New York Privacy Law Overview

New York does not yet have a comprehensive consumer privacy law, but it has one of the strongest data-security regimes in the country. The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes affirmative security obligations on any business holding the private information of New York residents and broadens breach-notification duties. A comprehensive bill, the New York Privacy Act, remains pending in the legislature.

Sector-Specific Privacy Laws in New York

The SHIELD Act

The SHIELD Act requires any business that owns or licenses the private information of New York residents to implement reasonable administrative, technical and physical safeguards. It applies regardless of whether the business operates in New York and expands the categories of data and events that trigger breach notification. The Attorney General can seek penalties of up to $5,000 per violation for the data-security requirements and up to $250,000 for notification failures.

NYC Biometric Identifier Law

New York City's biometric ordinance requires commercial establishments that collect biometric identifier information to post conspicuous notice and prohibits selling such data. It includes a private right of action with statutory damages of $500 to $5,000 per violation.

DFS Cybersecurity Regulation (23 NYCRR 500)

Financial institutions licensed by the New York Department of Financial Services must maintain a documented cybersecurity program, conduct risk assessments, and report cybersecurity events — one of the most prescriptive financial-sector privacy regimes in the nation.

Data Breach Notification in New York

New York's breach-notification law (General Business Law § 899-aa, as amended by the SHIELD Act and 2024 amendments) requires notice to affected residents and to three state agencies.

  • Deadline to notify residents: Within 30 days of the breach determination (effective December 21, 2024)
  • Attorney General notice: Notify the NY Attorney General, Department of State and State Police for any breach of New York residents' private information
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Pending Privacy Legislation

The New York Privacy Act (NYPA) would create comprehensive consumer rights similar to California's, including access, deletion and opt-out rights and an opt-in consent model. It has advanced through committee in the State Senate but has not yet passed both chambers as of June 2026. The New York Child Data Protection Act, separately enacted, restricts processing of minors' data by online services.

Federal Privacy Laws That Apply in New York

Even where New York law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Industry-Specific Privacy Requirements in New York

Many New York businesses face privacy obligations that flow from their industry rather than from a single state statute:

Healthcare

Providers, health plans and their vendors must comply with HIPAA and with any state medical-confidentiality rules when handling patient information in New York.

Financial Services

Banks, credit unions, lenders and insurers are subject to the Gramm-Leach-Bliley Act privacy and safeguards rules in addition to New York consumer-protection requirements.

Technology & Online Services

Companies serving users in other states may owe duties under California's CCPA/CPRA and other comprehensive laws even while New York itself has none — making multi-state compliance the practical reality for most online businesses.

Retail

Retailers handling payment-card data must meet PCI DSS contractual standards and New York's breach-notification law if customer information is exposed.

Where to File a Privacy Complaint in New York

New York residents who believe a business has mishandled their personal information can file a complaint with the New York Attorney General, which enforces the state's consumer-protection and data-breach laws. Complaints involving federally regulated data — health, financial, credit or children's information — can also be directed to the Federal Trade Commission or the relevant federal regulator. An attorney can help you assess whether you have a claim and choose the best venue to pursue it.

New York Privacy Law FAQ

Does New York have a law like the California CCPA?
Not yet. New York's protections come from the SHIELD Act (data security and breach notification), sector-specific rules like the DFS cybersecurity regulation, and NYC's biometric ordinance. The comprehensive New York Privacy Act remains pending in the legislature.

What does the SHIELD Act require my business to do?
If you hold private information of New York residents, you must implement reasonable administrative, technical and physical safeguards — designating a security coordinator, assessing risks, training staff, and overseeing vendors — and notify affected residents and state agencies in the event of a breach.

How a New York Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the New York Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a New York Privacy Attorney?

Whether you are a business working toward compliance or a New York resident whose privacy has been violated, our network of New York-licensed attorneys can help.
