Readers of CPW are already familiar with the New York Biometric Bill, which resembles the Illinois Biometric Privacy Act (“BIPA”) and contains a private right of action. If enacted, it would be a sea change for data privacy litigation in New York. However, the New York Biometric Bill is not the only privacy legislation under consideration. More than 50 privacy bills have already been introduced in New York for the 2021-2022 session. A must-read analysis authored by Lydia de la Torre and Ann LaFrance discusses this development.
As they note, the two New York bills that have garnered the greatest attention may be described as comprehensive privacy bills: S567 (and its Assembly mirror bill A3709), and A680 which would enact the New York Privacy Act.
- S567 resembles and includes rights similar to those established by the California Consumer Privacy Act (addressing, for instance, disclosures of the categories and specific pieces of personal information collected, purposes for collecting or selling, and the categories of third parties with which the information is shared).
- By contrast, A680 goes even further by granting individuals additional rights (such as the right to rectification and deletion). It also requires companies to disclose their methods of de-identifying personal information and places special safeguards around data sharing. Moreover, A680 would a impose a “data fiduciary” duty on “every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, [to] . . . exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and [to] . . . act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”