The Empire State is making waves in the world of privacy with the introduction of its own version of the now infamous California Consumer Privacy Act (CCPA).  SB 567, which was introduced on January 6, 2021, is New York’s attempt to introduce new consumer rights with respect to personal information, as well as regulate the sale of consumer personal information to third parties.  Notably, the Bill also introduces a private right of action for consumers who have suffered an injury in-fact.

What are the key provisions?

At a high-level, the Bill includes some provisions that are similar to the CCPA, however, unlike the CCPA the Bill focuses exclusively on the sale and disclosure of personal information.  Specifically, the Bill:

  • Introduces the concept of “sale” of personal information, though the Bill defines the concept  differently than the CCPA, as: “(A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for valuable consideration; or (B) sharing orally, in writing, or by electronic or other means, a consumer’s personal information with a third party, whether for valuable consideration” (i.e., adding the element of “valuable consideration” to at least some forms of information exchange).  This concept is arguably broader than the CCPA’s definition of “sale”, which requires consideration in all cases.
  • Gives consumers the right to request that a business which collects the consumer’s personal information disclose to the consumer the categories of personal information it has collected about the consumer (i.e., not only information collected from the consumer).
  • Gives consumers the right to request that businesses selling personal information disclose both the categories of personal information the business disclosed or sold, and the identity of the third parties to whom the personal information was disclosed or sold.
  • Gives consumers the right to opt-out of the sale of their personal information, and includes a requirement that the business generate an identifier for a consumer who has “opted out” to alert third parties that the consumer has opted out of the sale of such sale.
  • Prohibits businesses from discriminating against a consumer because the consumer directed the business not to sell the consumer’s personal information.

What about the expanded private right of action?

Importantly, the Bill also creates a private right of action, deeming a consumer to have suffered an “injury in fact” by virtue of the statutory violation alone, and essentially waiving the requirement to establish a concrete and particularized injury to bring suit.  As a practical matter, this allows a consumer who falls victim to a violation to recover statutory damages – to the tune of $1,000 for each violation – even if they have not suffered any loss of money or property as a result of the violation.  Violations deemed “knowing and willful” will recover up to $3,000 in statutory penalties a piece, or actual damages, whichever is greater.  The Bill does not, however, allow for the recovery of attorneys’ fees.  Unlike under the CCPA, this private right of action is not limited to breaches of sensitive personal information, but rather applies to all violations of the law.

This facet of the Bill risks inciting a new wave of consumer privacy class actions over alleged violations, in addition to opening the door to claims from vendors and competitors.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Teresa advises on all aspects of dispute resolution, primarily complex business disputes, class actions, intellectual property and international arbitration. She is the Co-Chair of the North American Class Action Subgroup.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Sara Pitt is an associate in Baker McKenzie's Los Angeles office and a member of the Firm's Litigation and Government Enforcement practice. She represents foreign and domestic corporations involved in high-stakes commercial litigation, with a focus on cross-border disputes.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.

Write A Comment