New York’s proposed data privacy law failed to materialize in the latest legislative session and is now presumed dead. New York was one of a number of states that proposed sweeping privacy legislation after the enactment of the California Consumer Privacy Act (CCPA). The proposed New York law, in fact, was broader than the CCPA in many ways. The law would have applied to non-profits as well as for profits, and included a private right of action for data breaches of $10,000 per consumer. The proposed law also would have designated businesses that collect personal information of New York consumers as “information fiduciaries” and imposed on such companies a “duty to exercise loyalty and care” in how the business uses personal information, as the Electronic Frontier Foundation put it.
Concerns about the overly prescriptive nature of the proposed law as well as its potential impact on small and medium-sized companies appear to have derailed the bill in the New York senate. A number of other states, including Massachusetts and Connecticut, are still considering their own privacy laws, but for the time being at least, the CCPA remains the only comprehensive US state privacy law on the books.