New York Privacy Act (NYPA)
View Law TextMaximum Fine
$15,000 per violation
Scope
State
Regulator
AG
Status
Active
Need Help with New York Privacy Act (NYPA) Compliance?
Get expert guidance on implementing NYPA requirements and ensuring ongoing compliance for your organization.
Get Expert HelpOverview
The New York Privacy Act establishes comprehensive privacy rights for New York residents and obligations for businesses processing personal data.
Key Facts
- Comprehensive privacy law
- Enforced by New York Attorney General
- Includes consumer rights and business obligations
- Requires data protection assessments
- Focus on algorithmic decision-making
Key Principles
Consumer Rights
Rights granted to New York residents under NYPA.
Requirements
- Right to access
- Right to delete
- Right to correct
- Right to data portability
- Right to opt-out of automated decision making
- Right to opt-out of targeted advertising
- Right to opt-out of sales
Examples
- Access request procedures
- Deletion mechanisms
- Correction processes
- Data portability formats
- Opt-out systems
Data Minimization
Requirements for limiting data collection and processing.
Requirements
- Collection limitations
- Processing restrictions
- Storage limitations
- Purpose specification
- Data quality
Examples
- Data inventories
- Processing records
- Retention schedules
- Purpose documentation
Transparency
Clear disclosure requirements for controllers.
Requirements
- Privacy notice requirements
- Processing disclosures
- Rights information
- Sharing practices
- Contact information
Examples
- Privacy policies
- Notice updates
- Rights notifications
- Processing records
Compliance Requirements
Data Protection Assessments
Required assessments for high-risk processing activities.
Implementation Steps
- Identify processing requiring assessment
- Document risks and benefits
- Evaluate safeguards
- Consider alternatives
- Implement controls
Required Documentation
- Assessment procedures
- Risk analyses
- Control documentation
- Review records
- Mitigation plans
Consumer Request Handling
Procedures for handling consumer rights requests.
Implementation Steps
- Establish request procedures
- Implement verification methods
- Set response timelines
- Train staff
- Document responses
Required Documentation
- Request procedures
- Verification methods
- Response templates
- Training materials
- Request logs
Data Security
Requirements for protecting personal data.
Implementation Steps
- Implement security measures
- Train employees
- Manage vendors
- Monitor compliance
- Regular reviews
Required Documentation
- Security policies
- Training records
- Vendor agreements
- Audit logs
- Review reports
Enforcement & Penalties
Attorney General Enforcement
The New York Attorney General has authority to enforce the NYPA.
Penalty Categories
Civil Penalties
Up to $15,000 per violation
For each willful violation
Injunctive Relief
Varies
Court orders to cease violations
Example Cases
Example Case 1
$75,000
2024 - Multiple violations of consumer rights
Example Case 2
$45,000
2024 - Failure to implement required safeguards