New York


Law: Please note that this State does not have a general privacy law in effect. You can visit the USA State Law Tracker to monitor the progress of US State bills.

Regulator: The New York State Attorney General ('AG')

Summary: Although New York does not recognise a constitutional or common law right of privacy, privacy is regulated statutorily through the Civil Rights Law. Another important part of New York's legislation is the Stop Hacks and Improve Electronic Data Security Act ('the SHIELD Act'). It was signed into law in July 2019 before fully coming into effect on 21 March 2020, and regulates data breach and data security matters in New York. The SHIELD Act modified existing data breach requirements, established obligations regarding developing security programs, and expanded enforcement capabilities. New York’s State Senate and Assembly have also tried to pass general privacy legislation, but such bills have not yet been successful.


When the New York Department of Financial Services (NYDFS) first promulgated its cybersecurity regulations in March 2017 (the Cybersecurity Regulations), these were widely considered the most prescriptive requirements imposed on financial institutions nationwide.1 The Cybersecurity Regulations aimed to address constantly evolving cyber threats and enhance the financial industry's cybersecurity practices to reflect the reality that the cybersecurity landscape is changing rapidly with the increased sophistication of threat actors, rising prevalence of cyberattacks (including ransomware), higher remediation costs, and the proliferation of cybersecurity solutions and tools.

Moving the bar even further, the NYDFS has enhanced the Cybersecurity Regulations with recent updates announced on November 1, 2023. For those financial institutions subject to the NYDFS Cybersecurity Regulations, understanding the latest changes will be crucial to ensure compliance with these regulatory expectations in the coming years. Kim Phan and Edgar Vargas, from Troutman Pepper Hamilton Sanders LLP, highlight the recent amendments.

In this Insight article, Mark Francis and Sophie Kletzien, from Holland & Knight LLP, delve into New York City's pioneering regulations, making it the first US jurisdiction to govern artificial intelligence's (AI) role in employment decisions.

On 8 November 2021, New York Governor Kathy Hochul signed into law Senate Bill ('SB') 2628, which requires every private-sector employer to provide notice of its electronic monitoring practices to all employees upon hiring, with written or electronic employee acknowledgement, and, more generally, in a 'conspicuous place' viewable by all employees. The law took effect on 7 May 2022. Mark Francis and Sophie Kletzien, from Holland & Knight LLP, summarise the main provisions and implications of SB 2628, while drawing comparisons to other States' laws.

The New York City Council approved, on 10 November 2021, Bill Int 1894-2020 for a Local Law to amend the Administrative Code of the City of New York in relation to automated employment decision tools. Soon after, the bill was automatically enacted without a mayoral signature on 10 December 2021 and is due to take effect in 2023. In particular, the law regulates automated employment decision tools that score, classify, or otherwise make a recommendation that is used to substantially assist or replace the decision-making process of an individual. OneTrust DataGuidance gives an overview of the law, its scope, and main provisions, alongside comments provided by Jessica Lee and Bianca Lewis from Loeb & Loeb LLP.