2021 New York privacy forward

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

By Gamelah Palagonia | January 28, 2021

New York hits the ground running on privacy in 2021.

As part of the 2021 State of the State, Governor Andrew Cuomo announced a comprehensive law that will provide New Yorkers with transparency and control over their personal data and provide new privacy protections. This law will mandate that companies that collect information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. Governor Cuomo will also establish a Consumer Data Privacy Bill of Rights guaranteeing every New Yorker the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.

“New Yorkers appreciate the value and convenience that technology has afforded their lives, but progress does not need to come at the expense of basic privacy.”

Governor Andrew Cuomo

On opening day, the 2021-22 New York State legislature introduced its version of California’s CCPA, Senate Bill 567, which includes a private right of action specifying that a consumer who suffers an injury in fact may recover the greater of statutory damages of $1,000 or actual damages, and $3,000 or actual damages for an intentional violation. Under Senate Bill 567, any person who becomes aware, based on non-public information, that a person or business has violated this section may file a civil action for civil penalties, which would allow suits to be brought by competitors, vendors and consumer groups based on violations of the law. As under the CCPA, the New York attorney general would have rulemaking and enforcement authority.

The New York Biometric Act Assembly Bill A27, similar to the Illinois Biometric Information Act, requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a data retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first. The proposed bill prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person's or a customer's biometric identifier or biometric information, unless the private entity first:

  • informs the data subject in writing that a biometric identifier or biometric information is being collected or stored;
  • informs the data subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  • obtains a written release from the data subject.

The New York Biometric Act also includes a private right of action in New York Supreme Court for any violation of the statute’s requirements. Where a violation is found, the prevailing consumer may recover the greater of actual damages or liquidated damages per violation of up to $1,000 for a negligent violation and up to $5,000 for an intentional or reckless violation.

Several other consumer privacy bills were introduced, including the New York Privacy Act (NYPA) Assembly Bill A680 and the Right to Know Act Assembly Bill A400, which are identical to the bills that were introduced in the 2019-20 legislative session but did not make it out of committee.

The NYPA would require companies to disclose their methods of de-identifying personal data, place special safeguards around data sharing and allow consumers to obtain the names of all entities with whom their information is shared, reminiscent of the GDPR’s consent requirement. The NYPA contains a private right of action, which gives New Yorkers the right to sue companies directly for any violation of the law, not just in the context of a data breach. This bill does not specify statutory damages; claimants would have to prove actual damages. The NYPA’s private right of action allows third-party businesses and nonprofit consumer groups to bring actions as well.

The NYPA also includes a requirement for businesses to act as data fiduciaries, which creates an inherent conflict, particularly for the public technology and media sectors. Boards of directors have a duty to act in the best interest of shareholders; as data fiduciaries, however, they would have to act in the best interest of consumers as well. The NYPA also expands the definition of personal data to include consumer profiles if correlations can be drawn from the personal information that is collected from New Yorkers.

Assembly Bill A400, The Right to Know Act, would require businesses to provide customers with access to their personal information and the categories of personal information disclosed to third parties, and the names and contact information of all such third parties, which is similar to requirements under California’s Shine the Light law. The Right to Know Act also includes a private right of action with enforcement actions to be brought by the attorney general, a district attorney, a city attorney, or a city prosecutor in a court of competent jurisdiction. No statutory damages are specified.

The Online Consumer Protection Act Assembly Bill 405 (AB 405) is a proposed amendment to New York’s General Business Law and directly addresses interest-based advertising activities. AB 405 prohibits publishers such as website owners and advertising networks from collecting non-personally identifiable information, such as mobile device identifiable information, for the purposes of online preference marketing, unless the consumer is given an opportunity to opt out. This bill also requires publishers to post a clear and conspicuous notice on their websites that describes the collection and use of information by the advertising network. There is no private right of action under AB 405. The New York attorney general has sole authority to bring actions, including injunctive relief and statutory damages of $250 per violation, which may be increased at the discretion of the court to up to three times that amount if the violation relates to use of personally identifiable information for online preference marketing or the failure to provide an opt-out.

Until a federal privacy law is passed, businesses in New York and other states will continue to face significant compliance complexities. Aiming to comply with an assortment of federal and state data privacy laws that are continuously changing is more challenging than ever before. Some privacy experts believe that it is only a matter of time before the United States passes federal data privacy legislation – 2021 will tell.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.



Senior Vice President for Network Security, Data Privacy and Technology Errors & Omissions
