New York

Keypoint: Section 500.17(b) of 23 NYCRR Part 500 (“Part 500”) requires all non-exempt Covered Entities regulated by the New York Department of Financial Services to submit their annual notices of compliance by April 15th.

Businesses that are subject to the NYDFS Cybersecurity Regulations have four weeks left to submit their annual notices of compliance or acknowledge their noncompliance. When the regulations were amended in 2023, several of the new requirements were phased in over two years. Businesses cannot simply re-use their notice from last year without confirming that the new obligations were met and preparing for the requirements going into effect in 2025.

Keypoint: New York has amended its data breach notification law twice in the last 60 days to (1) add a 30-day deadline for notifying affected residents, (2) clarify that covered financial entities must still notify the New York Department of Financial Services (NYDFS) in accordance with existing NYDFS cybersecurity regulations, and (3) expand the prior definition of “private information” to include medical and health insurance information.

In the last sixty days, the New York legislature twice amended its data breach notification law. In the below article, we discuss the amendments and takeaways for covered businesses.

Keypoint: The New York legislature passes broad and restrictive health data privacy legislation with implications for businesses both within and outside New York.

Last week, the New York legislature passed the New York Health Information Privacy Act (S 929) (the “Act”). If signed into law, the Act will add New York to the list of states that have enacted consumer health data-specific privacy legislation in response to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Although the Act is not a clone of Washington’s My Health My Data Act (“MHMD”), it follows many of the same themes: regulating health data beyond the state’s borders, utilizing a broad definition of health data, and imposing additional obligations and narrower exemptions than those seen in generally applicable consumer privacy legislation.

Below, we provide a summary of the Act and identify some of the unique challenges it poses for affected companies.

Keypoint: The New York State Department of Financial Services (NYDFS) issued an industry letter outlining the threats posed to U.S. companies that hire remote technology workers who are linked to North Korea and may embezzle funds from their new employers.

On November 1, 2024, NYDFS issued guidance warning companies of an increasing risk posed by individuals applying for employment in IT roles who are in fact operating on behalf of North Korea. These applicants seek employment in order to infiltrate western companies’ computer systems and illicitly generate revenue for the North Korean regime.

Keypoint: Although New York lacks a consumer data privacy law, the New York Attorney General’s office has taken the position that New York’s consumer protection laws require entities to implement certain tracking technology practices.

In mid-July the New York Attorney General’s office published a Guide for Website Privacy Controls in which the office identifies “mistakes we found businesses making when deploying tracking technologies.” The guidance acknowledges that New York lacks a consumer data privacy law that regulates online tracking technologies, but takes the position that “New York’s consumer data protection laws . . . , which prohibit businesses from engaging in deceptive acts and practices, effectively require that websites’ representations concerning consumer privacy be truthful and not misleading.” According to the Attorney General, this “means that statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”

In the below article, we provide a brief overview of the guidance and some key takeaways.

Keypoint: Assuming the bills become law and go into effect, operators of websites and online services that collect the personal data of minors and are subject to the bills will need to undertake several compliance activities.

On June 7, 2024, the New York legislature passed two bills directed at kids’ use of online technologies –

Keypoint: After a January hearing, New York City continues to consider comments to a new law regulating employers’ use of automated employment decision tools, with enforcement to begin “in the coming months.”

New York City moves closer to implementing Local Law 144, the first major U.S. law governing the use of AI employment technologies. On January 23, 2023, the New York City Department of Consumer and Worker Protection (DCWP), the agency charged with enforcing the law, held a second public hearing on the law’s proposed rules to address several ambiguities related to key definitions and the scope of the law. Within the past week, the DCWP published a transcript of the hearing and announced that it would finalize its rules and begin enforcement “in the coming months.”

Keypoint: Employers who use automated employment decision tools in New York City will receive additional guidance on complying with Local Law 144 before enforcement begins on April 15, 2023.

New York City employers who use automated employment decision tools (“AEDTs”) now have until April 15, 2023, to prepare for compliance with New York City Local Law 144 which regulates usage of such tools. The law was to go into effect on January 1, 2023.

In the below post, we provide a brief overview of the law and its current rulemaking process.

Keypoint: As of May 7, 2022, New York employers that monitor or intercept employee emails, internet usage, or telephone communications must provide written notice to those employees.

On May 7, 2022, an amendment to the New York Civil Rights Act goes into effect that requires private employers with places of business anywhere in the state to provide employees a written notice if the employer monitors or intercepts employee emails, internet access or usage, or telephone conversations. The written notice must communicate that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system . . . may be subject to monitoring at any and all times by any lawful means.”

Keypoint: This week the Colorado legislature passed the Colorado Privacy Act.

Below is our sixteenth weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we need to make a few announcements.

This will be our last weekly update – for now. With the legislatures in so many states having adjourned for the year and the bills in the remaining states not moving forward, we will be pausing our weekly updates. Rest assured, we will be back when things heat up again.

Even though we are pausing our weekly updates, we are not slowing down our work on state consumer privacy legislation.

On June 15, we will be hosting a webinar on the Colorado Privacy Act.

Starting Monday, June 21, we will be releasing a limited podcast series with interviews of state lawmakers who spearheaded privacy legislation in 2021. If you want to know the inside story on how these bills are drafted and lobbied, you will not want to miss these interviews.

Finally, if you are not already subscribed to our blog, consider doing so to stay updated.