N.Y. Lawmakers File Privacy and Age-Verification Bills

The Assembly referred the comprehensive privacy bill (A-974) to the Consumer Affairs and Protection Committee. “It gives New York consumers the ability to exercise more control over their personal data and requires businesses to be responsible, thoughtful, and accountable managers of that information,” the bill says. Consumer rights include “clear notice of how their data is being used, processed and shared; the ability to access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services; and the ability to correct inaccurate data and to delete their data.”

Businesses must “maintain reasonable data security for personal data,” tell consumers about “foreseeable harms arising from use of their data and … obtain specific consent for that use,” and “conduct regular assessments to ensure that data is not being used for unacceptable purposes,” says the bill. Also, the measure would require that data brokers register with the New York attorney general.

The legislation would apply to companies that either (1) make $25 million or more in annual revenue, (2) control or process personal data of at least 50,000 consumers or (3) derive more than 50% of gross revenue from selling data. It would exempt personal data processed by governments “for processes other than sale,” national securities associations, nonprofits that help first responders or law enforcement agencies fighting insurance fraud. It also has data-level exemptions for information covered by the Gramm-Leach Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act and some other laws.

The New York attorney would enforce the bill. Also, A-974 would authorize the AG to make rules for carrying out the proposed law, “including rules governing the form and content of any disclosures or communications required by this article.” The bill lacks a right for companies to cure potential violations, unlike most of the 20 existing state privacy laws.

Rozic’s bill notably calls out “social security, financial account, passport or driver's license numbers” as a category of sensitive data. It also includes categories common to other state privacy laws, including “racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status,” as well as genetic or biometric information and precise geolocation data. The definition doesn’t list children’s data, unlike many other states’ laws.

Mulrow-Peattie noted the bill's possible compliance challenges. For instance, a proposed requirement that companies make available their privacy notices from the preceding six years “would be confusing for consumers and could lead to an increase in class action lawsuits against companies under other statutes such as wiretapping statutes, increasing the class action risk exponentially for NY companies,” she said.

Also, data-level exemptions for GLBA and HIPAA are more costly to implement than entity-level exemptions seen in many other state laws, said Mulrow-Peattie. She also flagged a provision saying that a customer’s previous opt-in consent for using sensitive data would no longer be valid after a merger or acquisition. That “would be a hindrance to companies who obtain specific consent for targeted advertising, sharing of specific data sets or profiling in compliance with other laws and then are trying to sell their company or assets,” she wrote. “If the consent is still valid for the purpose, it should be able to be transferred to the acquiring company.”

The American Civil Liberties Union's opposition to previous years' editions of Rozic's bill continues in 2025, said an ACLU New York spokesperson.

Separately, Sen. Liz Krueger (D) introduced a health data privacy bill (SB-929) with nine other Democrats. The Senate referred it to the Internet and Technology Committee.

The state AG would enforce the proposed law and make implementing rules. Among other things, the legislation would make it unlawful to sell a person’s regulated health information to a third party or otherwise process it unless the “individual has provided valid authorization for such processing” or processing “is strictly necessary” for various reasons, including “providing or maintaining a specific product or service requested by such individual,” conducting internal business operations, security and protecting against fraud or illegal activity.

The health bill’s scale is similar to Washington state’s My Health My Data law, “but with important distinctions,” Future of Privacy Forum Director-U.S. Legislation Keir Lamont said on Bluesky. “Most notably, it would impose a 24 [-hour] delay following initial registration before ‘valid authorization’ can be obtained to use health data for a non-exempt purpose.” He added that last year's version of the New York bill was “arguably one of the most significant state privacy proposals that came closest to enactment.”

In addition, 18 Republicans floated a social media age-verification bill in the Democratic-controlled state. SB-927 would require that platforms determine a user’s age and not allow those younger than 18 to create accounts without parental consent. It would also require social sites to provide parents or legal guardians access to their kids’ accounts. The bill includes enforcement by the New York Consumer Protection Division and a private right of action. The Senate referred the bill to the Internet and Technology Committee.

Earlier this week, Assemblymember Alex Bores (D) introduced a comprehensive proposal for regulating AI-based decisions (see 2501070076).