New York

Comprehensive Privacy Law

New York does not currently have a comprehensive consumer data privacy law like California’s CCPA or other leading privacy states[1][2]. However, New York residents are protected by existing laws including the SHIELD Act for data breach notification[3][4], and the state’s consumer protection laws, which the Attorney General’s office uses to enforce privacy-related violations[5][6].

The New York Child Data Protection Act became effective on June 20, 2025, providing specific protections for users under 18 years old[7][8][9]. Additionally, the legislature passed a Health Information Privacy Act in January 2025, which awaits the governor’s signature[10][11].

Legislative Activity

The New York Privacy Act (NYPA) has been reintroduced in 2025 as companion bills A4947 and S3044, but faces an uncertain path forward after losing its longtime champion Senator Kevin Thomas, who is no longer in office[1]. A competing bill, the Data Protection Act (A974), offers a more prescriptive approach[1][12].

These bills remain in committee review with no unified proposal drawing broad legislative support[1][13][14]. The proposed laws would provide comprehensive consumer data rights including access, deletion, correction, and opt-out rights, similar to other state privacy laws[1][2][15].

Implementation Timeline

Unlike other states that enacted comprehensive privacy laws in 2025, New York’s proposed legislation has no clear timeline for passage[16][1]. The Child Data Protection Act is already in effect as of June 20, 2025[9], while the SAFE for Kids Act will take effect 180 days after the Attorney General finalizes implementing regulations[7].

The Health Information Privacy Act, if signed by Governor Hochul, would take effect one year after being signed into law, providing businesses with a 12-month implementation period[10][11].

Your Rights as a New York Resident

While New York lacks a comprehensive privacy law, residents have limited privacy protections under existing state laws and active Attorney General enforcement.

Right to data breach notification: Businesses must notify you within 30 days of discovering a breach affecting your personal information[17][4]
Right to protection from deceptive privacy practices: The Attorney General can enforce against companies making false claims about their privacy practices[5][18][6]
Right to child data protection: If you are under 18, online services must obtain consent before collecting your personal data[7][8][9]
Right to health data protection: Once signed into law, you would have rights to control how health-related companies process your medical information[10][11]
Right to accurate website privacy controls: Companies must ensure their cookie banners and privacy settings work as described[18][6]

These rights are significantly more limited than those available to residents of California, Virginia, and other states with comprehensive privacy laws[2][15].

Business Requirements

New York businesses currently face a patchwork of privacy-related obligations rather than comprehensive requirements.

Data breach notification: Companies must notify affected residents and state regulators within 30 days of discovering a breach[17][4]
Truthful privacy representations: Businesses cannot make deceptive claims about their privacy practices or website controls[5][18][6]
Child data protection compliance: Online services must obtain consent before collecting data from users under 18[7][9]
Medical data restrictions: Health-related companies would face strict consent requirements if the Health Information Privacy Act becomes law[10][11]
Financial services compliance: Companies in financial services must now notify the Department of Financial Services of any data breaches[17][4]

Practical Impact

Limited daily privacy protection: Without a comprehensive law, New York residents cannot easily access, delete, or control most of their personal data held by businesses[1][2]
Enforcement depends on Attorney General action: Privacy violations are addressed reactively through consumer protection enforcement rather than proactive consumer rights[5][6]
Strong child protections: Parents and teens under 18 have meaningful protections from data collection by online services[8][9]
Breach notification improvements: The 30-day notification requirement provides faster alerts when personal information is compromised[17][4]
Gap in comprehensive coverage: Most data collection, sharing, and selling by businesses remains largely unregulated[1][2]

Comparison Context

Behind leading privacy states: New York lacks the comprehensive consumer rights available in California, Virginia, Colorado, and other states that enacted privacy laws[16][2]
Stronger child protections: New York’s Child Data Protection Act extends protections to age 18, broader than the federal COPPA law which only covers children under 13[7][9]
Active enforcement approach: The Attorney General’s office pursues privacy violations more aggressively than many states, even without comprehensive privacy legislation[5][6]
Potential for stronger future law: Proposed legislation would provide more comprehensive rights than many existing state laws, including stronger opt-in consent requirements[1][2][15]

Action Steps for Residents

Monitor breach notifications: Watch for required 30-day notifications from companies about data breaches affecting your information[17][4]
Verify privacy controls work: Test that website cookie settings and privacy controls actually function as described[18][6]
Report deceptive privacy practices: File complaints with the Attorney General’s office about companies making false privacy claims[5][6]
Stay informed on legislative progress: Follow developments on the New York Privacy Act and related bills in the state legislature[1][13]
Exercise existing federal rights: Use available protections under federal laws like COPPA for children and sector-specific regulations[7]
Contact representatives: Advocate for passage of comprehensive privacy legislation by contacting your state legislators[1]

Official Resources and Contact Information

New York State Legislature

Track privacy legislation including the New York Privacy Act (S3044/A4947) and Data Protection Act (A974) through the official legislature website. Contact your specific representatives to advocate for privacy legislation.

Website: https://www.nysenate.gov and https://www.assembly.state.ny.us

Find Your Senator: https://www.nysenate.gov/find-my-senator

Find Your Assembly Member: https://www.assembly.state.ny.us/mem/

New York Attorney General’s Office

The Attorney General’s office handles privacy enforcement and consumer protection complaints. They also provide guidance on privacy practices and investigate deceptive business practices.

Consumer Protection Hotline: 1-800-771-7755

Online Complaint Form: https://ag.ny.gov/consumer-frauds/filing-consumer-complaint

Main Website: https://ag.ny.gov

Committee on Open Government

This state agency provides advice on privacy rights under New York’s Personal Privacy Protection Law and maintains directories of government record systems.

Website: https://opengovernment.ny.gov

Phone: (518) 474-2518

Email: coog@dos.ny.gov

Governor’s Office

Contact Governor Kathy Hochul’s office to advocate for signing pending privacy legislation or supporting new privacy initiatives.

Website: https://www.governor.ny.gov

Phone: (518) 474-8390

Constituent Services: https://www.governor.ny.gov/content/governor-contact-form

Sources and Citations

[1] https://www.centraleyes.com/everything-you-need-to-know-about-the-new-york-privacy-act-2021/

[2] https://www.security.org/resources/digital-privacy-legislation-by-state/

[3] https://www.easyllama.com/blog/new-york-data-privacy-law

[4] https://www.insideprivacy.com/cybersecurity-2/new-york-adopts-amendment-to-the-state-data-breach-notification-law/

[5] https://iapp.org/news/a/a-year-in-review-privacy-data-security-enforcement-by-new-yorks-state-attorney-general

[6] https://www.insideprivacy.com/advertising-marketing/new-york-ag-issues-guidance-on-website-privacy-controls/

[7] https://www.whitecase.com/insight-alert/data-privacy-update-2025

[8] https://www.insideprivacy.com/childrens-privacy/new-york-attorney-general-issues-guidance-on-new-york-child-data-protection-act/

[9] https://www.goodwinlaw.com/en/insights/publications/2025/06/alerts-practices-dpc-new-yorks-child-data-protection-act-now-effect

[10] https://www.hunton.com/privacy-and-information-security-law/new-york-state-legislature-passes-health-data-law-to-protect-abortion-rights

[11] https://www.healthlawadvisor.com/new-yorks-health-information-privacy-act-poised-to-become-the-latest-in-a-growing-trend-of-state-data-privacy-laws

[12] https://legiscan.com/NY/bill/A00974/2025

[13] https://legiscan.com/NY/bill/S03044/2025

[14] https://legiscan.com/NY/bill/A04947/2025

[15] https://www.termsfeed.com/blog/nypa-vs-california-privacy-laws/

[16] https://www.whitecase.com/insight-alert/2025-state-privacy-laws-what-businesses-need-know-compliance

[17] https://www.governor.ny.gov/news/governor-hochul-signs-online-safety-legislation-strengthen-protections-personal-data-consumers

[18] https://www.bytebacklaw.com/2024/07/new-york-attorney-general-publishes-website-privacy-controls-guidance/

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.