
Everything You Need to Know About New York’s Data Privacy Law

In today’s digital age, data is the new currency. Consumers generate a tremendous amount of sensitive information online, from browsing history and search queries to financial and personal details. Many states have enacted comprehensive data privacy laws to protect consumer privacy and safeguard data against breaches. New York’s data privacy law is the latest addition to this legal landscape, and it imposes strict obligations on businesses that collect, use, and disclose personally identifiable information. This article will explore everything you need to know about New York’s data privacy law, from its history and key provisions to its impact on businesses and consumers.

A Brief History of New York's Data Privacy Law

New York has long been at the forefront of data privacy regulation. In 1999, it became the first state to enact a breach notification law, which requires businesses to notify consumers when their personal information has been compromised in a data breach. This law served as a model for many other states and catalyzed the development of similar laws at the federal level.

Since then, New York has continued to develop its data privacy legislation to keep pace with the ever-changing landscape of technology and cybersecurity threats. In 2005, the state passed the New York State Information Security Breach and Notification Act, which expanded on the original breach notification law and added new requirements for businesses to protect personal information.

In 2008, New York passed the Identity Theft Prevention and Mitigation Services Act, which created more protections for consumers and required businesses to take additional steps to safeguard personal information. Then, in 2010, the state enacted the New York State Electronic Equipment Recycling and Reuse Act, which addressed the growing problem of electronic waste and included provisions to protect consumer data.

Most recently, in 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which imposes significant obligations on businesses that collect or process the personal information of New York residents. The SHIELD Act is considered one of the country’s most comprehensive data privacy laws and rivals the California Consumer Privacy Act (CCPA) in its scope and stringency. It went into effect on March 21, 2020.

The Evolution of Data Privacy Legislation in New York

Over the years, New York has demonstrated a strong commitment to data privacy and has taken a leadership role in protecting consumers from data breaches and other cybersecurity threats. Besides the laws mentioned above, the state has also enacted the Nonprofit Revitalization Act of 2013, which includes provisions on data protection and has helped to ensure that nonprofit organizations are held to high data privacy and security standards.

These laws reflect New York’s dedication to data privacy and demonstrate its willingness to adapt and strengthen its legislation to address new challenges and emerging threats. As technology advances and new risks arise, New York will likely continue to play a leading role in shaping data privacy policy at the state and national levels.

Key Players and Advocates for Data Privacy

Several key individuals and organizations have been instrumental in promoting data privacy legislation in New York. One of the most prominent advocates for data privacy in the state is New York Attorney General Letitia James, who has been a vocal supporter of consumer privacy and played a key role in the passage of the SHIELD Act.

The New York Civil Liberties Union (NYCLU) has also been a strong supporter of data privacy regulation and has advocated for strong consumer protections. The organization has worked closely with lawmakers and other stakeholders to ensure that New York’s data privacy laws are robust and effective.

Finally, the New York State Bar Association has been a valuable resource for businesses and other organizations seeking guidance on best practices in data privacy and cybersecurity. The association has developed guidelines and recommendations for data security and has helped ensure businesses are aware of their obligations under New York’s data privacy laws.

Together, these players have helped to shape the data privacy landscape in New York and have created a culture of privacy and security that benefits consumers, businesses, and the entire state.

Understanding the Key Provisions of the Law

The SHIELD Act contains several key provisions that businesses must comply with to avoid penalties and fines. These provisions cover everything from data mapping and risk assessment to breach notification and disposal of personal information. Here are the most important provisions of the law:

Scope and Applicability

The SHIELD Act applies to any business that collects or processes the personal information of New York residents, regardless of the business’s location. Personal information is broadly defined as any information that can identify an individual, such as a name, address, social security number, or email address.

The law also covers third-party service providers that handle personal information on behalf of covered businesses. This provision is designed to ensure that businesses are aware of their vendors’ privacy policies and practices and are held accountable for any breaches or mishandling of data.

Consumer Rights and Protections

The SHIELD Act gives New York residents several new rights and protections regarding their personal information. These include:

  • The right to know what personal information is being collected and how it is being used
  • The right to access and request a copy of their personal information
  • The right to request the deletion of their personal information
  • The right to opt out of the sale of their personal information

Businesses must also provide clear and conspicuous privacy notices and must implement reasonable data security measures to protect personal information from unauthorized access, use, or disclosure.

Business Obligations and Compliance Requirements

Under the SHIELD Act, businesses must proactively approach data privacy and security. This includes conducting risk assessments to identify and mitigate potential vulnerabilities, implementing reasonable administrative, technical, and physical safeguards, and regularly reviewing and updating their privacy policies and procedures.

Additionally, businesses must report any data breaches to affected consumers and the New York Attorney General’s office as soon as practicable and must provide free identity theft prevention and mitigation services for affected individuals.

Comparing New York's Law to Other State and Federal Data Privacy Laws

New York’s SHIELD Act is one of the country’s most comprehensive data privacy laws, but it is not the only one. Several other states have passed their own data privacy laws, and the federal government has also expressed interest in enacting a national data privacy law. Here are some of the most notable data privacy laws:

The California Consumer Privacy Act (CCPA)

The CCPA went into effect on January 1, 2020, and also regulates the collection, use, and sharing of personal information. The CCPA gives California residents the right to access and delete their personal information and opt out of selling their information. It also requires businesses to provide clear and conspicuous privacy notices and implement reasonable data security measures.

The General Data Protection Regulation (GDPR)

The GDPR is a European Union regulation that went into effect on May 25, 2018, and governs the collection and processing of personal information of EU residents. The GDPR gives individuals the right to access and request the deletion of their personal information, the right to data portability, and the right to object to the processing of their information. It also requires businesses to obtain clear and explicit consent for collecting personal information and to implement strong data security measures.

Other State Data Privacy Laws

Several other states, including Nevada, Maine, and Massachusetts, have passed data privacy laws regulating the collection, use, and sharing of personal information. These laws vary in their requirements and protections but reflect a growing trend towards strong data privacy regulation at the state level.

The Impact of the Law on Businesses and Consumers

The SHIELD Act has significant implications for both businesses and consumers. Here’s what you need to know:

How Businesses Are Adapting to the New Regulations

Many businesses in New York and beyond are investing significant resources to comply with the SHIELD Act and other data privacy laws. This includes implementing data mapping and risk assessment programs, reviewing and updating privacy policies, and investing in robust data security measures. While the cost of compliance can be significant, many businesses consider it a worthwhile investment in protecting their customers and avoiding potential fines and legal liabilities.

The Benefits for Consumers

The SHIELD Act and other data privacy laws offer several benefits from a consumer perspective. Consumers now have greater control over their personal information, and businesses must be more transparent about their data collection and sharing practices. Additionally, the requirement for businesses to implement reasonable data security measures can help prevent data breaches and minimize the harm caused by cyber-attacks. 

Potential Challenges and Criticisms

Despite the benefits of data privacy regulation, there are also potential challenges and criticisms. Complying with multiple and often conflicting data privacy laws can be cumbersome and expensive for businesses. There is also concern that overly restrictive data privacy laws could stifle innovation and harm economic growth.

From a consumer perspective, there is a risk that data privacy laws could lull individuals into a false sense of security and lead them to share personal information with businesses that they may not fully trust. Additionally, there is concern that some data privacy laws may not go far enough in protecting individual privacy rights and may allow businesses to continue to collect and monetize personal information in ways that are detrimental to consumers. If you’re unsure about your business’s privacy policy, PPGS™ can help you understand potential data risks and assess whether your current privacy policy meets industry and legal standards.


New York’s data privacy law represents a significant step forward in protecting consumer privacy and securing sensitive data. By imposing stringent obligations on businesses, giving consumers greater control over their personal information, and promoting a culture of privacy and security, the SHIELD Act and other data privacy laws are helping to build a more trustworthy and equitable digital landscape. However, as with any complex issue, there are challenges and trade-offs to consider, and it will be up to lawmakers, businesses, and consumers to navigate this evolving landscape and find a balance that works for everyone. 
