Privacy Daily is a service of Warren Communications News.

N.Y. Personal Health Data Privacy Bill Includes Private Right of Action

A private right of action appeared in a New York state health privacy bill introduced Thursday. Another lawmaker introduced a biometric privacy bill enforced by the state AG.

The health privacy bill (A-1415) would allow individuals to sue businesses providing personal health devices and software, including websites and mobile apps. Under the proposal by Assemblymember Linda Rosenthal (D), those businesses couldn’t engage in data processing, with some exceptions. They could process the data if they receive opt-in consent from the user or if it’s “strictly necessary and proportionate for the purpose of … protecting against malicious, fraudulent, or illegal activity,” dealing with security incidents or threats or responding to a warrant or court order.

Businesses would have to disclose any data processing to users and provide a way to revoke consent after it’s given. They would have to delete the data immediately upon receiving such a request or upon users deactivating their accounts. Also, A-1415 says companies must limit collection and sharing of information with third parties “to what is reasonably necessary to provide a service or conduct an activity that a user has requested or is reasonably necessary for security or fraud prevention.” And the company must limit its own use and retention of the data “to what is strictly necessary to provide a service or conduct an activity that a user has requested or a related operational purpose.”

The biometric bill (S-1422) by Sen. John Liu (D) would require companies possessing biometric identifiers or information to make a written data retention policy. The policy must contain guidelines for deleting the data when the initial purpose for collection is satisfied or within three years of the user’s last interaction with the company, whichever happens first. Data would have to be deleted within 60 days of one of those triggers. Among other requirements, companies would have to get written consent from the user before collecting, buying or otherwise obtaining biometrics data.

The Assembly Consumer Affairs and Protection Committee will get first crack at A-1415. The Senate Consumer Protection Committee will review S-1422.