Over the last few months, we have been presenting and reporting on the California Consumer Privacy Act (CCPA), the county’s first comprehensive state law designed to give consumers significant control over the personal data that companies collect. Not to be outdone, New York is working on data privacy legislation that imposes even heavier burdens on companies that collect consumer information.

The proposed New York Privacy Act (NYPA), Senate Bill S5642, sponsored by Democrat Kevin Thomas, has not yet been passed. If it passes in its current form, however, it would impose the strictest requirements in the country relating to companies’ collection, maintenance, use, and disclosure of consumer information. 

The NYPA would mirror the CCPA in many ways. The NYPA would require companies that collect consumer information to provide notice to consumers of their rights under the statute. It would also require companies to disclose to consumers, on their request, what personal information about the consumers the company holds, how that information is used, and whether it is sold.  It also would allow consumers to request that the their personal information be deleted.

But there a some key differences too. The proposed NYPA, unlike the CCPA, would designate any legal entity that “collects, sells or licenses personal information of consumers” as a “data fiduciary.” A “data fiduciary” would be required to “exercise the duty of care, loyalty and confidentiality expected of a fiduciary” in handling consumer information. It also would be prohibited from using information in a way that “will benefit the online service provider to the detriment of an end user,” “will result in reasonably foreseeable and material physical or financial harm to a consumer,” or “would be unexpected and highly offensive to a reasonable consumer.”

The NYPA would also create a data “correction” mechanism requiring companies to correct “inaccurate personal data” when requested by a consumer, recalling provisions of consumer protection laws involving credit reporting. This would in some cases entail a “supplementary statement” that the company needs to add to the data it already maintains.

Finally, unlike the CCPA, which at present allows private civil actions only for data breaches, the entirety of the NYPA would be privately-actionable. “Any person who has been injured by reason of a violation” could sue for actual damages and injunctive relief.

As noted above, the NYPA is still a work in progress, and it may be modified before being passed, if it is passed. But whether it makes it to Governor Cuomo’s desk in its present form or not, it presents a valuable glimpse into the possible future of state-level data privacy law.

For more information regarding this article, please contact Luke Sosnicki and Ashley Fickel.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.