7 January 2025

New York Gives Businesses A Package Of Six New Consumer Data Protection Laws To Unwrap During The Holiday Season

Mayer Brown


On December 21, 2024, while many Americans were busy signing holiday cards and exchanging gifts, New York Governor Kathy Hochul was signing six significant pieces of legislation aimed at enhancing online safety and strengthening consumer data protection.[1] This legislative package, which includes privacy and cybersecurity measures, collectively has a broad reach. The laws create new requirements across multiple industries and expand oversight of several state agencies, including the Department of Financial Services and the Attorney General.

According to the New York governor, the holiday timing was strategic. During the holiday season, there is typically an increase in fraudulent activities involving consumer data, so the bills were prioritized to address this heightened risk.[2]

As many were focused on holiday festivities over the past few weeks, we are providing this Legal Update to ensure you are informed about these important legislative developments as you return to the office.

Legislation S2376B/A4737B: Stronger Protections for Medical and Insurance Information Related to Identity Theft [3]

Health information has always been sensitive and protected under certain state and federal laws. However, the theft of health information for fraudulent purposes continues to grow. S2376B/A4737B modifies three areas of law in an effort to combat the fraudulent use of medical information.

  • Enhances protections for medical and health information by modifying portions of the New York Penal Law, New York General Business Law, and New York State Technology Law to provide notice requirements and enforce identity theft penalties on misuse of medical and health information.
  • Expands the definitions related to identity theft in the penal law (including Section 190.77) to encompass medical and health insurance information. Additionally, S2376B/A4737B amends the state data breach notification law (Section 899-AA of the New York General Business Law) to include medical and health information in the definition of "private information," which, if compromised, requires notice to individuals and regulators. The legislation makes similar changes to Subdivision 1 of Section 208 of the State Technology Law.
  • Will be effective 90 days after becoming law, on March 21, 2025. However, effective immediately, the addition, amendment, and/or repeal of any rules or regulations necessary for implementing the legislation is authorized to be made and completed.

Legislation S2659B/A8872A: Modifications to the Notice Requirements for a Data Breach [4]

Previously, NY data breach law required notice to individuals "in the most expedient time possible and without unreasonable delay," without a specific timing requirement.[5] Notices were also required to be made to the state attorney general, the Department of State, and the Division of State Police. With S2659B/A8872A, both the timing for notice and the number of departments to notify have changed.

  • Includes a new timing requirement mandating that businesses notify consumers of a data breach within 30 days.
  • Adds the New York Department of Financial Services to the state agencies that must be notified of a data breach.
  • Is effective immediately.

Legislation S5615/A2833: Requirements for Better Security Features in Devices Procured by State Government [6]

S5615/A2833 imposes new cybersecurity requirements on state agencies.

  • Mandates end point device security for devices procured by the commissioner and state agencies.
  • Amends Section 165 of the State Finance Law by adding new Subdivision 9, which defines "end point device" and requires that certain devices, services, and solutions comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
  • Will be effective 90 days after becoming law, on March 21, 2025.

Legislation S5703B/A1035B: Prohibiting the Use of Social Media Platforms for Debt Collection [7]

S5703B/A1035B limits debt collection activity on social media websites. The stated intent of this law is to limit debt collection efforts to legitimate means.

  • Prohibits the use of social media platforms to collect debt from debtors by amending Section 601 of the New York General Business Law to add Subdivision 12 to the list of prohibited practices.
  • Defines "social media platform" to exclude sites that only provide email or direct messaging while broadly encompassing interactive websites that may not typically be considered social media platforms.
  • Is effective immediately.

Legislation S1759B/A1057C: Requirements for Further Disclosures and Transparency for Online Dating Services [8]

Romance scams alone have created a highly profitable industry for scammers. S1759B/A1057C is intended to limit the risk of these scams by providing more disclosures to users of online dating services in order to educate them.

  • Aims to limit fraud on dating services and enhance transparency to users through new disclosure requirements.
  • Amends Section 394-C of the NY General Business Law to include specific definitions related to online dating services and establishes new requirements and prohibitions for contracts governing social referral services, including contractual and disclosure requirements for online dating services.
  • Will be effective 60 days after becoming law, on February 19, 2025.

Legislation S895B/A6789B: Requirements for Social Media Companies to Update Their Terms of Service Relating to Hate Speech [9]

Following recent trends in legislation governing social media, S895B/A6789B aims to promote further transparency for social media platform users. While many laws focus on website privacy policies, this law focuses on creating more transparency within social media platforms' terms of service.

  • Amends the NY General Business Law by adding Article 42, which mandates required disclosures for social media terms of service, establishes terms of service reporting requirements, outlines violations and remedies, and specifies factors for determining applicability.
  • Requires semi-annual reporting by social media platforms on terms of service and content moderation policies, practices, and detailed statistics on the implementation of content moderation.
  • Will be effective 180 days after becoming law, on June 19, 2025.

Footnotes

1. S2376B, S2659B, S5615, S5703B, S1759B, and S895B.

2. Governor Hochul Signs Online Safety Legislation to Strengthen Protections for the Personal Data of Consumers | Governor Kathy Hochul.

3. S2376B, NY State Assembly Bill 2023-A4737B.

4. S2659B.

5. NYS Open Legislation | NYSenate.gov.

6. S5615.

7. S5703B.

8. S1759B.

9. S895B.


Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
