New York Governor Vetoes Restrictive Health Privacy Law
On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”). While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.
New York
New York Attorney General Issues Guidance on New York Child Data Protection Act
On May 19, 2025, New York’s Office of the Attorney General (“OAG”) published new guidance on the New York Child Data Protection Act (the “Act”), which becomes effective on June 20, 2025. As we reported last summer, the OAG released an Advanced Notice of Proposed Rulemaking addressing the Act on August 1, 2024. The OAG has yet to release a full Notice of Proposed Rulemaking, which would be the next step in the process of developing a final rule implementing the Act’s rulemaking provisions. Until the rules are finalized, the guidance suggests that the OAG will exercise discretion in its enforcement of the Act and consider good-faith efforts to comply with the statute. Informal guidance is not legally binding, but provides some additional context on how the OAG might prioritize enforcement of the Act. For a broader description of the Act’s provisions, see our previous reporting linked above. Some key elements from the guidance are listed below.
New York Adopts Amendment to the State Data Breach Notification Law
On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements. The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach affecting New York residents. Specifically, businesses now must disclose data breaches affecting New York residents within thirty days from the discovery of a breach. Additionally, the amendment adds the New York Department of Financial Services (“NYDFS”) to the list of state regulators that must be notified whenever a breach requiring notification to New York residents occurs.
NYDFS Issues Industry Guidance on Risks Arising from Artificial Intelligence
On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks arising from the use of artificial intelligence (“AI”) and providing strategies to address these risks. While the Guidance “does not impose any new requirements,” it clarifies how Covered Entities should address AI-related risks as part of NYDFS’s landmark cybersecurity regulation, codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”). The Cybersecurity Regulation, as revised in November 2023, requires Covered Entities to implement certain detailed cybersecurity controls, including governance and board oversight requirements. Covered Entities subject to the Cybersecurity Regulation should pay close attention to the new Guidance not only if they are using or planning on using AI, but also if they could be subject to any of the AI-related risks or attacks described below.
New York Begins Rulemaking for Two Children’s Data Privacy Laws
On August 1, 2024, the Office of the New York State Attorney General (OAG) released two Advanced Notices of Proposed Rulemaking (ANPRM) for the SAFE for Kids Act and the NY Child Data Protection Act. These ANPRMs solicit input that will help the OAG promulgate regulations in three areas: (1) identifying “commercially reasonable and technically feasible methods” to determine if a user is a minor; (2) identifying methods of obtaining verifiable parental consent; and (3) promulgating any needed language access regulations.
The two laws forming the basis for the rulemaking were enacted on June 20, 2024. The Stop Addictive Feeds Exploitation (SAFE) For Kids Act and the New York Child Data Protection Act contain broad requirements applicable to some companies offering services to children, as explained further below.
New York AG Issues Guidance on Website Privacy Controls
The New York Office of Attorney General (OAG) recently published guidance for website privacy controls. Although New York does not have a comprehensive privacy law, businesses’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the OAG noted that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”
New York Department of Financial Services Proposed Second Amendment to Cybersecurity Regulation – Comments Close January 9, 2023
The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022. The proposed second amendment follows an initial comment period on an earlier draft amendment released on July 29, 2022. NYDFS is accepting comments on the proposed second amendment through January 9, 2023.
New York Requires Businesses To Notify Employees of Electronic Monitoring
On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices. The new law amends the state’s civil rights law and takes effect on May 7, 2022.
New York SHIELD Act’s Reasonable Safeguard Requirements Became Effective on March 21st — Is Your Company Ready?
On March 21, 2020, the data security requirements of the New York SHIELD Act became effective. The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws. Its two main impacts on businesses are:
- expanding data breach notification requirements
State Privacy Laws Have the Potential to Haunt Industry
With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020. But the rapid pace of privacy legal developments could continue next year. This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.
This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020. In total, at least eighteen states considered comprehensive privacy bills this year. This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.