The New York Privacy Act: Proposed Privacy Legislation 2022 Update

On May 13, 2021, New York State Senator Kevin Thomas reintroduced the New York Privacy Act (S6701). With California, Virginia, and Colorado already having comprehensive state privacy laws on the books, New York may be the next state to have one of its own.

Having convened for the 2022 Legislative Session on January 5, 2022, New York lawmakers are once again considering the New York Privacy Act (S6701A / A680B). As of February 8, 2022, the Senate version of the bill has been reported and committed to the Internet and Technology Committee.

Here are some of the important details that businesses should know about the proposed legislation:

Who does the New York Privacy Act apply to?

The New York Privacy Act would apply to legal persons that conduct business in New York or produce products or services targeted to residents of New York, and that satisfy one or more of the following thresholds:

  • Have annual gross revenue of $25 million or more;
  • Control or process personal data of 100,000 consumers or more;
  • Control or process personal data of 500,000 natural persons or more nationwide, and control or process personal data of 10,000 consumers or more; or
  • Derive over 50% of gross revenue from the sale of personal data, and control or process personal data of 25,000 consumers or more.

Which entities and what types of information are exempted from the New York Privacy Act?

The New York Privacy Act recognizes a number of exemptions.

For example, this act would not be applicable to personal data processed by state and local governments, personal data covered under the Gramm-Leach-Bliley Act (GLBA), personal data covered under the Driver’s Privacy Protection Act, personal data covered under the Family Educational Rights and Privacy Act (FERPA), personal data covered under the Farm Credit Act, protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH), and other similar federal laws.

Data maintained as employment records (for purposes other than sale) as well as data collected as part of human subjects research (such as clinical trials) would also be exempted.

Furthermore, the New York Privacy Act would not apply to national securities associations regulated by the Securities Exchange Act of 1934.

How does the New York Privacy Act define “personal data”? Is there a separate category for “sensitive data”?

The New York Privacy Act defines “personal data” as “any data that identifies or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device. Personal data does not include de-identified data.”

The bill does not define a separate category of “sensitive data” that would be subject to additional restrictions.

What consumer rights does the New York Privacy Act provide?

Under the New York Privacy Act, consumers have the rights to notice, access, data portability, correction, and deletion, as well as the right to appeal automated decision-making.

A controller that processes a consumer’s personal data must provide notice that is publicly and persistently available, conspicuous, and readily accessible. Such notice must include:

  • A description of the consumer’s rights;
  • The categories of personal data processed by the controller and by any processor;
  • The sources from which personal data is collected;
  • The identity of each third party to whom the controller disclosed, shared, transferred, or sold personal data along with information regarding the specific categories of personal data, purposes, and retention periods;
  • The controller’s retention period for each category of personal data;
  • The average expected revenue per user (ARPU), or a similar metric, for controllers engaging in targeted advertising.

The New York Privacy Act requires that notices be written in easy-to-understand language at an 8th grade reading level or below and updated at least annually.

What is the New York Privacy Act’s perspective on consent?

The New York Privacy Act defines “consent” as “a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer’s agreement to the processing of data relating to the consumer.” Consumers can withdraw their consent at any time.

The following do NOT constitute consent:

  • An agreement of general terms of use or a similar document that references unrelated information in addition to personal data processing;
  • An agreement obtained through fraud, deceit, or deception;
  • Any act that does not signify a user’s intent to interact with another party, such as hovering over, pausing, or closing any content; or
  • A pre-checked box or similar default.

The New York Privacy Act takes an opt-in consent approach. Controllers must obtain freely given, specific, informed, and unambiguous opt-in consent prior to processing.

What responsibilities do controllers, processors, and third parties have under the New York Privacy Act?

Controllers must regularly conduct and document data protection assessments. The New York Privacy Act also imposes a duty of loyalty and duty of care upon controllers. Controllers must also review their retention practices at least annually and may not discriminate against a consumer for exercising his or her privacy rights. Notably, controllers must also enter into written, signed contracts with any processors prior to making any disclosure, transfer, or sale of personal data.

Processors must comply with these contracts (for which the New York Privacy Act lists several requirements and restrictions) and are under a continuing obligation to engage in reasonable measures to review their activities.

Third parties may process personal data only to the extent permitted and must generally honor any exercise of a consumer’s privacy rights.

What about data brokers?

Data brokers must register with the attorney general on an annual basis, pay a registration fee of $100 (or some other amount determined by the attorney general), and provide identifying information and a statement describing the method for exercising consumers’ rights and whether they implement a purchaser credentialing process.

The New York Privacy Act would require the attorney general to maintain a statewide registry of data brokers.

Is there a private right of action?

Yes, the New York Privacy Act gives consumers a private right of action in the event of a violation of the opt-in consent, automated decision-making, and/or controller response sections.

If passed, when will the New York Privacy Act become effective?

Sections 1101 (Jurisdictional scope), 1102 (Consumer rights), 1103 (Controller, processor, and third-party responsibilities), 1105 (Limitations), 1106 (Enforcement and private right of action), and 1107 (Miscellaneous) would take effect two years after the New York Privacy Act becomes law.

The private right of action would take effect three years after the act becomes law.

——————————————————————————————————————————-

The New York Privacy Act bill is currently under active committee consideration. On February 8, 2022, the New York Senate Consumer Affairs Committee voted the senate version of the bill out of committee (5 ayes, 1 nay). It is currently in the New York Senate Internet and Technology Committee. New York State’s current legislative session is open until early June.

Beckage continues to actively monitor updates to the New York privacy landscape. To learn more about the impact the New York Privacy Act may have on your business, please reach out to our team of highly experienced attorneys.

*Attorney advertising: prior results do not guarantee similar outcomes.

Data Privacy Day 2022 – Beckage Attorneys Make 2022 Data Security & Privacy Predictions

Happy Data Privacy Day 2022!

January 28th is Data Privacy Day, an annual, international event promoting privacy and data protection best practices for both consumers and businesses.

Every day is Data Privacy Day at Beckage. Our team of highly skilled attorneys and technologists work with businesses day in and day out on all things data privacy. With our unique experience, we assist clients in building out privacy and data security compliance programs from the ground up, responding to headline-making national and international data breaches and cyber incidents, navigating the wide range of state, federal, and international regulatory regimes, and so much more.

The legal landscape surrounding data security and privacy is constantly evolving as it adapts to global privacy trends and technological advancements. In observance of Data Privacy Day, January 28, 2022, we asked our Global Data Privacy Team Leads, Jordan Fischer and Kara Hilburger, what they expect to see in this space in 2022. Watch the video above to hear our 2022 data security and privacy predictions.

For more information, read our list of the top five things that businesses can start thinking about when addressing privacy in 2022.

Be at the forefront of data privacy and security by following us on LinkedIn, reading our blog, and subscribing to our newsletter.

*Attorney advertising – prior results do not guarantee future outcomes.

Data Privacy Day: 5 Privacy Considerations for Businesses in 2022

January 28th is Data Privacy Day – an annual, international event to promote privacy and data protection best practices for both consumers and businesses.

Here at Beckage, every day is Data Privacy Day. Our premier team of highly skilled attorneys and technologists work with businesses day in and day out on all things data privacy. With our unique experience and expertise, we assist clients in building out privacy and data security compliance programs from the ground up, responding to headline-making national and international data breaches and cyber incidents, navigating the wide range of state, federal, and international regulatory regimes, and so much more.

For this year’s Data Privacy Day, we put together a list of the top five things that businesses can start thinking about when addressing privacy in 2022:

1. Data Rights and What They Mean for Your Data Management

The European Union’s General Data Protection Regulation (GDPR) comes with, amongst many other things, a number of data subject rights, including the rights of access, rectification, erasure (otherwise referred to as the “right to be forgotten”), restriction of processing, data portability, and objection, as well as the right not to be subject to a decision based solely on automated processing. At the domestic level, the California Consumer Privacy Act (CCPA) also includes its own set of data subject rights, including the rights of access and deletion and the right to opt out of the sale of personal information. The upcoming California Privacy Rights Act (CPRA), which amends and expands on portions of the original CCPA, adds the right for consumers to limit the use and disclosure of sensitive personal information. Both Virginia and Colorado have enacted their own comprehensive privacy laws, set to go into effect in the next 18 months, each with its own set of data subject rights.

As 2022 progresses and as 2023 approaches, businesses should stay up to date with upcoming privacy laws and their respective data subject rights. In addition to data rights included in the aforementioned regulations, consumers in 2022 are increasingly invested in what companies are doing with their data. Developing and implementing data access request procedures is both a step towards compliance with privacy regulations and a way to demonstrate that your organization values consumer privacy.

2. Data Mapping

From a regulatory compliance standpoint, obtaining a complete and accurate picture of your organizational data landscape is essential. Part and parcel of compliance with major, comprehensive privacy laws, such as the GDPR and the CCPA/CPRA, includes determining the scope and flow of data into and within your organization. For example, from whom is personal data being collected? And to whom is that personal data going? What categories of personal data are being collected? When is it being collected? For what purposes is that personal data being collected? And where does it sit within the organizational infrastructure?

Data mapping is an extremely useful exercise for a business to understand its own data flows. In 2022, as privacy law continues to develop on both a national as well as an international scale, businesses should take the critical step to develop a data inventory and a data map.

3. Governing Your Privacy

Developing a privacy compliance program is important, and so is implementing those privacy policies and procedures into your daily operations. What does it mean to “govern your privacy”? After understanding data rights and mapping your data, the next step in the process is taking proactive measures to understand your privacy requirements and implementing data governance principles to comply with applicable laws and regulations. Data governance refers to an organization’s ability to understand its data flows and stakeholders, to handle data effectively and properly at all points of the information lifecycle, and to develop access privilege controls and accountability measures. In 2022, consider data governance principles when assessing how to protect and handle your data to comply with the major, comprehensive privacy laws.

4. The Good, Bad, and Ugly of Cookies

Another key consideration for businesses is their website’s cookie consent banner. For example, in the first week of January, France’s data protection authority (the CNIL) announced fines against Google and Facebook for €150 million and €60 million, respectively, for failures to make the rejection of cookies as easy to do as the acceptance of cookies. These fines follow on the heels of the CNIL’s November 2021 guidance, in which it reminded businesses that users must be able to “choose freely and in an informed manner to be the object of a tracking not strictly necessary for the provision of the requested service” and “to refuse such tracking.” Businesses should anticipate cookies and online data tracking to continue to be an area of focus for regulatory authorities and should take care to ensure that cookie consent banners are compliant with the varying applicable laws.

5. Annual Review of External Website Disclosure Policies and Notices

Businesses that are subject to the CCPA are required to update their privacy policies “at least once every 12 months.” Not only is an annual review of external website disclosure policies and notices required, but such a review presents an opportunity for a business to take stock of their data collection and processing practices and to ensure that any policies or notices reflect current activities. Furthermore, the privacy landscape is constantly evolving. New laws and regulations enter the playing field, while updates are made to existing ones. The four above-mentioned considerations can help businesses prepare for an annual review of privacy policies, and the review itself can help businesses stay up to date with current data practices and legal developments.

Conclusion – Data Privacy Day

In the spirit of Data Privacy Day, we hope that you take the time to think about how privacy impacts your business and about the key data privacy and security considerations for 2022. Given that privacy compliance is a constantly evolving and long-term endeavor, we hope that you continue to engage with data privacy beyond Data Privacy Day. Beckage attorneys are committed to providing updates on relevant legislation, current threats, and proactive data security steps.

Be at the forefront of data privacy and security by following us on LinkedIn, reading our blog, and subscribing to our newsletter.

*Attorney advertising – prior results do not guarantee future outcomes.

Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 

 

New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies that operate a business or produce products or services targeted to residents of Virginia and meet certain thresholds. Months later, in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offers a private right of action.

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Beckage recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   

 

Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and other cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack, both the federal and state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.

The federal government’s response to this year’s sharp increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and BlackMatter – to take their dark web platforms offline. At the same time, however, new variants of ransomware are constantly emerging, and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Beckage’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Beckage recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 

 

Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Beckage’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 

 

Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in January, March, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the question of BIPA claims accrual to the Illinois Supreme Court.

 

Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Beckage Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA), as well as rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately 4,000 new lawsuits filed this year alone, most of them against small to medium sized businesses. The issue of whether websites qualify as places of public accommodation under the ADA continued to take shape in 2021. For example, in April the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with Ninth Circuit authority holding that a website is a place of public accommodation if there is a nexus to a brick and mortar location. In August, the United States District Court for the Eastern District of New York issued a decision in Winegard v. Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.”

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Beckage recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full-scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead into 2022.

 

Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Beckage’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the TCPA’s definition of an automatic telephone dialing system to equipment with the capacity to use a random or sequential number generator. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text message marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast-moving area of the law.

 

More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 

 

Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Beckage’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 

*Attorney Advertising. Prior results do not guarantee similar outcomes. 

New York’s New Rules on Employee Electronic Monitoring

On November 8, 2021, New York Governor Kathy Hochul signed into law Senate Bill 2628 / Assembly Bill 430, making New York the third state, following Connecticut and Delaware, to require employers to provide notice of electronic monitoring to employees.

 

Who is covered?

The new law defines employers as “any individual, corporation, partnership, firm, or association with a place of business in the state.” The definition does not “include the state or any political subdivision of the state.”

 

What is required?

“Any employer who monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems, shall give prior written notice upon hiring to all employees who are subject to electronic monitoring.”

Such notice must be: (1) in writing, in an electronic record, or in some other electronic form; (2) acknowledged by the employee either in writing or electronically; and (3) conspicuously placed and readily available for employees.

Please note that the requirements of this new law do not apply to electronic mail, telephone, and internet usage processes that are “performed solely for the purpose of computer system maintenance and/or protection.”

 

Enforcement

The new law allows for enforcement by the attorney general. The maximum civil penalty for the first offense is $500. The maximum civil penalties for the second and third offenses are $1000 and $3000, respectively.

 

Effective Date

This new law takes effect on May 7, 2022.

Considering the evolving legal landscape, including newly enacted laws such as New York’s employee electronic monitoring law, the Beckage Compliance team recommends that companies review existing policies and procedures. Employee notices, Acceptable Use policies, and Employee handbook provisions are among the items that should be reviewed annually to be sure the representations align with any new legal obligations. Companies should also review employee login banners and evaluate and audit the process for tracking and documenting employee acknowledgment.

*Attorney advertising: prior results do not guarantee similar outcomes.
