collect significant amounts of sensitive personal information about users. That information has the potential to be used against the best interests of users and consumers, especially if it is sold or shared with a third party. Thus, social media firms and other online businesses should be held to the same standard as other businesses that have a fiduciary duty toward their customers.

New York State Senator Kevin Thomas agrees with Balkin. Thomas believes that users are being targeted for their personal data, allowing these companies to double dip: once for the ads they share with users and another time for the sale of your personal data. Thomas wants businesses to look out for more than their profits.

The New York bill applies to every single business operating within New York. Whether your company is a Fortune 500 or a small sole proprietorship, you will have a duty to act as a data fiduciary for your customers. On top of that, a business’ fiduciary duty to consumers supersedes its fiduciary duty to shareholders.

What Rights Will Consumers Have?

The New York Privacy Act aggressively expands consumer rights.

To start, consumers will be able to find out the specific data that companies are collecting about them. From there, consumers will able to find out what third parties are on the receiving end of their personal data. They would then be able to request that businesses correct or delete their personal data, or they can restrict businesses from sharing or selling their data entirely.

I addition to adhering to consumers’ best interests and acquiescing to their requests pertaining toward their personal information, this law will set guidelines regarding how they store that information, too.


If this bill passes, then New York citizens themselves will have the ability to take action against companies who act against the interest of users or against their directives. This means that companies who sell consumer data without permission from the individual consumers have the potential to face mountains of litigation.

This makes the New York Privacy Act significantly more radical than the California Consumer Privacy Act because the CCPA is enforced by the California Attorney General. The onslaught of lawsuits from New York citizens against companies who violate their fiduciary duties have the potential to be more difficult to handle than one-off lawsuits filed by the attorney general.


The New York Privacy Act is lauded by consumer protection advocates for its aggressive provisions. Predictably, however, it is not popular with businesses themselves.


The New York Privacy Act protects the rights of New York citizens, but New York has a large population, which means that it will have a global reach. Any company that operates online and stores and transmits the personal data of citizens within New York will have to comply, thus countries throughout the world will have a fiduciary duty to consumers should this pass.

There is also the issue of conflicting laws. A significant number of companies incorporate in Delaware due to its well-developed body of statutory and common law. Businesses incorporated in Delaware must place their fiduciary duty to stockholders above all other fiduciary duties.

No matter what these Delaware companies do, they’ll be violating a law. As a result of this and the sheer expense of compliance with this law, many companies feel that they will have to pull out of New York because they can’t reasonably comply with the law.

The California Consumer Privacy Act faced similar scrutiny when it was moving through the state legislature. In fact, CCPA originally allowed private rights of action before resistance from companies caused them to strike it from the bill and hand enforcement over to the state attorney general. It is possible that similar scrutiny will have the same effect on the toughness of this bill.

What’s the Current Status of the New York Privacy Act?

The New York Privacy Act is sponsored by New York State Senator Kevin Thomas. Co-sponsors include David Carlucci, Todd Kaminsky, Rachel May, and Zellnor Myrie.

The bill is currently being reviewed by the Senate Consumer Protection Committee. Once it moves out of committee, it must then pass both the Senate and Assembly before it is delivered to the governor who can either sign or veto the bill.

If you have any questions or comments about this bill that you want to address, contact your local senator to make your voice heard.

A Move Toward More Consumer Protection

The New York Privacy Act is still pending, but other stringent consumer privacy legislation has been passed in the United States and the European Union. Read on to learn about them.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) was passed by the European Parliament and Council in April 2016 and went into effect on May 25, 2018. This law addresses how companies that have a web presence store and transmit the personal data of citizens within the European Union.

Personal data refers to information about a particular person that is a customer, member, client, employee, supporter, business contact, public official, or member of the public. Personal data includes information that is generally public knowledge.

GDPR requires companies to take measures to prevent loss, alteration, or unauthorized disclosure of people’s personal information. If data is compromised, companies must report the breach.

The California Consumer Privacy Act

The California Consumer Privacy Act was passed just one month after the General Data Protection Regulation went into effect. This law gives consumers the right to know exactly what information companies collect about them. It also allows them to know why that particular data is collected and with whom the company shares that data.

Once the consumer receives that information, the California Consumer Privacy Act allows consumers to delete the information and the ability to restrict companies from selling or sharing their data. If a consumer requests that a company delete or refrain from sharing their data, then the company must comply and give that consumer the same quality of service.

Though it is limited in scope in comparison to the European Union’s General Data Protection Regulation, it is considered to be the most comprehensive data protection law in the United States.

Need Help Navigating New Laws?

From the General Data Protection Regulation to the California Consumer Privacy Act, to the New York Privacy Act, it may feel impossible to stay on top of how to comply with the voluminous body online consumer protection laws. Thankfully, there are experts available to help you protect your company from costly penalties for non-compliance. With a little help, you’ll be able to navigate consumer privacy laws just fine.

Is your company looking for assistance with consumer privacy law compliance? Contact us today with the form on this page or call us at 855-473-8474 to see how we can help your company with all your business needs from Internet law to trademark registration.


Contact Revision Legal

  • This field is for validation purposes and should be left unchanged.

Put Revision Legal on your side