open-agreements 0.7.7 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (704)
  1. package/LICENSE +201 -21
  2. package/README.de.md +16 -29
  3. package/README.es.md +16 -29
  4. package/README.md +45 -54
  5. package/README.pt-br.md +16 -29
  6. package/README.template.md +19 -25
  7. package/README.zh.md +16 -29
  8. package/content/recipes/nvca-certificate-of-incorporation/fields/acquisition_exception_shares.json +36 -0
  9. package/content/recipes/nvca-certificate-of-incorporation/fields/adjustment_notice_days.json +22 -0
  10. package/content/recipes/nvca-certificate-of-incorporation/fields/common_shares_authorized.json +22 -0
  11. package/content/recipes/nvca-certificate-of-incorporation/fields/company_name.json +29 -0
  12. package/content/recipes/nvca-certificate-of-incorporation/fields/conversion_notice_days.json +22 -0
  13. package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_formula_alt.json +22 -0
  14. package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_rate_per_share.json +22 -0
  15. package/content/recipes/nvca-certificate-of-incorporation/fields/dividend_rate_percent.json +22 -0
  16. package/content/recipes/nvca-certificate-of-incorporation/fields/effective_date.json +22 -0
  17. package/content/recipes/nvca-certificate-of-incorporation/fields/number_of_classes.json +29 -0
  18. package/content/recipes/nvca-certificate-of-incorporation/fields/original_issue_price.json +22 -0
  19. package/content/recipes/nvca-certificate-of-incorporation/fields/par_value.json +36 -0
  20. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_director_seats.json +22 -0
  21. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_authorized.json +22 -0
  22. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_designated_portion.json +29 -0
  23. package/content/recipes/nvca-certificate-of-incorporation/fields/preferred_shares_outstanding_threshold.json +29 -0
  24. package/content/recipes/nvca-certificate-of-incorporation/fields/qualified_financing_notice_days.json +22 -0
  25. package/content/recipes/nvca-certificate-of-incorporation/fields/redemption_interest_rate.json +22 -0
  26. package/content/recipes/nvca-certificate-of-incorporation/fields/redemption_start_date.json +22 -0
  27. package/content/recipes/nvca-certificate-of-incorporation/fields/registered_agent_address.json +22 -0
  28. package/content/recipes/nvca-certificate-of-incorporation/fields/registered_agent_name.json +22 -0
  29. package/content/recipes/nvca-certificate-of-incorporation/fields/series_designation.json +22 -0
  30. package/content/recipes/nvca-certificate-of-incorporation/fields/signature_page_marker.json +22 -0
  31. package/content/recipes/nvca-certificate-of-incorporation/fields/specify_percentage.json +22 -0
  32. package/content/recipes/nvca-certificate-of-incorporation/fields/strategic_partnership_exception_shares.json +22 -0
  33. package/content/recipes/nvca-certificate-of-incorporation/fields/time_zone.json +22 -0
  34. package/content/recipes/nvca-certificate-of-incorporation/fields/total_authorized_shares.json +22 -0
  35. package/content/recipes/nvca-certificate-of-incorporation/template-manifest.json +77 -0
  36. package/content/recipes/nvca-stock-purchase-agreement/fields/agreement_date_month_day.json +27 -0
  37. package/content/recipes/nvca-stock-purchase-agreement/fields/agreement_year_two_digits.json +27 -0
  38. package/content/recipes/nvca-stock-purchase-agreement/fields/company_name.json +25 -0
  39. package/content/recipes/nvca-stock-purchase-agreement/fields/investor_counsel.json +27 -0
  40. package/content/recipes/nvca-stock-purchase-agreement/fields/minimum_shares_initial_closing.json +39 -0
  41. package/content/recipes/nvca-stock-purchase-agreement/fields/optional_plural_suffix.json +27 -0
  42. package/content/recipes/nvca-stock-purchase-agreement/fields/par_value_per_share.json +28 -0
  43. package/content/recipes/nvca-stock-purchase-agreement/fields/purchase_price_per_share.json +28 -0
  44. package/content/recipes/nvca-stock-purchase-agreement/fields/series_designation.json +159 -0
  45. package/content/recipes/nvca-stock-purchase-agreement/metadata.yaml +1 -1
  46. package/content/recipes/nvca-stock-purchase-agreement/template-manifest.json +24 -0
  47. package/content/templates/bonterms-mutual-nda/template.docx +0 -0
  48. package/content/templates/openagreements-board-consent-safe/.template.generated.json +0 -1
  49. package/content/templates/openagreements-employee-ip-inventions-assignment/.template.generated.json +9 -5
  50. package/content/templates/openagreements-employee-ip-inventions-assignment/README.md +2 -0
  51. package/content/templates/openagreements-employee-ip-inventions-assignment/metadata.yaml +8 -9
  52. package/content/templates/openagreements-employee-ip-inventions-assignment/template.docx +0 -0
  53. package/content/templates/openagreements-employee-ip-inventions-assignment/template.md +3 -4
  54. package/content/templates/openagreements-employment-confidentiality-acknowledgement/metadata.yaml +0 -9
  55. package/content/templates/openagreements-employment-confidentiality-acknowledgement/template.docx +0 -0
  56. package/content/templates/openagreements-employment-confidentiality-acknowledgement/template.json +0 -1
  57. package/content/templates/openagreements-employment-offer-letter/.template.generated.json +9 -5
  58. package/content/templates/openagreements-employment-offer-letter/README.md +17 -5
  59. package/content/templates/openagreements-employment-offer-letter/metadata.yaml +8 -9
  60. package/content/templates/openagreements-employment-offer-letter/template.docx +0 -0
  61. package/content/templates/openagreements-employment-offer-letter/template.md +3 -4
  62. package/content/templates/openagreements-restrictive-covenant-florida/.template.generated.json +9 -5
  63. package/content/templates/openagreements-restrictive-covenant-florida/README.md +2 -2
  64. package/content/templates/openagreements-restrictive-covenant-florida/metadata.yaml +10 -12
  65. package/content/templates/openagreements-restrictive-covenant-florida/template.docx +0 -0
  66. package/content/templates/openagreements-restrictive-covenant-florida/template.md +3 -4
  67. package/content/templates/openagreements-restrictive-covenant-wyoming/.template.generated.json +9 -5
  68. package/content/templates/openagreements-restrictive-covenant-wyoming/metadata.yaml +10 -12
  69. package/content/templates/openagreements-restrictive-covenant-wyoming/template.docx +0 -0
  70. package/content/templates/openagreements-restrictive-covenant-wyoming/template.md +3 -4
  71. package/content/templates/openagreements-stockholder-consent-safe/.template.generated.json +0 -1
  72. package/dist/core/checklist/format-checklist-docx.d.ts.map +1 -1
  73. package/dist/core/checklist/format-checklist-docx.js +4 -1
  74. package/dist/core/checklist/format-checklist-docx.js.map +1 -1
  75. package/dist/core/engine.d.ts.map +1 -1
  76. package/dist/core/engine.js +2 -40
  77. package/dist/core/engine.js.map +1 -1
  78. package/dist/core/fill-pipeline.d.ts +0 -8
  79. package/dist/core/fill-pipeline.d.ts.map +1 -1
  80. package/dist/core/fill-pipeline.js +54 -30
  81. package/dist/core/fill-pipeline.js.map +1 -1
  82. package/dist/core/humanize-docx.d.ts.map +1 -1
  83. package/dist/core/humanize-docx.js +16 -6
  84. package/dist/core/humanize-docx.js.map +1 -1
  85. package/dist/core/recipe/bracket-normalizer.d.ts.map +1 -1
  86. package/dist/core/recipe/bracket-normalizer.js +3 -7
  87. package/dist/core/recipe/bracket-normalizer.js.map +1 -1
  88. package/dist/core/recipe/cleaner.js +5 -5
  89. package/dist/core/recipe/cleaner.js.map +1 -1
  90. package/dist/core/recipe/index.d.ts +1 -1
  91. package/dist/core/recipe/index.d.ts.map +1 -1
  92. package/dist/core/recipe/index.js +57 -4
  93. package/dist/core/recipe/index.js.map +1 -1
  94. package/dist/core/recipe/ooxml-parts.d.ts +11 -0
  95. package/dist/core/recipe/ooxml-parts.d.ts.map +1 -1
  96. package/dist/core/recipe/ooxml-parts.js +22 -0
  97. package/dist/core/recipe/ooxml-parts.js.map +1 -1
  98. package/dist/core/recipe/patcher.d.ts.map +1 -1
  99. package/dist/core/recipe/patcher.js +2 -5
  100. package/dist/core/recipe/patcher.js.map +1 -1
  101. package/dist/core/recipe/source-drift.d.ts +19 -0
  102. package/dist/core/recipe/source-drift.d.ts.map +1 -1
  103. package/dist/core/recipe/source-drift.js +32 -2
  104. package/dist/core/recipe/source-drift.js.map +1 -1
  105. package/dist/core/selector.d.ts.map +1 -1
  106. package/dist/core/selector.js +49 -4
  107. package/dist/core/selector.js.map +1 -1
  108. package/dist/core/selectors/index.d.ts +40 -0
  109. package/dist/core/selectors/index.d.ts.map +1 -0
  110. package/dist/core/selectors/index.js +64 -0
  111. package/dist/core/selectors/index.js.map +1 -0
  112. package/dist/core/selectors/loader.d.ts +16 -0
  113. package/dist/core/selectors/loader.d.ts.map +1 -0
  114. package/dist/core/selectors/loader.js +80 -0
  115. package/dist/core/selectors/loader.js.map +1 -0
  116. package/dist/core/selectors/manifest-schema.d.ts +123 -0
  117. package/dist/core/selectors/manifest-schema.d.ts.map +1 -0
  118. package/dist/core/selectors/manifest-schema.js +93 -0
  119. package/dist/core/selectors/manifest-schema.js.map +1 -0
  120. package/dist/core/selectors/patch.d.ts +24 -0
  121. package/dist/core/selectors/patch.d.ts.map +1 -0
  122. package/dist/core/selectors/patch.js +68 -0
  123. package/dist/core/selectors/patch.js.map +1 -0
  124. package/dist/core/selectors/postconditions.d.ts +24 -0
  125. package/dist/core/selectors/postconditions.d.ts.map +1 -0
  126. package/dist/core/selectors/postconditions.js +50 -0
  127. package/dist/core/selectors/postconditions.js.map +1 -0
  128. package/dist/core/selectors/resolve.d.ts +32 -0
  129. package/dist/core/selectors/resolve.d.ts.map +1 -0
  130. package/dist/core/selectors/resolve.js +36 -0
  131. package/dist/core/selectors/resolve.js.map +1 -0
  132. package/dist/core/unified-pipeline.d.ts +3 -1
  133. package/dist/core/unified-pipeline.d.ts.map +1 -1
  134. package/dist/core/unified-pipeline.js +19 -5
  135. package/dist/core/unified-pipeline.js.map +1 -1
  136. package/gemini-extension.json +1 -1
  137. package/node_modules/@usejunior/docx-core/LICENSE +202 -21
  138. package/node_modules/@usejunior/docx-core/NOTICE +2 -0
  139. package/node_modules/@usejunior/docx-core/README.md +2 -2
  140. package/node_modules/@usejunior/docx-core/dist/.tsbuildinfo +1 -1
  141. package/node_modules/@usejunior/docx-core/dist/atomizer.d.ts +55 -0
  142. package/node_modules/@usejunior/docx-core/dist/atomizer.d.ts.map +1 -1
  143. package/node_modules/@usejunior/docx-core/dist/atomizer.js +139 -14
  144. package/node_modules/@usejunior/docx-core/dist/atomizer.js.map +1 -1
  145. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.d.ts +99 -0
  146. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.d.ts.map +1 -0
  147. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.js +415 -0
  148. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/auxiliaryIdCollision.js.map +1 -0
  149. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.d.ts.map +1 -1
  150. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.js +403 -113
  151. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/documentReconstructor.js.map +1 -1
  152. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.d.ts +99 -0
  153. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.d.ts.map +1 -0
  154. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.js +449 -0
  155. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/formattingFidelity.js.map +1 -0
  156. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.d.ts +37 -0
  157. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.d.ts.map +1 -0
  158. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.js +189 -0
  159. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-bookmarks.js.map +1 -0
  160. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.d.ts +74 -0
  161. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.d.ts.map +1 -0
  162. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.js +171 -0
  163. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-containers.js.map +1 -0
  164. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.d.ts +88 -0
  165. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.d.ts.map +1 -0
  166. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.js +326 -0
  167. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-deletion.js.map +1 -0
  168. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.d.ts +85 -0
  169. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.d.ts.map +1 -0
  170. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.js +402 -0
  171. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-postprocess.js.map +1 -0
  172. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.d.ts +39 -0
  173. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.d.ts.map +1 -0
  174. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.js +265 -0
  175. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-presplit.js.map +1 -0
  176. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.d.ts +62 -0
  177. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.d.ts.map +1 -0
  178. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.js +139 -0
  179. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-shared.js.map +1 -0
  180. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.d.ts +198 -0
  181. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.d.ts.map +1 -0
  182. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.js +475 -0
  183. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier-wrappers.js.map +1 -0
  184. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.d.ts +6 -290
  185. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.d.ts.map +1 -1
  186. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.js +23 -1828
  187. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/inPlaceModifier.js.map +1 -1
  188. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.d.ts +36 -2
  189. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.d.ts.map +1 -1
  190. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.js +456 -224
  191. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/pipeline.js.map +1 -1
  192. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.d.ts.map +1 -1
  193. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.js +199 -173
  194. package/node_modules/@usejunior/docx-core/dist/baselines/atomizer/trackChangesAcceptorAst.js.map +1 -1
  195. package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.d.ts.map +1 -1
  196. package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.js +7 -0
  197. package/node_modules/@usejunior/docx-core/dist/baselines/wmlcomparer/DotnetCli.js.map +1 -1
  198. package/node_modules/@usejunior/docx-core/dist/cli/compare-two.d.ts.map +1 -1
  199. package/node_modules/@usejunior/docx-core/dist/cli/compare-two.js +3 -1
  200. package/node_modules/@usejunior/docx-core/dist/cli/compare-two.js.map +1 -1
  201. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.d.ts +3 -0
  202. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.d.ts.map +1 -0
  203. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.js +93 -0
  204. package/node_modules/@usejunior/docx-core/dist/cli/conformance-adapter.js.map +1 -0
  205. package/node_modules/@usejunior/docx-core/dist/cli/index.d.ts.map +1 -1
  206. package/node_modules/@usejunior/docx-core/dist/cli/index.js +5 -1
  207. package/node_modules/@usejunior/docx-core/dist/cli/index.js.map +1 -1
  208. package/node_modules/@usejunior/docx-core/dist/compare-types.d.ts +197 -0
  209. package/node_modules/@usejunior/docx-core/dist/compare-types.d.ts.map +1 -0
  210. package/node_modules/@usejunior/docx-core/dist/compare-types.js +2 -0
  211. package/node_modules/@usejunior/docx-core/dist/compare-types.js.map +1 -0
  212. package/node_modules/@usejunior/docx-core/dist/core-types.d.ts +5 -1
  213. package/node_modules/@usejunior/docx-core/dist/core-types.d.ts.map +1 -1
  214. package/node_modules/@usejunior/docx-core/dist/core-types.js +5 -1
  215. package/node_modules/@usejunior/docx-core/dist/core-types.js.map +1 -1
  216. package/node_modules/@usejunior/docx-core/dist/footnotes.d.ts +8 -3
  217. package/node_modules/@usejunior/docx-core/dist/footnotes.d.ts.map +1 -1
  218. package/node_modules/@usejunior/docx-core/dist/footnotes.js +8 -3
  219. package/node_modules/@usejunior/docx-core/dist/footnotes.js.map +1 -1
  220. package/node_modules/@usejunior/docx-core/dist/generation/compile.d.ts +22 -0
  221. package/node_modules/@usejunior/docx-core/dist/generation/compile.d.ts.map +1 -0
  222. package/node_modules/@usejunior/docx-core/dist/generation/compile.js +58 -0
  223. package/node_modules/@usejunior/docx-core/dist/generation/compile.js.map +1 -0
  224. package/node_modules/@usejunior/docx-core/dist/generation/context.d.ts +42 -0
  225. package/node_modules/@usejunior/docx-core/dist/generation/context.d.ts.map +1 -0
  226. package/node_modules/@usejunior/docx-core/dist/generation/context.js +65 -0
  227. package/node_modules/@usejunior/docx-core/dist/generation/context.js.map +1 -0
  228. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.d.ts +36 -0
  229. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.d.ts.map +1 -0
  230. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.js +116 -0
  231. package/node_modules/@usejunior/docx-core/dist/generation/emit/comments-part.js.map +1 -0
  232. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.d.ts +24 -0
  233. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.d.ts.map +1 -0
  234. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.js +60 -0
  235. package/node_modules/@usejunior/docx-core/dist/generation/emit/document-part.js.map +1 -0
  236. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.d.ts +28 -0
  237. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.d.ts.map +1 -0
  238. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.js +19 -0
  239. package/node_modules/@usejunior/docx-core/dist/generation/emit/emit-context.js.map +1 -0
  240. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.d.ts +16 -0
  241. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.d.ts.map +1 -0
  242. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.js +74 -0
  243. package/node_modules/@usejunior/docx-core/dist/generation/emit/font-table-part.js.map +1 -0
  244. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.d.ts +23 -0
  245. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.d.ts.map +1 -0
  246. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.js +57 -0
  247. package/node_modules/@usejunior/docx-core/dist/generation/emit/header-footer-part.js.map +1 -0
  248. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.d.ts +29 -0
  249. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.d.ts.map +1 -0
  250. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.js +102 -0
  251. package/node_modules/@usejunior/docx-core/dist/generation/emit/numbering-part.js.map +1 -0
  252. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.d.ts +24 -0
  253. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.d.ts.map +1 -0
  254. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.js +121 -0
  255. package/node_modules/@usejunior/docx-core/dist/generation/emit/package-parts.js.map +1 -0
  256. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.d.ts +24 -0
  257. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.d.ts.map +1 -0
  258. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.js +63 -0
  259. package/node_modules/@usejunior/docx-core/dist/generation/emit/paragraph.js.map +1 -0
  260. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.d.ts +36 -0
  261. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.d.ts.map +1 -0
  262. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.js +157 -0
  263. package/node_modules/@usejunior/docx-core/dist/generation/emit/properties.js.map +1 -0
  264. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.d.ts +16 -0
  265. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.d.ts.map +1 -0
  266. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.js +71 -0
  267. package/node_modules/@usejunior/docx-core/dist/generation/emit/run.js.map +1 -0
  268. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.d.ts +29 -0
  269. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.d.ts.map +1 -0
  270. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.js +117 -0
  271. package/node_modules/@usejunior/docx-core/dist/generation/emit/section.js.map +1 -0
  272. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.d.ts +13 -0
  273. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.d.ts.map +1 -0
  274. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.js +68 -0
  275. package/node_modules/@usejunior/docx-core/dist/generation/emit/settings-part.js.map +1 -0
  276. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.d.ts +16 -0
  277. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.d.ts.map +1 -0
  278. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.js +82 -0
  279. package/node_modules/@usejunior/docx-core/dist/generation/emit/styles-part.js.map +1 -0
  280. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.d.ts +26 -0
  281. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.d.ts.map +1 -0
  282. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.js +209 -0
  283. package/node_modules/@usejunior/docx-core/dist/generation/emit/table.js.map +1 -0
  284. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.d.ts +21 -0
  285. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.d.ts.map +1 -0
  286. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.js +151 -0
  287. package/node_modules/@usejunior/docx-core/dist/generation/emit/theme-part.js.map +1 -0
  288. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.d.ts +12 -0
  289. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.d.ts.map +1 -0
  290. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.js +19 -0
  291. package/node_modules/@usejunior/docx-core/dist/generation/emit/web-settings-part.js.map +1 -0
  292. package/node_modules/@usejunior/docx-core/dist/generation/errors.d.ts +22 -0
  293. package/node_modules/@usejunior/docx-core/dist/generation/errors.d.ts.map +1 -0
  294. package/node_modules/@usejunior/docx-core/dist/generation/errors.js +29 -0
  295. package/node_modules/@usejunior/docx-core/dist/generation/errors.js.map +1 -0
  296. package/node_modules/@usejunior/docx-core/dist/generation/index.d.ts +13 -0
  297. package/node_modules/@usejunior/docx-core/dist/generation/index.d.ts.map +1 -0
  298. package/node_modules/@usejunior/docx-core/dist/generation/index.js +12 -0
  299. package/node_modules/@usejunior/docx-core/dist/generation/index.js.map +1 -0
  300. package/node_modules/@usejunior/docx-core/dist/generation/ordering.d.ts +46 -0
  301. package/node_modules/@usejunior/docx-core/dist/generation/ordering.d.ts.map +1 -0
  302. package/node_modules/@usejunior/docx-core/dist/generation/ordering.js +119 -0
  303. package/node_modules/@usejunior/docx-core/dist/generation/ordering.js.map +1 -0
  304. package/node_modules/@usejunior/docx-core/dist/generation/recipes.d.ts +87 -0
  305. package/node_modules/@usejunior/docx-core/dist/generation/recipes.d.ts.map +1 -0
  306. package/node_modules/@usejunior/docx-core/dist/generation/recipes.js +232 -0
  307. package/node_modules/@usejunior/docx-core/dist/generation/recipes.js.map +1 -0
  308. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.d.ts +24 -0
  309. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.d.ts.map +1 -0
  310. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.js +318 -0
  311. package/node_modules/@usejunior/docx-core/dist/generation/structural-checks.js.map +1 -0
  312. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.d.ts +4 -0
  313. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.d.ts.map +1 -0
  314. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.js +18 -0
  315. package/node_modules/@usejunior/docx-core/dist/generation/theme-colors.js.map +1 -0
  316. package/node_modules/@usejunior/docx-core/dist/generation/types.d.ts +266 -0
  317. package/node_modules/@usejunior/docx-core/dist/generation/types.d.ts.map +1 -0
  318. package/node_modules/@usejunior/docx-core/dist/generation/types.js +63 -0
  319. package/node_modules/@usejunior/docx-core/dist/generation/types.js.map +1 -0
  320. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.d.ts +27 -0
  321. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.d.ts.map +1 -0
  322. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.js +363 -0
  323. package/node_modules/@usejunior/docx-core/dist/generation/validate-spec.js.map +1 -0
  324. package/node_modules/@usejunior/docx-core/dist/index.d.ts +9 -150
  325. package/node_modules/@usejunior/docx-core/dist/index.d.ts.map +1 -1
  326. package/node_modules/@usejunior/docx-core/dist/index.js +14 -0
  327. package/node_modules/@usejunior/docx-core/dist/index.js.map +1 -1
  328. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.d.ts +15 -0
  329. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.d.ts.map +1 -0
  330. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.js +84 -0
  331. package/node_modules/@usejunior/docx-core/dist/integration/generation-probes.js.map +1 -0
  332. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.d.ts +49 -0
  333. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.d.ts.map +1 -0
  334. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.js +290 -0
  335. package/node_modules/@usejunior/docx-core/dist/integration/libreoffice-oracle.js.map +1 -0
  336. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.d.ts +134 -0
  337. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.d.ts.map +1 -0
  338. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.js +298 -0
  339. package/node_modules/@usejunior/docx-core/dist/integration/synthetic-docx-fixture.js.map +1 -0
  340. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.d.ts +4 -3
  341. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.d.ts.map +1 -1
  342. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.js +163 -77
  343. package/node_modules/@usejunior/docx-core/dist/primitives/accept_changes.js.map +1 -1
  344. package/node_modules/@usejunior/docx-core/dist/primitives/comments.d.ts +12 -3
  345. package/node_modules/@usejunior/docx-core/dist/primitives/comments.d.ts.map +1 -1
  346. package/node_modules/@usejunior/docx-core/dist/primitives/comments.js +374 -97
  347. package/node_modules/@usejunior/docx-core/dist/primitives/comments.js.map +1 -1
  348. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.d.ts +29 -0
  349. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.d.ts.map +1 -0
  350. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.js +63 -0
  351. package/node_modules/@usejunior/docx-core/dist/primitives/content_fingerprint.js.map +1 -0
  352. package/node_modules/@usejunior/docx-core/dist/primitives/document.d.ts +94 -15
  353. package/node_modules/@usejunior/docx-core/dist/primitives/document.d.ts.map +1 -1
  354. package/node_modules/@usejunior/docx-core/dist/primitives/document.js +377 -234
  355. package/node_modules/@usejunior/docx-core/dist/primitives/document.js.map +1 -1
  356. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.d.ts +18 -0
  357. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.d.ts.map +1 -0
  358. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.js +160 -0
  359. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-comments.js.map +1 -0
  360. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.d.ts +45 -0
  361. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.d.ts.map +1 -0
  362. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.js +247 -0
  363. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-headings.js.map +1 -0
  364. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.d.ts +11 -0
  365. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.d.ts.map +1 -0
  366. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.js +104 -0
  367. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-styles.js.map +1 -0
  368. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.d.ts +37 -0
  369. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.d.ts.map +1 -0
  370. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.js +199 -0
  371. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-toon.js.map +1 -0
  372. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.d.ts +165 -0
  373. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.d.ts.map +1 -0
  374. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.js +2 -0
  375. package/node_modules/@usejunior/docx-core/dist/primitives/document_view-types.js.map +1 -0
  376. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.d.ts +50 -101
  377. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.d.ts.map +1 -1
  378. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.js +287 -326
  379. package/node_modules/@usejunior/docx-core/dist/primitives/document_view.js.map +1 -1
  380. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.d.ts +9 -0
  381. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.d.ts.map +1 -1
  382. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.js +10 -1
  383. package/node_modules/@usejunior/docx-core/dist/primitives/dom-helpers.js.map +1 -1
  384. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.d.ts +4 -3
  385. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.d.ts.map +1 -1
  386. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.js +232 -44
  387. package/node_modules/@usejunior/docx-core/dist/primitives/footnotes.js.map +1 -1
  388. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.d.ts +7 -0
  389. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.d.ts.map +1 -1
  390. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.js +22 -11
  391. package/node_modules/@usejunior/docx-core/dist/primitives/formatting_tags.js.map +1 -1
  392. package/node_modules/@usejunior/docx-core/dist/primitives/index.d.ts +12 -0
  393. package/node_modules/@usejunior/docx-core/dist/primitives/index.d.ts.map +1 -1
  394. package/node_modules/@usejunior/docx-core/dist/primitives/index.js +11 -0
  395. package/node_modules/@usejunior/docx-core/dist/primitives/index.js.map +1 -1
  396. package/node_modules/@usejunior/docx-core/dist/primitives/layout.d.ts +4 -3
  397. package/node_modules/@usejunior/docx-core/dist/primitives/layout.d.ts.map +1 -1
  398. package/node_modules/@usejunior/docx-core/dist/primitives/layout.js +45 -3
  399. package/node_modules/@usejunior/docx-core/dist/primitives/layout.js.map +1 -1
  400. package/node_modules/@usejunior/docx-core/dist/primitives/locator.d.ts +76 -0
  401. package/node_modules/@usejunior/docx-core/dist/primitives/locator.d.ts.map +1 -0
  402. package/node_modules/@usejunior/docx-core/dist/primitives/locator.js +223 -0
  403. package/node_modules/@usejunior/docx-core/dist/primitives/locator.js.map +1 -0
  404. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.d.ts +21 -3
  405. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.d.ts.map +1 -1
  406. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.js +32 -10
  407. package/node_modules/@usejunior/docx-core/dist/primitives/merge_runs.js.map +1 -1
  408. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.d.ts +38 -0
  409. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.d.ts.map +1 -0
  410. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.js +323 -0
  411. package/node_modules/@usejunior/docx-core/dist/primitives/minimal_save.js.map +1 -0
  412. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.d.ts +53 -0
  413. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.d.ts.map +1 -1
  414. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.js +59 -0
  415. package/node_modules/@usejunior/docx-core/dist/primitives/namespaces.js.map +1 -1
  416. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.d.ts +6 -4
  417. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.d.ts.map +1 -1
  418. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.js +187 -91
  419. package/node_modules/@usejunior/docx-core/dist/primitives/reject_changes.js.map +1 -1
  420. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.d.ts +7 -0
  421. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.d.ts.map +1 -0
  422. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.js +27 -0
  423. package/node_modules/@usejunior/docx-core/dist/primitives/revision-parts.js.map +1 -0
  424. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.d.ts +7 -0
  425. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.d.ts.map +1 -0
  426. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.js +39 -0
  427. package/node_modules/@usejunior/docx-core/dist/primitives/revision-vocabulary.js.map +1 -0
  428. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.d.ts +19 -0
  429. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.d.ts.map +1 -0
  430. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.js +29 -0
  431. package/node_modules/@usejunior/docx-core/dist/primitives/schema-corpus-capture.js.map +1 -0
  432. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.d.ts +19 -0
  433. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.d.ts.map +1 -0
  434. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.js +165 -0
  435. package/node_modules/@usejunior/docx-core/dist/primitives/sectPrAudit.js.map +1 -0
  436. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.d.ts +7 -0
  437. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.d.ts.map +1 -1
  438. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.js +23 -4
  439. package/node_modules/@usejunior/docx-core/dist/primitives/semantic_tags.js.map +1 -1
  440. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.d.ts +37 -0
  441. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.d.ts.map +1 -0
  442. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.js +395 -0
  443. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_html.js.map +1 -0
  444. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.d.ts +16 -0
  445. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.d.ts.map +1 -0
  446. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.js +300 -0
  447. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_markdown.js.map +1 -0
  448. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.d.ts +15 -0
  449. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.d.ts.map +1 -0
  450. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.js +154 -0
  451. package/node_modules/@usejunior/docx-core/dist/primitives/serialize_plaintext.js.map +1 -0
  452. package/node_modules/@usejunior/docx-core/dist/primitives/styles.d.ts +15 -0
  453. package/node_modules/@usejunior/docx-core/dist/primitives/styles.d.ts.map +1 -1
  454. package/node_modules/@usejunior/docx-core/dist/primitives/styles.js +33 -22
  455. package/node_modules/@usejunior/docx-core/dist/primitives/styles.js.map +1 -1
  456. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.d.ts +19 -0
  457. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.d.ts.map +1 -0
  458. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.js +189 -0
  459. package/node_modules/@usejunior/docx-core/dist/primitives/table_context.js.map +1 -0
  460. package/node_modules/@usejunior/docx-core/dist/primitives/tables.d.ts.map +1 -1
  461. package/node_modules/@usejunior/docx-core/dist/primitives/tables.js +13 -3
  462. package/node_modules/@usejunior/docx-core/dist/primitives/tables.js.map +1 -1
  463. package/node_modules/@usejunior/docx-core/dist/primitives/text.d.ts +2 -1
  464. package/node_modules/@usejunior/docx-core/dist/primitives/text.d.ts.map +1 -1
  465. package/node_modules/@usejunior/docx-core/dist/primitives/text.js +116 -12
  466. package/node_modules/@usejunior/docx-core/dist/primitives/text.js.map +1 -1
  467. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.d.ts +148 -0
  468. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.d.ts.map +1 -0
  469. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.js +291 -0
  470. package/node_modules/@usejunior/docx-core/dist/primitives/track-changes-emitter.js.map +1 -0
  471. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.d.ts +35 -0
  472. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.d.ts.map +1 -0
  473. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.js +323 -0
  474. package/node_modules/@usejunior/docx-core/dist/primitives/validate_ai_revisions.js.map +1 -0
  475. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.d.ts +29 -0
  476. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.d.ts.map +1 -0
  477. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.js +35 -0
  478. package/node_modules/@usejunior/docx-core/dist/primitives/xml-helpers.js.map +1 -0
  479. package/node_modules/@usejunior/docx-core/dist/primitives/xml.d.ts +5 -0
  480. package/node_modules/@usejunior/docx-core/dist/primitives/xml.d.ts.map +1 -1
  481. package/node_modules/@usejunior/docx-core/dist/primitives/xml.js +5 -0
  482. package/node_modules/@usejunior/docx-core/dist/primitives/xml.js.map +1 -1
  483. package/node_modules/@usejunior/docx-core/dist/primitives/zip.d.ts +1 -0
  484. package/node_modules/@usejunior/docx-core/dist/primitives/zip.d.ts.map +1 -1
  485. package/node_modules/@usejunior/docx-core/dist/primitives/zip.js +21 -3
  486. package/node_modules/@usejunior/docx-core/dist/primitives/zip.js.map +1 -1
  487. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.d.ts +14 -0
  488. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.d.ts.map +1 -0
  489. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.js +166 -0
  490. package/node_modules/@usejunior/docx-core/dist/shared/field-structure.js.map +1 -0
  491. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.d.ts +4 -1
  492. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.d.ts.map +1 -1
  493. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.js +4 -1
  494. package/node_modules/@usejunior/docx-core/dist/shared/ooxml/namespaces.js.map +1 -1
  495. package/node_modules/@usejunior/docx-core/package.json +13 -9
  496. package/node_modules/@xmldom/xmldom/CHANGELOG.md +186 -70
  497. package/node_modules/@xmldom/xmldom/index.d.ts +144 -19
  498. package/node_modules/@xmldom/xmldom/lib/dom.js +705 -343
  499. package/node_modules/@xmldom/xmldom/lib/grammar.js +14 -0
  500. package/node_modules/@xmldom/xmldom/package.json +13 -10
  501. package/package.json +7 -7
  502. package/server.json +3 -3
  503. package/skills/{cloud-service-agreement → agreements/cloud-service-agreement}/SKILL.md +2 -2
  504. package/skills/{nda → agreements/cloud-service-agreement}/template-filling-execution.md +2 -2
  505. package/skills/{data-privacy-agreement → agreements/data-privacy-agreement}/SKILL.md +15 -4
  506. package/skills/{safe → agreements/data-privacy-agreement}/template-filling-execution.md +12 -6
  507. package/skills/{employment-contract → agreements/employment-contract}/SKILL.md +3 -3
  508. package/skills/{cloud-service-agreement → agreements/employment-contract}/template-filling-execution.md +12 -6
  509. package/skills/{nda → agreements/nda}/SKILL.md +2 -2
  510. package/skills/{open-agreements → agreements/nda}/template-filling-execution.md +12 -6
  511. package/skills/{open-agreements → agreements/open-agreements}/SKILL.md +13 -30
  512. package/skills/agreements/open-agreements/template-filling-execution.md +98 -0
  513. package/skills/{safe → agreements/safe}/SKILL.md +2 -2
  514. package/skills/agreements/safe/template-filling-execution.md +98 -0
  515. package/skills/{services-agreement → agreements/services-agreement}/SKILL.md +3 -3
  516. package/skills/agreements/services-agreement/template-filling-execution.md +98 -0
  517. package/skills/{venture-financing → agreements/venture-financing}/SKILL.md +3 -3
  518. package/skills/agreements/venture-financing/template-filling-execution.md +98 -0
  519. package/skills/{client-email → client-workflows/client-email}/SKILL.md +1 -1
  520. package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/SKILL.md +1 -1
  521. package/skills/{edit-docx-agreement → client-workflows/edit-docx-agreement}/SKILL.md +1 -1
  522. package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/SKILL.md +1 -1
  523. package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/SKILL.md +1 -1
  524. package/skills/{soc2-readiness → compliance/soc2-readiness}/SKILL.md +1 -1
  525. package/skills/{canonical-markdown-authoring → internal/canonical-markdown-authoring}/SKILL.md +2 -3
  526. package/skills/{recipe-quality-audit → internal/recipe-quality-audit}/SKILL.md +2 -1
  527. package/skills/{unit-test-philosophy → internal/unit-test-philosophy}/SKILL.md +2 -0
  528. package/skills/legal-explainers/data-privacy-law-explainer/CONTRIBUTING.md +7 -0
  529. package/skills/legal-explainers/data-privacy-law-explainer/LICENSE +269 -0
  530. package/skills/legal-explainers/data-privacy-law-explainer/NOTICE +7 -0
  531. package/skills/legal-explainers/data-privacy-law-explainer/SKILL.md +113 -0
  532. package/skills/legal-explainers/data-privacy-law-explainer/content/alabama.md +211 -0
  533. package/skills/legal-explainers/data-privacy-law-explainer/content/alaska.md +155 -0
  534. package/skills/legal-explainers/data-privacy-law-explainer/content/arizona.md +181 -0
  535. package/skills/legal-explainers/data-privacy-law-explainer/content/arkansas.md +219 -0
  536. package/skills/legal-explainers/data-privacy-law-explainer/content/california.md +107 -0
  537. package/skills/legal-explainers/data-privacy-law-explainer/content/colorado.md +87 -0
  538. package/skills/legal-explainers/data-privacy-law-explainer/content/connecticut.md +83 -0
  539. package/skills/legal-explainers/data-privacy-law-explainer/content/delaware.md +85 -0
  540. package/skills/legal-explainers/data-privacy-law-explainer/content/district-of-columbia.md +153 -0
  541. package/skills/legal-explainers/data-privacy-law-explainer/content/florida.md +234 -0
  542. package/skills/legal-explainers/data-privacy-law-explainer/content/georgia.md +149 -0
  543. package/skills/legal-explainers/data-privacy-law-explainer/content/hawaii.md +167 -0
  544. package/skills/legal-explainers/data-privacy-law-explainer/content/idaho.md +149 -0
  545. package/skills/legal-explainers/data-privacy-law-explainer/content/illinois.md +238 -0
  546. package/skills/legal-explainers/data-privacy-law-explainer/content/indiana.md +93 -0
  547. package/skills/legal-explainers/data-privacy-law-explainer/content/iowa.md +99 -0
  548. package/skills/legal-explainers/data-privacy-law-explainer/content/kansas.md +155 -0
  549. package/skills/legal-explainers/data-privacy-law-explainer/content/kentucky.md +87 -0
  550. package/skills/legal-explainers/data-privacy-law-explainer/content/louisiana.md +209 -0
  551. package/skills/legal-explainers/data-privacy-law-explainer/content/maine.md +163 -0
  552. package/skills/legal-explainers/data-privacy-law-explainer/content/maryland.md +85 -0
  553. package/skills/legal-explainers/data-privacy-law-explainer/content/massachusetts.md +260 -0
  554. package/skills/legal-explainers/data-privacy-law-explainer/content/michigan.md +175 -0
  555. package/skills/legal-explainers/data-privacy-law-explainer/content/minnesota.md +93 -0
  556. package/skills/legal-explainers/data-privacy-law-explainer/content/mississippi.md +132 -0
  557. package/skills/legal-explainers/data-privacy-law-explainer/content/missouri.md +179 -0
  558. package/skills/legal-explainers/data-privacy-law-explainer/content/montana.md +105 -0
  559. package/skills/legal-explainers/data-privacy-law-explainer/content/nebraska.md +83 -0
  560. package/skills/legal-explainers/data-privacy-law-explainer/content/nevada.md +212 -0
  561. package/skills/legal-explainers/data-privacy-law-explainer/content/new-hampshire.md +91 -0
  562. package/skills/legal-explainers/data-privacy-law-explainer/content/new-jersey.md +95 -0
  563. package/skills/legal-explainers/data-privacy-law-explainer/content/new-mexico.md +174 -0
  564. package/skills/legal-explainers/data-privacy-law-explainer/content/new-york.md +195 -0
  565. package/skills/legal-explainers/data-privacy-law-explainer/content/north-carolina.md +205 -0
  566. package/skills/legal-explainers/data-privacy-law-explainer/content/north-dakota.md +169 -0
  567. package/skills/legal-explainers/data-privacy-law-explainer/content/ohio.md +171 -0
  568. package/skills/legal-explainers/data-privacy-law-explainer/content/oklahoma.md +168 -0
  569. package/skills/legal-explainers/data-privacy-law-explainer/content/oregon.md +103 -0
  570. package/skills/legal-explainers/data-privacy-law-explainer/content/pennsylvania.md +99 -0
  571. package/skills/legal-explainers/data-privacy-law-explainer/content/rhode-island.md +93 -0
  572. package/skills/legal-explainers/data-privacy-law-explainer/content/south-carolina.md +175 -0
  573. package/skills/legal-explainers/data-privacy-law-explainer/content/south-dakota.md +176 -0
  574. package/skills/legal-explainers/data-privacy-law-explainer/content/tennessee.md +89 -0
  575. package/skills/legal-explainers/data-privacy-law-explainer/content/texas.md +89 -0
  576. package/skills/legal-explainers/data-privacy-law-explainer/content/utah.md +83 -0
  577. package/skills/legal-explainers/data-privacy-law-explainer/content/vermont.md +267 -0
  578. package/skills/legal-explainers/data-privacy-law-explainer/content/virginia.md +85 -0
  579. package/skills/legal-explainers/data-privacy-law-explainer/content/washington.md +247 -0
  580. package/skills/legal-explainers/data-privacy-law-explainer/content/west-virginia.md +141 -0
  581. package/skills/legal-explainers/data-privacy-law-explainer/content/wisconsin.md +156 -0
  582. package/skills/legal-explainers/data-privacy-law-explainer/content/wyoming.md +185 -0
  583. package/skills/legal-explainers/data-privacy-law-explainer/manifest.json +519 -0
  584. package/skills/legal-explainers/non-compete-contract-explainer/CONTRIBUTING.md +7 -0
  585. package/skills/legal-explainers/non-compete-contract-explainer/LICENSE +269 -0
  586. package/skills/legal-explainers/non-compete-contract-explainer/NOTICE +7 -0
  587. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/SKILL.md +1 -1
  588. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/alabama.md +5 -5
  589. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/alaska.md +5 -5
  590. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/american-samoa.md +6 -6
  591. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/arizona.md +6 -4
  592. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/arkansas.md +5 -5
  593. package/skills/legal-explainers/non-compete-contract-explainer/content/au.md +208 -0
  594. package/skills/legal-explainers/non-compete-contract-explainer/content/australian-capital-territory.md +220 -0
  595. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/california.md +5 -5
  596. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/cnmi.md +4 -4
  597. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/colorado.md +5 -5
  598. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/connecticut.md +5 -5
  599. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/delaware.md +7 -7
  600. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/district-of-columbia.md +5 -5
  601. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/florida.md +5 -5
  602. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/georgia.md +7 -7
  603. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/guam.md +4 -4
  604. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/hawaii.md +5 -5
  605. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/idaho.md +5 -5
  606. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/illinois.md +5 -5
  607. package/skills/{non-compete-contract-explainer/content/india.md → legal-explainers/non-compete-contract-explainer/content/in.md} +5 -5
  608. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/indiana.md +5 -5
  609. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/iowa.md +5 -5
  610. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/kansas.md +5 -5
  611. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/kentucky.md +5 -5
  612. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/louisiana.md +9 -9
  613. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/maine.md +6 -6
  614. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/maryland.md +5 -5
  615. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/massachusetts.md +5 -5
  616. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/michigan.md +5 -5
  617. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/minnesota.md +5 -5
  618. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/mississippi.md +5 -5
  619. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/missouri.md +5 -5
  620. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/montana.md +5 -5
  621. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/nebraska.md +5 -5
  622. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/nevada.md +5 -5
  623. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-hampshire.md +5 -5
  624. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-jersey.md +5 -5
  625. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-mexico.md +5 -5
  626. package/skills/legal-explainers/non-compete-contract-explainer/content/new-south-wales.md +218 -0
  627. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/new-york.md +5 -5
  628. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/north-carolina.md +5 -5
  629. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/north-dakota.md +5 -5
  630. package/skills/legal-explainers/non-compete-contract-explainer/content/northern-territory.md +214 -0
  631. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/ohio.md +5 -5
  632. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/oklahoma.md +5 -5
  633. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/oregon.md +12 -12
  634. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/pennsylvania.md +5 -5
  635. package/skills/{non-compete-contract-explainer/content/philippines.md → legal-explainers/non-compete-contract-explainer/content/ph.md} +5 -5
  636. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/puerto-rico.md +4 -4
  637. package/skills/legal-explainers/non-compete-contract-explainer/content/queensland.md +206 -0
  638. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/rhode-island.md +5 -5
  639. package/skills/{non-compete-contract-explainer/content/singapore.md → legal-explainers/non-compete-contract-explainer/content/sg.md} +5 -5
  640. package/skills/legal-explainers/non-compete-contract-explainer/content/south-australia.md +236 -0
  641. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/south-carolina.md +5 -5
  642. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/south-dakota.md +5 -5
  643. package/skills/legal-explainers/non-compete-contract-explainer/content/tasmania.md +224 -0
  644. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/tennessee.md +5 -5
  645. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/texas.md +5 -5
  646. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/utah.md +5 -5
  647. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/vermont.md +29 -11
  648. package/skills/legal-explainers/non-compete-contract-explainer/content/victoria.md +218 -0
  649. package/skills/{non-compete-contract-explainer/content/us-virgin-islands.md → legal-explainers/non-compete-contract-explainer/content/virgin-islands.md} +5 -5
  650. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/virginia.md +5 -5
  651. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/washington.md +5 -5
  652. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/west-virginia.md +5 -5
  653. package/skills/legal-explainers/non-compete-contract-explainer/content/western-australia.md +224 -0
  654. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/wisconsin.md +5 -5
  655. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/content/wyoming.md +19 -15
  656. package/skills/{non-compete-contract-explainer → legal-explainers/non-compete-contract-explainer}/manifest.json +225 -76
  657. package/content/templates/bonterms-mutual-nda/signing.yaml +0 -35
  658. package/dist/core/signing-config.d.ts +0 -46
  659. package/dist/core/signing-config.d.ts.map +0 -1
  660. package/dist/core/signing-config.js +0 -67
  661. package/dist/core/signing-config.js.map +0 -1
  662. package/skills/services-agreement/template-filling-execution.md +0 -81
  663. package/skills/shared/template-filling-execution.md +0 -92
  664. /package/skills/{cloud-service-agreement → agreements/cloud-service-agreement}/CONNECTORS.md +0 -0
  665. /package/skills/{data-privacy-agreement → agreements/data-privacy-agreement}/CONNECTORS.md +0 -0
  666. /package/skills/{employment-contract → agreements/employment-contract}/CONNECTORS.md +0 -0
  667. /package/skills/{nda → agreements/nda}/CONNECTORS.md +0 -0
  668. /package/skills/{open-agreements → agreements/open-agreements}/CONNECTORS.md +0 -0
  669. /package/skills/{safe → agreements/safe}/CONNECTORS.md +0 -0
  670. /package/skills/{services-agreement → agreements/services-agreement}/CONNECTORS.md +0 -0
  671. /package/skills/{venture-financing → agreements/venture-financing}/CONNECTORS.md +0 -0
  672. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/CONNECTORS.md +0 -0
  673. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/ecorp-portal-playwright-notes.md +0 -0
  674. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/faq.md +0 -0
  675. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/filing-instructions.md +0 -0
  676. /package/skills/{delaware-franchise-tax → client-workflows/delaware-franchise-tax}/reference/tax-calculation.md +0 -0
  677. /package/skills/{edit-docx-agreement → client-workflows/edit-docx-agreement}/CONNECTORS.md +0 -0
  678. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/CONNECTORS.md +0 -0
  679. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/api-exports.md +0 -0
  680. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/evidence-types.md +0 -0
  681. /package/skills/{iso-27001-evidence-collection → compliance/iso-27001-evidence-collection}/rules/screenshot-guide.md +0 -0
  682. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/CONNECTORS.md +0 -0
  683. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/access-control.md +0 -0
  684. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/business-continuity.md +0 -0
  685. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/change-management.md +0 -0
  686. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/encryption.md +0 -0
  687. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/incident-response.md +0 -0
  688. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/isms-management.md +0 -0
  689. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/logging-monitoring.md +0 -0
  690. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/people-controls.md +0 -0
  691. /package/skills/{iso-27001-internal-audit → compliance/iso-27001-internal-audit}/rules/supplier-management.md +0 -0
  692. /package/skills/{soc2-readiness → compliance/soc2-readiness}/CONNECTORS.md +0 -0
  693. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/change-vendor-management.md +0 -0
  694. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/communication-info.md +0 -0
  695. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/control-activities.md +0 -0
  696. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/control-environment.md +0 -0
  697. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/logical-access.md +0 -0
  698. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/monitoring-activities.md +0 -0
  699. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/optional-categories.md +0 -0
  700. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/privacy-criteria.md +0 -0
  701. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/risk-assessment.md +0 -0
  702. /package/skills/{soc2-readiness → compliance/soc2-readiness}/rules/system-operations.md +0 -0
  703. /package/skills/{canonical-markdown-authoring → internal/canonical-markdown-authoring}/CONNECTORS.md +0 -0
  704. /package/skills/{unit-test-philosophy → internal/unit-test-philosophy}/references/allure-test-spec-writing-guide.md +0 -0
@@ -0,0 +1,174 @@
1
+ ---
2
+ jurisdiction: "New Mexico"
3
+ slug: new-mexico
4
+ countryCode: US
5
+ snapshotAsOf: "2026-06-19"
6
+ lastReviewed: "2026-06-11"
7
+ canonicalUrl: https://openagreements.org/practice-guides/privacy/us/new-mexico
8
+ license: CC BY 4.0
9
+ stale: false
10
+ ---
11
+
12
+ > [!IMPORTANT]
13
+ > **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
14
+ > provided for general information. It is not legal advice, does not create an attorney-client
15
+ > relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
16
+ > Laws change; verify against the canonical version before relying on it.
17
+ >
18
+ > **Canonical:** https://openagreements.org/practice-guides/privacy/us/new-mexico · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
19
+
20
+ # New Mexico Consumer Privacy Law[^about]
21
+
22
+ New Mexico has no comprehensive consumer-privacy statute — the 2026 omnibus bill died despite aggregator claims it was enacted. The operative framework is the Data Breach Notification Act (NMSA 1978, §§ 57-12C-1 to -12), the Unfair Practices Act, and the federal overlay.
23
+
24
+
25
+ ## At a glance
26
+
27
+ | Question | New Mexico |
28
+ | --- | --- |
29
+ | **Law coverage** | No comprehensive law |
30
+ | **Summary** | New Mexico has not enacted a comprehensive consumer-privacy law — the Consumer Information and Data Protection Act (HB 214) died in the 2026 session, and aggregator pages reporting a July 1, 2026 effective date are describing a dead bill. What governs today is the Data Breach Notification Act (45-day breach notice, reasonable-security, disposal, and vendor-contract duties) plus the Unfair Practices Act, which can create private damages exposure when a covered privacy-policy or breach-response misstatement causes money or property loss. |
31
+ | **Main law** | Data Breach Notification Act, NMSA 1978, §§ 57-12C-1 to -12, plus the Unfair Practices Act, NMSA 1978, §§ 57-12-1 to -26 — New Mexico has no comprehensive consumer-privacy statute |
32
+ | **Privacy policy required?** | No New Mexico statute mandates a consumer privacy policy or fixes its contents; what you publish is policed by FTC Act § 5 and the Unfair Practices Act, so a knowing policy misstatement tied to a covered transaction can create private exposure if a person loses money or property |
33
+ | **Who does it cover?** | Any person that owns or licenses personal identifying information of New Mexico residents — no revenue or volume threshold; persons subject to GLBA or HIPAA are exempt from the breach act entirely |
34
+ | **Can consumers sue?** | Limited path |
35
+ | **Privacy policy rule** | No state policy checklist |
36
+ | **Consent for sensitive data?** | No special rule |
37
+ | **Browser opt-out signals?** | Not required |
38
+ | **Lawsuit detail** | Not under the Data Breach Notification Act — enforcement is Attorney General-only; but the Unfair Practices Act gives a private action to a person who loses money or property from an unlawful practice, with a $100 statutory floor, possible treble damages for willful conduct, mandatory fee-shifting, and class actions |
39
+ | **Who enforces it?** | New Mexico Attorney General (New Mexico Department of Justice) |
40
+
41
+ ## Which privacy laws apply to your business in New Mexico? {#which-privacy-laws-apply}
42
+
43
+ **Short answer.** There is no comprehensive New Mexico consumer-privacy law. The operative state statute is the Data Breach Notification Act, which applies to any person that owns or licenses personal identifying information of New Mexico residents — with no revenue or consumer-volume threshold — and imposes reasonable-security [^q1-dbna-security-duty], disposal [^q1-dbna-disposal-duty], vendor-contract [^q1-dbna-vendor-duty], and breach-notification duties [^q1-dbna-notice-duty]. Alongside it sits the Unfair Practices Act, the state's general consumer-protection statute, which makes unfair or deceptive and unconscionable trade practices unlawful and can reach data-practices misstatements tied to covered trade or commerce [^q1-upa-prohibition]. One unusual carve-out matters at the threshold: the breach act appears not to apply to a person subject to the federal Gramm-Leach-Bliley Act or HIPAA, but mixed lines of business should confirm coverage before treating the entire operation as outside the act [^q1-dbna-exemptions].
44
+
45
+ A correction is needed before anything else, because the secondary literature on New Mexico is contaminated. Several aggregator and compliance-vendor pages — many tracing back to the same database summaries — state that New Mexico enacted a comprehensive statute called the Consumer Information and Data Protection Act with an effective date of July 1, 2026. The primary legislative record refutes this. House Bill 214 (2026 Regular Session), which carried that name, is listed by the Legislature as *Died (API.)* and *Action Postponed Indefinitely* [^q1-hb214-status]. The July 1, 2026 date circulating online is simply an effective-date clause inside the dead bill's own text [^q1-hb214-effective-dates]. Had it passed, HB 214 would have created a controller-and-processor regime for businesses processing the personal data of at least 35,000 consumers, or 10,000 consumers plus more than 20% of gross revenue from selling personal data [^q1-hb214-scope]. It did not pass, nothing comparable is pending, and the Legislature does not convene again in regular session until January 2027. A compliance calendar built off the aggregator claim is preparing for a statute that does not exist.
46
+
47
+ Because no omnibus law exists, New Mexico residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of its sale, and no recognized universal opt-out signal; businesses face no notice-at-collection, consent, or data-protection-assessment duties under state law. What fills the gap is a layered framework. The Data Breach Notification Act supplies the statewide data-security spine. The Unfair Practices Act supplies the enforcement teeth for covered misrepresentation — including, unusually, a private right of action where a person loses money or property from the unlawful practice, covered in the consumer-lawsuit question below. The rest rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities, and the Children's Online Privacy Protection Act governs services directed to children under 13. This note is written to stay durable: if New Mexico enacts an omnibus law in a future session, a program built to this overlay upgrades rather than restarts.
48
+
49
+ ## What must your New Mexico privacy policy contain? {#privacy-policy-contents}
50
+
51
+ **Short answer.** No New Mexico statute requires a general consumer privacy policy or fixes what it must say. The binding rule is instead that whatever you publish has to be true. Under Section 5 of the FTC Act, a policy that misstates how you collect, use, share, retain, or secure data is a deceptive practice [^q2-ftc5-deceptive], and the Unfair Practices Act reaches the same conduct as a false or misleading written statement knowingly made in connection with the sale of goods or services [^q2-upa-deceptive-def]. Where a sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q2-hipaa-notice].
52
+
53
+ What makes New Mexico different from most no-omnibus states is the sharpness of the misrepresentation exposure. The Unfair Practices Act's definition of an unfair or deceptive trade practice expressly includes failing to state a material fact if doing so deceives or tends to deceive [^q2-upa-omission], and its private remedy reaches a person who loses money or property as a result of an unlawful practice [^q2-upa-private-remedy]. A privacy policy is a written statement a New Mexico claimant may test when the statement is knowingly made in connection with a covered sale, lease, rental, loan, credit extension, or debt collection, and when the claimant can tie the misstatement to money or property loss. The knowing-falsity element is a real pleading hurdle for plaintiffs, but the drafting lesson is the same: build the policy from the federal and sectoral overlay that actually binds you — GLBA privacy notices for financial institutions, the HIPAA notice for covered entities, a COPPA notice for child-directed services — describe your actual practices accurately, and then honor what you wrote.
54
+
55
+ One breach-act provision feeds directly into policy drafting. A person that maintains its own notice procedures as part of an information security policy, consistent with the act's timing requirements, is deemed compliant with the breach-notification requirements if it follows those procedures [^q2-dbna-own-procedures].
56
+
57
+ > [!CAUTION]
58
+ > **Drafting note.**
59
+ >
60
+ > An incident-response commitment in a privacy policy cuts both ways in New Mexico. A policy promising notification on a stated timeline can qualify as your own notice procedure and earn the statutory safe harbor if it is consistent with the act's timing requirements [^q2-dbna-own-procedures] — but it is also a written representation under the Unfair Practices Act, so promising faster notice than you can deliver can create deception exposure if the UPA's transaction and loss requirements are met [^q2-upa-deceptive-def]. Commit only to timelines your incident-response plan can actually meet.
61
+
62
+ ## What must your contracts with service providers say? {#vendor-contracts}
63
+
64
+ **Short answer.** New Mexico has one mandatory vendor-contract clause, and it is statutory, not best practice. A person that discloses personal identifying information of a New Mexico resident to a service provider under a contract must require, by contract, that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the information [^q3-dbna-flowdown]. The duty attaches to any vendor that receives, stores, maintains, licenses, processes, or is otherwise permitted access to personal identifying information through its services [^q3-service-provider-def].
65
+
66
+ This is a narrower mandate than an omnibus-state data processing agreement — it requires a security flow-down clause, not processing instructions, deletion duties, audit rights, or subprocessor terms. But it is a real statutory floor: a New Mexico-facing vendor agreement that shares Social Security numbers, driver's license or government-ID numbers, payment-card credentials, or biometric data without a written reasonable-security commitment from the vendor violates the act. Where a federal sectoral regime applies, it supplies the fuller contracting obligations — the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain appropriate safeguards [^q3-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information changes hands [^q3-hipaa-baa]. For everyone else, the prudent template still carries the omnibus-style protections forward — processing limited to documented instructions, confidentiality, breach notification back to your business, and return or deletion at the end of the engagement — because they cost little to include and your vendor stack rarely stops at the New Mexico border. The statutory minimum, though, is the reasonable-security clause, and it belongs in every New Mexico-facing services agreement that touches personal identifying information.
67
+
68
+ ## What data security and disposal duties does New Mexico impose? {#security-and-disposal}
69
+
70
+ **Short answer.** Two standing duties apply to any person that owns or licenses personal identifying information of New Mexico residents, breach or no breach. First, a reasonable-security duty: implement and maintain reasonable security procedures and practices appropriate to the nature of the information [^q4-dbna-security]. Second, a disposal duty: when records containing personal identifying information are no longer reasonably needed for business purposes, arrange for proper disposal — shredding, erasing, or otherwise modifying the information to make it unreadable or undecipherable [^q4-dbna-disposal].
71
+
72
+ Both duties are principles-based — the statute prescribes no specific controls, certifications, or frameworks, and no New Mexico regulator has issued implementing rules. The reasonableness standard scales with the sensitivity of the data: practices appropriate for marketing lists will not be appropriate for files of Social Security numbers or biometric records. Note a scope nuance in the text: the disposal duty speaks to *records* generally [^q4-dbna-disposal], while the act's breach-notification trigger is limited to computerized data — so paper files are inside the disposal and security duties even though a purely paper-record compromise does not trigger the notification provisions. The GLBA/HIPAA carve-out appears broad for a person subject to those federal regimes, but confirm coverage for mixed lines of business before treating every security and disposal function as outside the act [^q4-dbna-exemptions]. For everyone else, the practical program is a written security policy matched to the data you actually hold, a retention schedule that triggers disposal when business need ends, and documentation of both, since reasonableness is judged after the incident, with hindsight.
73
+
74
+ ## What must you do after a data breach in New Mexico? {#breach-notification}
75
+
76
+ **Short answer.** A person that owns or licenses personal identifying information of New Mexico residents must notify each resident whose information is reasonably believed to have been subject to a security breach — in the most expedient time possible and no later than 45 calendar days after discovery [^q5-dbna-notice-duty]. Notice is excused if an appropriate investigation determines the breach does not give rise to a significant risk of identity theft or fraud [^q5-dbna-risk-of-harm]. If a single breach requires notice to more than 1,000 New Mexico residents, you must also notify the office of the attorney general and the nationwide consumer reporting agencies on the same 45-day clock [^q5-dbna-ag-cra]. And a vendor holding data it does not own owes the data's owner notice of any breach within the same 45 days [^q5-dbna-maintainer-notice].
77
+
78
+ Start with what counts. A *security breach* is the unauthorized acquisition of unencrypted computerized data — or of encrypted data together with the key — that compromises personal identifying information; a good-faith acquisition by an employee or agent for a legitimate business purpose is carved out, so long as the information goes no further [^q5-dbna-breach-def]. The trigger is acquisition, not mere access, and it reaches only computerized data — a lost box of paper files does not start the notice clock. *Personal identifying information* means a resident's name combined with an unprotected Social Security number, driver's license number, government-issued ID number, financial-account or card number with its access credentials, or biometric data — and excludes information lawfully available from public sources [^q5-dbna-pii-def]. Encryption and redaction are built-in safe harbors: data elements that are encrypted or otherwise rendered unusable fall outside the definition unless the decryption key was compromised too.
79
+
80
+ The notice itself has statutorily fixed contents — your name and contact information, the types of information involved, the date or date range of the breach, a general description of the incident, the consumer reporting agencies' toll-free numbers and addresses, advice to review account statements and credit reports, and advice about the recipient's federal Fair Credit Reporting Act rights [^q5-dbna-contents]. Send it by U.S. mail, electronic notice where the statute allows, or substitute notice when the cost exceeds $100,000, the number of residents exceeds 50,000, or sufficient contact information is unavailable; substitute notice requires email where available, conspicuous website posting where the person maintains a website, and written notice to the attorney general and major New Mexico media outlets [^q5-dbna-methods]. When AG notice is triggered at the 1,000-resident threshold, you must also tell the attorney general how many residents were notified and provide a copy of the resident notice within the 45-day window [^q5-dbna-ag-cra]. Two timing escape valves exist: notification may be delayed if law enforcement determines it would impede a criminal investigation, or as necessary to determine the breach's scope and restore the system's integrity [^q5-dbna-delay]. Three practical notes round out the plan. First, 45 days is a ceiling, not a target — the operative command is the most expedient time possible. Second, the risk-of-harm determination that excuses notice must follow an *appropriate investigation* [^q5-dbna-risk-of-harm], so document the analysis contemporaneously. Third, the GLBA/HIPAA carve-out appears broad for a person subject to those federal regimes, but confirm coverage for mixed lines of business before treating all notification duties as displaced by federal breach rules [^q5-dbna-exemptions].
81
+
82
+ ## Who enforces these laws — and can consumers sue? {#consumer-lawsuit}
83
+
84
+ **Short answer.** The Data Breach Notification Act is enforced exclusively by the attorney general, who may sue on behalf of individuals and in the name of the state, with courts empowered to issue injunctions and award damages for actual costs or losses, including consequential financial losses [^q6-dbna-ag-enforcement]; for knowing or reckless violations, the court may add a civil penalty of the greater of $25,000 or, for failed notification, $10 per instance up to $150,000 [^q6-dbna-civil-penalty]. The act gives consumers no private right of action — but the Unfair Practices Act does: a person who loses money or property as a result of an unlawful deceptive or unconscionable practice may sue for actual damages or $100, whichever is greater, with up to treble damages for willful conduct and mandatory attorney fees for a prevailing complainant [^q6-upa-private-remedy]. The attorney general polices the Unfair Practices Act as well [^q6-upa-ag-action].
85
+
86
+ On the breach-act side, the enforcement posture is public and penalty-capped. The attorney general acts on a reasonable belief that a violation occurred, and the remedies run from injunction through actual-loss damages to the knowing-or-reckless civil penalty [^q6-dbna-ag-enforcement]. The penalty arithmetic rewards notification even when late: the per-instance exposure attaches to *failed* notification, capped at $150,000 [^q6-dbna-civil-penalty] — small against omnibus-state penalty schedules, but it stacks with the reputational and litigation costs that follow any publicized AG action.
87
+
88
+ The Unfair Practices Act is where private exposure lives. The private remedy carries a $100 statutory floor for a person who suffered money or property loss, discretionary treble damages (or $300 if greater) for willful practices, and one-way fee-shifting in the complainant's favor [^q6-upa-private-remedy] — and the statute expressly contemplates class actions, with class members recovering their actual damages [^q6-upa-class-action]. Applied to privacy, the theory is strongest when a privacy policy or breach-response promise is a false or misleading written statement knowingly made in connection with the sale, lease, rental, or loan of goods or services, an extension of credit, or debt collection [^q6-upa-deceptive-def], and the claimant can tie the misstatement to money or property loss [^q6-upa-private-remedy]. The knowing-falsity element — the main defense-side hurdle — does not require intent to deceive, but it does require a knowing representation [^q6-upa-intent]. On the public side, the attorney general may sue whenever proceedings would be in the public interest, seeking temporary or permanent injunctions and restitution without posting bond [^q6-upa-ag-action], plus a civil penalty of up to $5,000 per violation for willful conduct [^q6-upa-civil-penalty]. One enforcement claim circulating online deserves a final correction: there is no new comprehensive-privacy enforcement regime taking effect July 1, 2026 — that regime would have come from House Bill 214, which the Legislature lists as *Died (API.)* and *Action Postponed Indefinitely* [^q6-hb214-status]; July 1, 2026 was just an effective date in the dead bill text [^q6-hb214-effective-dates]. Until the Legislature acts, the enforcement map for New Mexico privacy is exactly this: AG-only under the breach act, and AG plus private UPA exposure where the statute's transaction, knowledge, and loss elements are met.
89
+
90
+ [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not New Mexico. This article synthesizes New Mexico primary law and is not legal advice from a New Mexico-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
91
+
92
+ [^q1-dbna-security-duty]: **NMSA 1978, § 57-12C-4** — "A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure." *NMSA 1978, § 57-12C-4.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
93
+
94
+ [^q1-dbna-disposal-duty]: **NMSA 1978, § 57-12C-3** — "A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes." *NMSA 1978, § 57-12C-3.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
95
+
96
+ [^q1-dbna-vendor-duty]: **NMSA 1978, § 57-12C-5** — "A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure." *NMSA 1978, § 57-12C-5.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
97
+
98
+ [^q1-dbna-notice-duty]: **NMSA 1978, § 57-12C-6(A)** — "Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than fortyfive calendar days following discovery of the security breach, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act." *NMSA 1978, § 57-12C-6(A).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
99
+
100
+ [^q1-upa-prohibition]: **NMSA 1978, § 57-12-3** — "Unfair or deceptive trade practices and unconscionable trade practices in the conduct of any trade or commerce are unlawful." *NMSA 1978, § 57-12-3.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
101
+
102
+ [^q1-dbna-exemptions]: **NMSA 1978, § 57-12C-8** — "The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996." *NMSA 1978, § 57-12C-8.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
103
+
104
+ [^q1-hb214-status]: **New Mexico Legislature HB 214 (2026 Regular Session)** — "Current Location Died (API.)" *New Mexico Legislature, HB 214 (2026 Regular Session).* <https://www.nmlegis.gov/Legislation/Legislation?chamber=H&legType=B&legNo=214&year=26>
105
+
106
+ [^q1-hb214-effective-dates]: **HB 214 (2026), § 16** — "SECTION 16. EFFECTIVE DATES.-- A. The effective date of the provisions of Sections 1, 2 and 13 through 15 of this act is July 1, 2026. B. The effective date of the provisions of Sections 3 through 12 of this act is July 1, 2027." *HB 214 (2026), § 16.* <https://www.nmlegis.gov/Sessions/26%20Regular/bills/house/HB0214.HTML>
107
+
108
+ [^q1-hb214-scope]: **HB 214 (2026), § 3(A)** — "SECTION 3. [ NEW MATERIAL ] SCOPE OF ACT--EXEMPTIONS.-- A. The Consumer Information and Data Protection Act applies to persons that conduct business in New Mexico and persons that produce products or services that are targeted to residents of New Mexico and that during the preceding calendar year did any of the following: (1) controlled or processed the personal data of at least thirty-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of at least ten thousand consumers and derived more than twenty percent of its gross revenue from the sale of personal data." *HB 214 (2026), § 3(A).* <https://www.nmlegis.gov/Sessions/26%20Regular/bills/house/HB0214.HTML>
109
+
110
+ [^q2-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
111
+
112
+ [^q2-upa-deceptive-def]: **NMSA 1978, § 57-12-2(D)** — "‘unfair or deceptive trade practice’ means an act specifically declared unlawful pursuant to the Unfair Practices Act, a false or misleading oral or written statement, visual description or other representation of any kind knowingly made in connection with the sale, lease, rental or loan of goods or services or in the extension of credit or in the collection of debts by a person in the regular course of the person's trade or commerce, that may, tends to or does deceive or mislead any person" *NMSA 1978, § 57-12-2(D).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
113
+
114
+ [^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
115
+
116
+ [^q2-upa-omission]: **NMSA 1978, § 57-12-2(D)(14)** — "(14) using exaggeration, innuendo or ambiguity as to a material fact or failing to state a material fact if doing so deceives or tends to deceive;" *NMSA 1978, § 57-12-2(D)(14).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
117
+
118
+ [^q2-upa-private-remedy]: **NMSA 1978, § 57-12-10(B), (C)** — "Any person who suffers any loss of money or property, real or personal, as a result of any employment by another person of a method, act or practice declared unlawful by the Unfair Practices Act may bring an action to recover actual damages or the sum of one hundred dollars ($100), whichever is greater. Where the trier of fact finds that the party charged with an unfair or deceptive trade practice or an unconscionable trade practice has willfully engaged in the trade practice, the court may award up to three times actual damages or three hundred dollars ($300), whichever is greater, to the party complaining of the practice. C. The court shall award attorney fees and costs to the party complaining of an unfair or deceptive trade practice or unconscionable trade practice if the party prevails." *NMSA 1978, § 57-12-10(B), (C).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
119
+
120
+ [^q2-dbna-own-procedures]: **NMSA 1978, § 57-12C-6(F)** — "A person that maintains its own notice procedures as part of an information security policy for the treatment of personal identifying information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the person notifies affected consumers in accordance with its policies in the event of a security breach." *NMSA 1978, § 57-12C-6(F).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
121
+
122
+ [^q3-dbna-flowdown]: **NMSA 1978, § 57-12C-5** — "A person that discloses personal identifying information of a New Mexico resident pursuant to a contract with a service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure." *NMSA 1978, § 57-12C-5.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
123
+
124
+ [^q3-service-provider-def]: **NMSA 1978, § 57-12C-2(E)** — "‘service provider’ means any person that receives, stores, maintains, licenses, processes or otherwise is permitted access to personal identifying information through its provision of services directly to a person that is subject to regulation." *NMSA 1978, § 57-12C-2(E).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
125
+
126
+ [^q3-glba-safeguards]: **GLBA Safeguards Rule** — "(f) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=(f)%20Oversee%20service%20providers%2C%20by%3A,continued%20adequacy%20of%20their%20safeguards.>
127
+
128
+ [^q3-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2)(i)-(ii)(D).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
129
+
130
+ [^q4-dbna-security]: **NMSA 1978, § 57-12C-4** — "A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure." *NMSA 1978, § 57-12C-4.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
131
+
132
+ [^q4-dbna-disposal]: **NMSA 1978, § 57-12C-3** — "A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, ‘proper disposal’ means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable." *NMSA 1978, § 57-12C-3.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
133
+
134
+ [^q4-dbna-exemptions]: **NMSA 1978, § 57-12C-8** — "The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996." *NMSA 1978, § 57-12C-8.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
135
+
136
+ [^q5-dbna-notice-duty]: **NMSA 1978, § 57-12C-6(A)** — "Except as provided in Subsection C of this section, a person that owns or licenses elements that include personal identifying information of a New Mexico resident shall provide notification to each New Mexico resident whose personal identifying information is reasonably believed to have been subject to a security breach. Notification shall be made in the most expedient time possible, but not later than fortyfive calendar days following discovery of the security breach, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act." *NMSA 1978, § 57-12C-6(A).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
137
+
138
+ [^q5-dbna-risk-of-harm]: **NMSA 1978, § 57-12C-6(B)** — "Notwithstanding Subsection A of this section, notification to affected New Mexico residents is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud." *NMSA 1978, § 57-12C-6(B).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
139
+
140
+ [^q5-dbna-ag-cra]: **NMSA 1978, § 57-12C-10** — "A person that is required to issue notification of a security breach pursuant to the Data Breach Notification Act to more than one thousand New Mexico residents as a result of a single security breach shall notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the security breach in the most expedient time possible, and no later than forty-five calendar days, except as provided in Section 9 [57-12C-9 NMSA 1978] of the Data Breach Notification Act. A person required to notify the attorney general and consumer reporting agencies pursuant to this section shall notify the attorney general of the number of New Mexico residents that received notification pursuant to Section 6 of that act [57-12C-6 NMSA 1978] and shall provide a copy of the notification that was sent to affected residents within forty-five calendar days following discovery of the security breach, except as provided in Section 9 of the Data Breach Notification Act." *NMSA 1978, § 57-12C-10.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
141
+
142
+ [^q5-dbna-maintainer-notice]: **NMSA 1978, § 57-12C-6(C)** — "Any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible, but not later than forty-five calendar days following discovery of the breach, except as provided in Section 9 of the Data Breach Notification Act; provided that notification to the owner or licensee of the information is not required if, after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud." *NMSA 1978, § 57-12C-6(C).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
143
+
144
+ [^q5-dbna-breach-def]: **NMSA 1978, § 57-12C-2(D)** — "‘security breach’ means the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person. ‘Security breach’ does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a legitimate business purpose of the person; provided that the personal identifying information is not subject to further unauthorized disclosure" *NMSA 1978, § 57-12C-2(D).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
145
+
146
+ [^q5-dbna-pii-def]: **NMSA 1978, § 57-12C-2(C)** — "‘personal identifying information’: (1) means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: (a) social security number; (b) driver's license number; (c) government-issued identification number; (d) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person's financial account; or (e) biometric data; and (2) does not mean information that is lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public;" *NMSA 1978, § 57-12C-2(C).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
147
+
148
+ [^q5-dbna-contents]: **NMSA 1978, § 57-12C-7** — "Notification required pursuant to Subsection A of Section 6 [57-12C-6 NMSA 1978] of the Data Breach Notification Act shall contain: A. the name and contact information of the notifying person; B. a list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known; C. the date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known; D. a general description of the security breach incident; E. the toll-free telephone numbers and addresses of the major consumer reporting agencies; F. advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and G. advice that informs the recipient of the notification of the recipient's rights pursuant to the federal Fair Credit Reporting." *NMSA 1978, § 57-12C-7.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
149
+
150
+ [^q5-dbna-methods]: **NMSA 1978, § 57-12C-6(D), (E)** — "D. A person required to provide notification of a security breach pursuant to Subsection A of this section shall provide that notification by: (1) United States mail; (2) electronic notification, if the person required to make the notification primarily communicates with the New Mexico resident by electronic means or if the notice provided is consistent with the requirements of 15 U.S.C. Section 7001; or (3) a substitute notification, if the person demonstrates that: (a) the cost of providing notification would exceed one hundred thousand dollars ($100,000); (b) the number of residents to be notified exceeds fifty thousand; or (c) the person does not have on record a physical address or sufficient contact information for the residents that the person or business is required to notify. E. Substitute notification pursuant to Paragraph (3) of Subsection D of this section shall consist of: (1) sending electronic notification to the email address of those residents for whom the person has a valid email address; (2) posting notification of the security breach in a conspicuous location on the website of the person required to provide notification if the person maintains a website; and (3) sending written notification to the office of the attorney general and major media outlets in New Mexico." *NMSA 1978, § 57-12C-6(D), (E).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
151
+
152
+ [^q5-dbna-delay]: **NMSA 1978, § 57-12C-9** — "The notification required by the Data Breach Notification Act may be delayed: A. if a law enforcement agency determines that the notification will impede a criminal investigation; or B. as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system." *NMSA 1978, § 57-12C-9.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
153
+
154
+ [^q5-dbna-exemptions]: **NMSA 1978, § 57-12C-8** — "The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996." *NMSA 1978, § 57-12C-8.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
155
+
156
+ [^q6-dbna-ag-enforcement]: **NMSA 1978, § 57-12C-11(A), (B)** — "When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation of that act. B. In any action filed by the attorney general pursuant to the Data Breach Notification Act, the court may: (1) issue an injunction; and (2) award damages for actual costs or losses, including consequential financial losses." *NMSA 1978, § 57-12C-11(A), (B).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
157
+
158
+ [^q6-dbna-civil-penalty]: **NMSA 1978, § 57-12C-11(C)** — "If the court determines that a person violated the Data Breach Notification Act knowingly or recklessly, the court may impose a civil penalty of the greater of twentyfive thousand dollars ($25,000) or, in the case of failed notification, ten dollars ($10.00) per instance of failed notification up to a maximum of one hundred fifty thousand dollars ($150,000)." *NMSA 1978, § 57-12C-11(C).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
159
+
160
+ [^q6-upa-private-remedy]: **NMSA 1978, § 57-12-10(B), (C)** — "Any person who suffers any loss of money or property, real or personal, as a result of any employment by another person of a method, act or practice declared unlawful by the Unfair Practices Act may bring an action to recover actual damages or the sum of one hundred dollars ($100), whichever is greater. Where the trier of fact finds that the party charged with an unfair or deceptive trade practice or an unconscionable trade practice has willfully engaged in the trade practice, the court may award up to three times actual damages or three hundred dollars ($300), whichever is greater, to the party complaining of the practice. C. The court shall award attorney fees and costs to the party complaining of an unfair or deceptive trade practice or unconscionable trade practice if the party prevails." *NMSA 1978, § 57-12-10(B), (C).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
161
+
162
+ [^q6-upa-ag-action]: **NMSA 1978, § 57-12-8(A), (B)** — "Whenever the attorney general has reasonable belief that any person is using, has used or is about to use any method, act or practice which is declared by the Unfair Practices Act to be unlawful, and that proceedings would be in the public interest, he may bring an action in the name of the state alleging violations of the Unfair Practices Act. The action may be brought in the district court of the county in which the person resides or has his principal place of business or in the district court in any county in which the person is using, has used or is about to use the practice which has been alleged to be unlawful under the Unfair Practices Act. The attorney general acting on behalf of the state of New Mexico shall not be required to post bond when seeking a temporary or permanent injunction in such action. B. In any action filed pursuant to the Unfair Practices Act, including an action with respect to unimproved real property, the attorney general may petition the district court for temporary or permanent injunctive relief and restitution." *NMSA 1978, § 57-12-8(A), (B).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
163
+
164
+ [^q6-upa-class-action]: **NMSA 1978, § 57-12-10(E)** — "In any class action filed under this section, the court may award damages to the named plaintiffs as provided in Subsection B of this section and may award members of the class such actual damages as were suffered by each member of the class as a result of the unlawful method, act or practice." *NMSA 1978, § 57-12-10(E).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
165
+
166
+ [^q6-upa-deceptive-def]: **NMSA 1978, § 57-12-2(D)** — "‘unfair or deceptive trade practice’ means an act specifically declared unlawful pursuant to the Unfair Practices Act, a false or misleading oral or written statement, visual description or other representation of any kind knowingly made in connection with the sale, lease, rental or loan of goods or services or in the extension of credit or in the collection of debts by a person in the regular course of the person's trade or commerce, that may, tends to or does deceive or mislead any person" *NMSA 1978, § 57-12-2(D).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
167
+
168
+ [^q6-upa-intent]: **NMSA 1978, § 57-12-2 annotations** — "Intent to deceive not element of ‘unfair or deceptive trade practice’ but a knowing representation is required." *NMSA 1978, § 57-12-2 annotations (Richardson Ford Sales, Inc. v. Johnson).* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
169
+
170
+ [^q6-upa-civil-penalty]: **NMSA 1978, § 57-12-11** — "In any action brought under Section 57-12-8 NMSA 1978, if the court finds that a person is willfully using or has willfully used a method, act or practice declared unlawful by the Unfair Practices Act, the attorney general, upon petition to the court, may recover, on behalf of the state of New Mexico, a civil penalty of not exceeding five thousand dollars ($5,000) per violation." *NMSA 1978, § 57-12-11.* <https://nmonesource.com/nmos/nmsa/en/4423/1/document.do>
171
+
172
+ [^q6-hb214-status]: **New Mexico Legislature HB 214 (2026 Regular Session)** — "Current Location Died (API.)" *New Mexico Legislature, HB 214 (2026 Regular Session).* <https://www.nmlegis.gov/Legislation/Legislation?chamber=H&legType=B&legNo=214&year=26>
173
+
174
+ [^q6-hb214-effective-dates]: **HB 214 (2026), § 16** — "SECTION 16. EFFECTIVE DATES.-- A. The effective date of the provisions of Sections 1, 2 and 13 through 15 of this act is July 1, 2026. B. The effective date of the provisions of Sections 3 through 12 of this act is July 1, 2027." *HB 214 (2026), § 16.* <https://www.nmlegis.gov/Sessions/26%20Regular/bills/house/HB0214.HTML>
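Review bot: Three of the passages quoted as verbatim statutory text in this footnote block look damaged and should be re-checked against the source before release. `[^q5-dbna-notice-duty]` reads "fortyfive calendar days" while `[^q5-dbna-ag-cra]` and `[^q5-dbna-maintainer-notice]` read "forty-five"; `[^q6-dbna-civil-penalty]` reads "twentyfive thousand dollars"; and `[^q5-dbna-contents]` stops at "the federal Fair Credit Reporting." which reads as cut off in the middle of the act's name. These quotes carry the breach-notice deadline and the penalty amounts, so a reader copying them into an incident-response runbook inherits the errors. Two smaller points: `[^q4-dbna-exemptions]` and `[^q5-dbna-exemptions]` are identical, as are `[^q2-upa-private-remedy]` and `[^q6-upa-private-remedy]`, so a later correction can land in one copy and miss the other; and every NMSA footnote links to the same `document.do` URL, whereas the C.F.R. footnotes link to the quoted passage, so the cited section cannot be reached from the link.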
@@ -0,0 +1,195 @@
1
+ ---
2
+ jurisdiction: "New York"
3
+ slug: new-york
4
+ countryCode: US
5
+ snapshotAsOf: "2026-06-19"
6
+ lastReviewed: "2026-06-11"
7
+ canonicalUrl: https://openagreements.org/practice-guides/privacy/us/new-york
8
+ license: CC BY 4.0
9
+ stale: false
10
+ ---
11
+
12
+ > [!IMPORTANT]
13
+ > **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
14
+ > provided for general information. It is not legal advice, does not create an attorney-client
15
+ > relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
16
+ > Laws change; verify against the canonical version before relying on it.
17
+ >
18
+ > **Canonical:** https://openagreements.org/practice-guides/privacy/us/new-york · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
19
+
20
+ # New York Consumer Privacy Law[^about]
21
+
22
+ New York has no comprehensive consumer-privacy act. The SHIELD Act (GBL §§ 899-aa, 899-bb) imposes breach-notice and reasonable-safeguards duties, the Child Data Protection Act restricts processing data of users under 18, and GBL § 349 supplies the UDAAP rule and SHIELD safeguards hook.
23
+
24
+
25
+ ## At a glance
26
+
27
+ | Question | New York |
28
+ | --- | --- |
29
+ | **Law coverage** | Specific data types only |
30
+ | **Summary** | New York has not enacted a comprehensive consumer-privacy law, but the SHIELD Act already requires almost every business holding New Yorkers' private information — with no revenue or in-state-presence threshold — to run a reasonable data-security program, to report breaches within 30 days, and to expect Attorney General enforcement under separate SHIELD and breach-notice provisions. Since June 20, 2025 the Child Data Protection Act has added a default-deny regime for processing personal data of users under 18, including a sale ban subject to statutory exceptions. There is no general privacy-policy mandate, so the policy slice is governed by the rule that whatever you publish must be true; the moving piece to watch is the twice-passed Health Information Privacy Act, which would add a strict consumer-health-data regime if it becomes law. |
31
+ | **Main law** | SHIELD Act — N.Y. Gen. Bus. Law § 899-bb (reasonable-safeguards duty) and § 899-aa (breach notification) — plus the Child Data Protection Act (GBL art. 39-FF, in force since June 20, 2025) and GBL § 349; New York has no comprehensive consumer-privacy statute |
32
+ | **Privacy policy required?** | No general New York statute mandates a consumer privacy policy or fixes its contents; a published policy that misstates practices is actionable under GBL § 349 and FTC Act § 5, and GLBA, HIPAA, and COPPA supply required contents where they apply |
33
+ | **Who does it cover?** | Any person or business, wherever located, that owns or licenses computerized data including the private information of a New York resident — no in-state-presence, revenue, or volume threshold; small businesses get scaled (not waived) duties; the Child Data Protection Act covers operators of online services with New York users under 18 |
34
+ | **Can consumers sue?** | Limited path |
35
+ | **Privacy policy rule** | No state policy checklist |
36
+ | **Consent for sensitive data?** | Only for certain data types |
37
+ | **Browser opt-out signals?** | Not required |
38
+ | **Lawsuit detail** | Not under the SHIELD Act — § 899-bb expressly creates none and § 899-aa runs through the Attorney General; but GBL § 349(h) lets a consumer injured by a deceptive practice sue for actual damages or $50 (treble to $1,000) plus attorney's fees |
39
+ | **Who enforces it?** | New York Attorney General (Commissioner of Labor for employee personal-identifying-information violations under Labor Law § 203-d) |
40
+
41
+ ## Which privacy laws apply to your business in New York? {#which-privacy-laws-apply}
42
+
43
+ **Short answer.** New York has no comprehensive consumer-privacy statute, but it is far from unregulated — the state runs a layered, sector-by-sector framework with unusually broad practical reach. The SHIELD Act supplies the spine: any person or business that owns or licenses computerized data including the private information of a New York resident must develop, implement, and maintain reasonable safeguards to protect it [^q1-shield-duty], and must notify affected residents of a data breach in the most expedient time possible, with a hard outer limit of thirty days after discovery [^q1-breach-timing]. Since June 20, 2025, the Child Data Protection Act has barred operators of websites, apps, and connected devices from processing the personal data of New York users under 18 except on narrow statutory terms [^q1-cdpa-default]. And on the employment side, Labor Law § 203-d restricts what an employer may do with employee personal identifying information [^q1-labor-203d].
44
+
45
+ The structural point to absorb first is that the SHIELD Act's safeguards duty carries no in-state-presence, revenue, or data-volume threshold — it turns solely on holding a New York resident's *private information* — so a business with a handful of New York customers or employees is covered even if it has never set foot in the state. What New York does not have is an omnibus law of the California, Virginia, or Colorado type: residents hold no general state-law rights to access, delete, or correct their personal data, and no general right to opt out of its sale (the under-18 sale ban in the Child Data Protection Act is the exception). General Business Law § 349 supplies the UDAAP and deception rule and the SHIELD safeguards enforcement hook, but breach-notice violations, Child Data Protection Act violations, and employee personal-identifying-information violations run through their own statutory enforcement provisions. The federal overlay fills the remaining lanes: FTC Act § 5 polices deceptive or unfair privacy practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities and their business associates, and COPPA governs services directed to children under 13.
46
+
47
+ The landscape is also moving. A Health Information Privacy Act passed both houses in 2025 but was vetoed in December 2025; revised S9269/A10357 passed both houses on June 3-4, 2026 and would create the health-data regime if signed. Until signature, veto, or chapter amendment, it is not in force. The separate comprehensive New York Privacy Act lineage has not advanced in 2026, so New York remains a non-comprehensive state for now — but businesses handling health-adjacent consumer data should confirm the health bill's status before relying on the current sectoral-only picture.
48
+
49
+ ## What does the SHIELD Act require your data-security program to include? {#security-program}
50
+
51
+ **Short answer.** The SHIELD Act gives a business two ways to satisfy its reasonable-safeguards duty: be a compliant regulated entity under an enumerated regime (GLBA, HIPAA/HITECH, New York's financial-services cybersecurity regulation, or other federal or state data-security rules), or implement a data-security program with the statute's enumerated administrative safeguards [^q2-program-elements], technical safeguards [^q2-technical-safeguards], and physical safeguards [^q2-physical-safeguards]. Small businesses — fewer than fifty employees, under three million dollars in gross annual revenue in each of the last three fiscal years, or under five million dollars in year-end total assets [^q2-small-business-def] — comply with a program whose safeguards are appropriate to their size, complexity, activities, and the sensitivity of the data they hold [^q2-small-business-proviso].
52
+
53
+ This is the closest thing New York has to a general privacy-program mandate, and it is the prong most businesses should build to first. The statutory safeguard lists work as a program checklist: administrative safeguards (coordinator, risk identification, sufficiency assessment, training, vendor selection and contracting, program adjustment), technical safeguards (risk assessment in network and software design and in processing, transmission, and storage; attack detection, prevention, and response; testing and monitoring of key controls), and physical safeguards (storage and disposal risk, intrusion detection and response, protection during collection, transport, and destruction, and timely disposal by erasing media so the information cannot be read or reconstructed). The deemed-compliance path matters for regulated entities: a business already subject to and in compliance with GLBA, HIPAA, or the Department of Financial Services cybersecurity regulation does not need a second, parallel program for SHIELD purposes. The small-business proviso scales the duty but does not waive it — a five-person shop should be able to document a reasoned set of safeguards.
54
+
55
+ A safeguards failure is deemed a General Business Law § 349 violation, and the Attorney General may sue to enjoin violations and collect civil penalties [^q2-349-hook] — up to five thousand dollars per violation under the companion penalty section [^q2-350d-penalty]. Per-violation math across a large data set is what turns a paper duty into a board-level number.
56
+
57
+ ## What must your New York privacy policy contain? {#privacy-policy-contents}
58
+
59
+ **Short answer.** No New York statute requires a general consumer privacy policy or fixes what it must say. The governing rule is instead that whatever you publish has to be true: General Business Law § 349 declares unfair, deceptive, or abusive acts and practices in any business, trade, or commerce in the state unlawful [^q3-gbs-349], and FTC Act § 5 reaches the same conduct federally [^q3-ftc5] — so a privacy policy that misstates how you collect, use, share, retain, or secure data is itself the violation. Where a sectoral regime applies, that regime supplies the required contents; a HIPAA covered entity, for example, must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q3-hipaa-notice].
60
+
61
+ In practice the drafting question for a New York-facing policy is less what must be included than does the policy match actual practice. Build the contents from the overlay that applies to you — GLBA privacy notices for financial institutions, the HIPAA Notice of Privacy Practices for covered entities, HIPAA business-associate agreements where a business associate handles PHI, and a COPPA notice for services directed to children under 13 — and, for everyone else, follow best practice: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer, then honor every word of it. Two New York-specific notes sharpen the risk. First, § 349 was amended effective February 17, 2026 to reach *unfair* and *abusive* practices, not just deceptive ones, so the Attorney General can now pursue data practices that involve no affirmative misstatement at all — think onerous consent flows or data uses a consumer cannot reasonably avoid. Second, because § 349 carries a private right of action for deceptive practices (covered in the lawsuit section below), an inaccurate privacy policy is one of the few privacy failures in New York that consumers themselves can sue over.
62
+
63
+ ## Can you collect personal data from users under 18 in New York? {#minors-data}
64
+
65
+ **Short answer.** Only on the statute's terms. Since June 20, 2025, New York's Child Data Protection Act has flipped the default for minors' data: subject to the statute's express subdivision-six deletion/transition rule and § 899-jj exception, an operator may not process — or let a processor or third-party operator collect — the personal data of a covered user unless, for users 12 or younger, COPPA permits the processing, or, for users 13 through 17, the processing is strictly necessary for an enumerated activity or the user has given informed consent [^q4-cdpa-default]. A covered user is a New York user the operator actually knows to be a minor, or any user of a service primarily directed to minors [^q4-covered-user], and a minor is anyone under eighteen [^q4-minor-def]. Selling a covered user's personal data is prohibited except as provided in § 899-jj [^q4-sale-ban].
66
+
67
+ The strictly-necessary lane is narrow by design: it covers providing a service the user requested, internal operations (expressly excluding marketing, advertising, research and development, and re-engagement prompts), fixing technical errors, fraud and security, legal compliance and claims, and vital interests. Everything else for the 13-to-17 band requires informed consent collected the statute's way — the request must be separate from other transactions, free of interface design that obscures or impairs the choice, must state clearly that the processing is not strictly necessary and can be declined without losing the service, and must present refusal as the most prominent option [^q4-consent]; consent is freely revocable, and a declined or revoked request cannot be repeated for the following calendar year [^q4-revocation]. Operators also may not punish a non-consenting user by degrading or charging more for the service [^q4-no-degradation], must delete a covered user's non-permitted data within thirty days of learning the user is covered [^q4-deletion], and must honor device-level decline signals [^q4-device-signal].
68
+
69
+ Enforcement belongs to the Attorney General, who may sue any person within or outside the state for injunctions, restitution, disgorgement — including destruction of unlawfully obtained data — damages, and civil penalties of up to five thousand dollars per violation [^q4-remedies]. The Attorney General published implementation guidance in 2025 signaling enforcement discretion for good-faith compliance while formal rules under the act remain outstanding, but the statute itself is in force and per-violation exposure across a youth user base scales quickly. Note the act's relationship to federal law: for under-13 users it harmonizes with COPPA rather than displacing it, so a COPPA-compliant program is the starting point, not the finish line, for a New York audience that includes teenagers.
70
+
71
+ ## What privacy rights and opt-outs do New York consumers have? {#consumer-rights-opt-outs}
72
+
73
+ **Short answer.** New York does not give adult consumers a general state-law right to access, delete, correct, or port personal data, a general sale opt-out, or a general universal-opt-out-signal right. The state-specific choice regime is targeted to covered users under 18: for users 13 through 17, processing that is not strictly necessary requires informed consent collected through the CDPA's prescribed request or device-signal path [^q5-consent], and the sale of covered users' personal data is prohibited except as provided in § 899-jj [^q5-sale-ban].
74
+
75
+ For adults, the practical right is indirect: a deceptive privacy statement can support a consumer suit under General Business Law § 349(h), but that is a deception remedy, not an omnibus data-rights regime [^q5-349h-pra]. For minors, the CDPA gives the meaningful opt-out architecture. Consent must be separate from other transactions, free of mechanisms that obscure or impair the user's choice, and paired with refusal as the most prominent option [^q5-consent]. Once consent is declined or revoked, the operator generally cannot ask again for that processing for the following calendar year [^q5-revocation]; if the covered user's device communicates a decline signal, the operator cannot request informed consent for that processing [^q5-device-signal]. New York therefore has a strong minor-specific consent and signal rule, but no across-the-board adult universal-opt-out requirement.
76
+
77
+ ## What must your contracts with vendors say? {#vendor-contracts}
78
+
79
+ **Short answer.** New York has no omnibus data-processing-agreement statute, but two state-law contract duties do exist. Under the SHIELD Act, a compliant security program includes selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract [^q5-shield-vendor]. And under the Child Data Protection Act, no operator or processor may disclose a covered user's personal data to a third party — or allow a third party to process it — without a written, binding agreement setting out processing instructions and the parties' rights and obligations [^q5-cdpa-processor].
80
+
81
+ For general adult-consumer data, the SHIELD clause is the floor: a New York-facing business should be able to show that its vendor diligence and its contracts impose safeguards on everyone who touches *private information*, because a vendor-caused breach will be evaluated against that statutory element. Where minors' data is in scope, the Child Data Protection Act turns the contract into a gating requirement — the statute also obliges processors to follow the operator's instructions, to assist with the operator's deletion duties, to demonstrate compliance on request, to cooperate with assessments, and to give advance notice before handing data to further processors, so a compliant agreement should track each of those elements. The federal overlay supplies the rest where it applies: the GLBA Safeguards Rule requires financial institutions to bind service providers by contract to implement and maintain safeguards [^q5-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information changes hands [^q5-hipaa-baa]. Outside those lanes, carrying the same terms forward — documented instructions, confidentiality, reasonable security, breach notice back to you, return or deletion at the end of the engagement — is best practice that also evidences SHIELD compliance.
82
+
83
+ ## When must you notify people of a data breach in New York? {#breach-notification}
84
+
85
+ **Short answer.** Any person or business that owns or licenses computerized data including private information must notify every New York resident whose private information was, or is reasonably believed to have been, accessed or acquired without valid authorization — in the most expedient time possible, and in any event within thirty days after the breach is discovered [^q6-breach-trigger]. The trigger is broad: a breach includes unauthorized *access* to private information, not just its acquisition [^q6-breach-def]. And whenever any New York residents are notified, the business must also notify the Attorney General, the Department of State, the State Police, and — for covered financial-services entities — the Department of Financial Services [^q6-regulator-notice].
86
+
87
+ What counts as *private information* drives the analysis. It means personal information combined with an unencrypted (or key-compromised) data element — Social Security number, driver's license or non-driver ID number, financial-account or card numbers that permit account access, biometric information, medical information, and health-insurance information — or a username or email address combined with a password or security credentials permitting access to an online account [^q6-private-info]. The medical and health-insurance additions matter operationally: incident-response playbooks written before 2025 often classify those elements as non-triggering, and in New York they now trigger. A business that merely maintains data it does not own must alert the data's owner within thirty days of discovery [^q6-maintainer-notice], and notice to individuals may be written, electronic with express consent, telephonic with a log, or by substitute notice for very large or unreachable classes [^q6-notice-methods]. A narrow carve-out excuses notice for inadvertent disclosures by authorized persons that the business reasonably determines are unlikely to cause misuse or harm — but the determination must be documented in writing, retained for five years, and, if more than five hundred residents are affected, provided to the Attorney General within ten days [^q6-harm-carveout]. When more than five thousand residents are notified at once, the consumer reporting agencies must be notified as well [^q6-cra-notice].
88
+
89
+ Non-compliance is an Attorney General matter: in the Attorney General's action, the court may award damages for actual losses of persons entitled to notice [^q6-aa-damages], and for knowing or reckless violations may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per failed notification, capped at two hundred fifty thousand dollars [^q6-ag-penalty]. A late-notice case needs no underlying security failure, so the thirty-day clock deserves a hard-coded place in any incident-response plan. Businesses already notifying under GLBA, HIPAA/HITECH, or the Department of Financial Services cybersecurity regulation need not send duplicate individual notices, but the New York regulator and credit-agency notices still apply, and HIPAA-covered entities reporting a breach to federal health authorities must copy the New York Attorney General within five business days [^q6-hipaa-ag-copy].
90
+
91
+ ## Can a consumer sue your business in New York over privacy? {#consumer-lawsuit}
92
+
93
+ **Short answer.** Not under the SHIELD Act. The safeguards section says expressly that nothing in it creates a private right of action [^q7-shield-no-pra], and the breach-notification statute routes consumer redress through the Attorney General — in the Attorney General's action, the court may award damages for actual costs or losses of people who should have been notified but were not [^q7-aa-damages]. The consumer's own door is General Business Law § 349(h): any person injured by a deceptive act or practice may sue in their own name for actual damages or fifty dollars, whichever is greater, with discretionary treble damages up to one thousand dollars for willful or knowing violations and attorney's fees for a prevailing plaintiff [^q7-349h-pra].
94
+
95
+ The practical consequence is that New York privacy litigation by consumers is framed as deception, not as a statutory data-rights claim: a privacy policy or security promise that did not match reality is the classic § 349(h) theory, often pleaded alongside common-law negligence and implied-contract claims after a breach. Two limits keep that exposure bounded. The § 349(h) action reaches *deceptive* acts and practices — the statute's newer unfair and abusive prongs are the Attorney General's to enforce — and the modest statutory minimum means individual claims aggregate into class actions rather than standing alone. On the public side, the Attorney General is an active privacy enforcer, using the SHIELD safeguards hook, the breach statute, and § 349 directly, typically resolving matters by assurance of discontinuance with monetary payments and mandated security programs; the auto-insurer and notice-timing settlements described in the security-program and breach sections above show the pattern. Employee data has its own enforcement lane: the Commissioner of Labor may impose a civil penalty of up to five hundred dollars for a knowing violation of the employee personal-identifying-information rules, and a violation is presumed knowing if the employer has no safeguard policies in place — which makes a short written policy the cheapest compliance step in this entire note [^q7-labor-penalty].
96
+
97
+ One forward-looking caveat belongs here. Revised S9269/A10357 passed both houses on June 3-4, 2026 and would create a Health Information Privacy Act if signed; until signature, veto, or chapter amendment, it is not in force. In its passed form, it would keep enforcement exclusively with the Attorney General — no private right of action — at civil penalties of up to fifteen thousand dollars per violation.
98
+
99
+ [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York. This article synthesizes New York primary law and is not legal advice. This article is for informational purposes only and does not create an attorney-client relationship.
100
+
101
+ [^q1-shield-duty]: **N.Y. Gen. Bus. Law § 899-bb(2)(a)** — "Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data." *N.Y. Gen. Bus. Law § 899-bb(2)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
102
+
103
+ [^q1-breach-timing]: **N.Y. Gen. Bus. Law § 899-aa(2)** — "The disclosure shall be made in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section." *N.Y. Gen. Bus. Law § 899-aa(2).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
104
+
105
+ [^q1-cdpa-default]: **N.Y. Gen. Bus. Law § 899-ff(1)** — "Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent: (a) the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or (b) the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section." *N.Y. Gen. Bus. Law § 899-ff(1).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
106
+
107
+ [^q1-labor-203d]: **N.Y. Lab. Law § 203-d** — "An employer shall not unless otherwise required by law: (a) Publicly post or display an employee's social security number; (b) Visibly print a social security number on any identification badge or card, including any time card; (c) Place a social security number in files with unrestricted access; or (d) Communicate an employee's personal identifying information to the general public." *N.Y. Lab. Law § 203-d(1).* <https://www.nysenate.gov/legislation/laws/LAB/203-D>
108
+
109
+ [^q2-program-elements]: **N.Y. Gen. Bus. Law § 899-bb(2)(b)** — "A person or business shall be deemed to be in compliance with paragraph (a) of this subdivision if it either: (i) is a compliant regulated entity as defined in subdivision one of this section; or (ii) implements a data security program that includes the following: (A) reasonable administrative safeguards such as the following, in which the person or business: (1) designates one or more employees to coordinate the security program; (2) identifies reasonably foreseeable internal and external risks; (3) assesses the sufficiency of safeguards in place to control the identified risks; (4) trains and manages employees in the security program practices and procedures; (5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and (6) adjusts the security program in light of business changes or new circumstances" *N.Y. Gen. Bus. Law § 899-bb(2)(b).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
110
+
111
+ [^q2-technical-safeguards]: **N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(B)** — "reasonable technical safeguards such as the following, in which the person or business: (1) assesses risks in network and software design; (2) assesses risks in information processing, transmission and storage; (3) detects, prevents and responds to attacks or system failures; and (4) regularly tests and monitors the effectiveness of key controls, systems and procedures" *N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(B).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
112
+
113
+ [^q2-physical-safeguards]: **N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)** — "reasonable physical safeguards such as the following, in which the person or business: (1) assesses risks of information storage and disposal; (2) detects, prevents and responds to intrusions; (3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed." *N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
114
+
115
+ [^q2-small-business-def]: **N.Y. Gen. Bus. Law § 899-bb(1)(c)** — "‘Small business’ shall mean any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles." *N.Y. Gen. Bus. Law § 899-bb(1)(c).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
116
+
117
+ [^q2-small-business-proviso]: **N.Y. Gen. Bus. Law § 899-bb(2)(c)** — "A small business as defined in paragraph (c) of subdivision one of this section complies with subparagraph (ii) of paragraph (b) of subdivision two of this section if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers." *N.Y. Gen. Bus. Law § 899-bb(2)(c).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
118
+
119
+ [^q2-349-hook]: **N.Y. Gen. Bus. Law § 899-bb(2)(d)** — "Any person or business that fails to comply with this subdivision shall be deemed to have violated section three hundred forty-nine of this chapter, and the attorney general may bring an action in the name and on behalf of the people of the state of New York to enjoin such violations and to obtain civil penalties under section three hundred fifty-d of this chapter." *N.Y. Gen. Bus. Law § 899-bb(2)(d).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
120
+
121
+ [^q2-350d-penalty]: **N.Y. Gen. Bus. Law § 350-d** — "Any person, firm, corporation or association or agent or employee thereof who engages in any of the acts or practices stated in this article to be unlawful shall be liable to a civil penalty of not more than five thousand dollars for each violation, which shall accrue to the state of New York and may be recovered in a civil action brought by the attorney general." *N.Y. Gen. Bus. Law § 350-d(a).* <https://www.nysenate.gov/legislation/laws/GBS/350-D>
122
+
123
+ [^q3-gbs-349]: **N.Y. Gen. Bus. Law § 349(a)** — "Unfair, deceptive, or abusive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful." *N.Y. Gen. Bus. Law § 349(a).* <https://www.nysenate.gov/legislation/laws/GBS/349>
124
+
125
+ [^q3-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
126
+
127
+ [^q3-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
128
+
129
+ [^q4-cdpa-default]: **N.Y. Gen. Bus. Law § 899-ff(1)** — "Except as provided for in subdivision six of this section and section eight hundred ninety-nine-jj of this article, an operator shall not process, or allow a processor to process, the personal data of a covered user collected through the use of a website, online service, online application, mobile application, or connected device, or allow a third-party operator to collect the personal data of a covered user collected through the operator's website, online service, online application, mobile application, or connected device unless and to the extent: (a) the covered user is twelve years of age or younger and processing is permitted under 15 U.S.C. § 6502 and its implementing regulations; or (b) the covered user is thirteen years of age or older and processing is strictly necessary for an activity set forth in subdivision two of this section, or informed consent has been obtained as set forth in subdivision three of this section." *N.Y. Gen. Bus. Law § 899-ff(1).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
130
+
131
+ [^q4-covered-user]: **N.Y. Gen. Bus. Law § 899-ee(1)** — "‘Covered user’ shall mean a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York who is: (a) actually known by the operator of such website, online service, online application, mobile application, or connected device to be a minor; or (b) using a website, online service, online application, mobile application, or connected device primarily directed to minors." *N.Y. Gen. Bus. Law § 899-ee(1).* <https://www.nysenate.gov/legislation/laws/GBS/899-EE>
132
+
133
+ [^q4-minor-def]: **N.Y. Gen. Bus. Law § 899-ee(2)** — "‘Minor’ shall mean a natural person under the age of eighteen." *N.Y. Gen. Bus. Law § 899-ee(2).* <https://www.nysenate.gov/legislation/laws/GBS/899-EE>
134
+
135
+ [^q4-sale-ban]: **N.Y. Gen. Bus. Law § 899-ff(5)** — "Except as provided for in section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user." *N.Y. Gen. Bus. Law § 899-ff(5).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
136
+
137
+ [^q4-consent]: **N.Y. Gen. Bus. Law § 899-ff(3)** — "Requests for such informed consent shall: (i) be made separately from any other transaction or part of a transaction; (ii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing; (iii) clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and (iv) clearly present an option to refuse to provide consent as the most prominent option." *N.Y. Gen. Bus. Law § 899-ff(3)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
138
+
139
+ [^q4-revocation]: **N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c)** — "Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide. (c) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent." *N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
140
+
141
+ [^q4-no-degradation]: **N.Y. Gen. Bus. Law § 899-ff(4)** — "Except where processing is strictly necessary to provide a product, service, or feature, an operator may not withhold, degrade, lower the quality, or increase the price of any product, service, or feature to a covered user due to the operator not obtaining verifiable parental consent under 15 U.S.C. § 6502 and its implementing regulations or informed consent under subdivision three of this section." *N.Y. Gen. Bus. Law § 899-ff(4).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
142
+
143
+ [^q4-deletion]: **N.Y. Gen. Bus. Law § 899-ff(6)** — "Within thirty days of determining or being informed that a user is a covered user, an operator shall: (a) dispose of, destroy, or delete and direct all of its processors to dispose of, destroy, or delete all personal data of such covered user that it maintains, unless processing such personal data is permitted under 15 U.S.C. § 6502 and its implementing regulations, is strictly necessary for an activity listed in subdivision two of this section, or informed consent is obtained as set forth in subdivision three of this section" *N.Y. Gen. Bus. Law § 899-ff(6).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
144
+
145
+ [^q4-device-signal]: **N.Y. Gen. Bus. Law § 899-ff(3)(d)** — "If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent." *N.Y. Gen. Bus. Law § 899-ff(3)(d).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
146
+
147
+ [^q4-remedies]: **N.Y. Gen. Bus. Law § 899-mm** — "Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits or gains obtained directly or indirectly by any such violation, including but not limited to the destruction of unlawfully obtained data, to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to five thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief." *N.Y. Gen. Bus. Law § 899-mm.* <https://www.nysenate.gov/legislation/laws/GBS/899-MM>
148
+
149
+ [^q5-consent]: **N.Y. Gen. Bus. Law § 899-ff(3)(a)** — "Requests for such informed consent shall: (i) be made separately from any other transaction or part of a transaction; (ii) be made in the absence of any mechanism that has the purpose or substantial effect of obscuring, subverting, or impairing a covered user's decision-making regarding authorization for the processing; (iii) clearly and conspicuously state that the processing for which the consent is requested is not strictly necessary, and that the covered user may decline without preventing continued use of the website, online service, online application, mobile application, or connected device; and (iv) clearly present an option to refuse to provide consent as the most prominent option." *N.Y. Gen. Bus. Law § 899-ff(3)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
150
+
151
+ [^q5-sale-ban]: **N.Y. Gen. Bus. Law § 899-ff(5)** — "Except as provided for in section eight hundred ninety-nine-jj of this article, an operator shall not purchase or sell, or allow a processor or third-party operator to purchase or sell, the personal data of a covered user." *N.Y. Gen. Bus. Law § 899-ff(5).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
152
+
153
+ [^q5-349h-pra]: **N.Y. Gen. Bus. Law § 349(h)** — "In addition to the right of action granted to the attorney general pursuant to this section, any person who has been injured by reason of any deceptive act or deceptive practice made unlawful by this section may bring an action in such person's own name to enjoin such deceptive act or deceptive practice, an action to recover such person's actual damages or fifty dollars, whichever is greater, or both such actions. The court may, in its discretion, increase the award of damages to an amount not to exceed three times the actual damages up to one thousand dollars, if the court finds the defendant willfully or knowingly violated this section. The court may award reasonable attorney's fees to a prevailing plaintiff." *N.Y. Gen. Bus. Law § 349(h).* <https://www.nysenate.gov/legislation/laws/GBS/349>
154
+
155
+ [^q5-revocation]: **N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c)** — "Such informed consent, once given, shall be freely revocable at any time, and shall be at least as easy to revoke as it was to provide. (c) If a covered user declines to provide or revokes informed consent for processing, another request may not be made for such processing for the following calendar year, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent." *N.Y. Gen. Bus. Law § 899-ff(3)(b)-(c).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
156
+
157
+ [^q5-device-signal]: **N.Y. Gen. Bus. Law § 899-ff(3)(d)** — "If a covered user's device communicates or signals that the covered user declines to provide informed consent for processing pursuant to the provisions of subdivision two of section eight hundred ninety-nine-ii of this article, an operator shall not request informed consent for such processing, however an operator may make available a mechanism that a covered user can use unprompted and at the user's discretion to provide informed consent." *N.Y. Gen. Bus. Law § 899-ff(3)(d).* <https://www.nysenate.gov/legislation/laws/GBS/899-FF>
158
+
159
+ [^q5-shield-vendor]: **N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(A)(5)** — "selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract" *N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(A)(5).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
160
+
161
+ [^q5-cdpa-processor]: **N.Y. Gen. Bus. Law § 899-gg(1)** — "Except as provided for in section eight hundred ninety-nine-jj of this article, no operator or processor shall disclose the personal data of a covered user to a third party, or allow the processing of the personal data of a covered user by a third party, without a written, binding agreement governing such disclosure or processing. Such agreement shall clearly set forth instructions for the nature and purpose of the processor's processing of the personal data, instructions for using or further disclosing the personal data, and the rights and obligations of both parties." *N.Y. Gen. Bus. Law § 899-gg(1).* <https://www.nysenate.gov/legislation/laws/GBS/899-GG>
162
+
163
+ [^q5-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
164
+
165
+ [^q5-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information" *45 C.F.R. § 164.504(e).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information>
166
+
167
+ [^q6-breach-trigger]: **N.Y. Gen. Bus. Law § 899-aa(2)** — "Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, provided that such notification shall be made within thirty days after the breach has been discovered, except for the legitimate needs of law enforcement, as provided in subdivision four of this section." *N.Y. Gen. Bus. Law § 899-aa(2).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
168
+
169
+ [^q6-breach-def]: **N.Y. Gen. Bus. Law § 899-aa(1)(c)** — "‘Breach of the security of the system’ shall mean unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business." *N.Y. Gen. Bus. Law § 899-aa(1)(c).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
170
+
171
+ [^q6-regulator-notice]: **N.Y. Gen. Bus. Law § 899-aa(8)(a)** — "In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state, the division of state police, and the department of financial services as to the timing, content and distribution of the notices and approximate number of affected persons and shall provide a copy of the template of the notice sent to affected persons" *N.Y. Gen. Bus. Law § 899-aa(8)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
172
+
173
+ [^q6-private-info]: **N.Y. Gen. Bus. Law § 899-aa(1)(b)** — "(1) social security number; (2) driver's license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; (4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual's financial account without additional identifying information, security code, access code, or password; or (5) biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual's identity; or (6) medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (7) health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual or any information in an individual's application and claims history, including but not limited to, appeals history; or (ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account." *N.Y. Gen. Bus. Law § 899-aa(1)(b).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
174
+
175
+ [^q6-maintainer-notice]: **N.Y. Gen. Bus. Law § 899-aa(3)** — "Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately, provided that such notification shall be made within thirty days following discovery, if the private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization." *N.Y. Gen. Bus. Law § 899-aa(3).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
176
+
177
+ [^q6-notice-methods]: **N.Y. Gen. Bus. Law § 899-aa(5)** — "The notice required by this section shall be directly provided to the affected persons by one of the following methods: (a) written notice; (b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction. (c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or (d) substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information." *N.Y. Gen. Bus. Law § 899-aa(5).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
178
+
179
+ [^q6-harm-carveout]: **N.Y. Gen. Bus. Law § 899-aa(2)(a)** — "Notice to affected persons under this section is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials as found in subparagraph (ii) of paragraph (b) of subdivision one of this section. Such a determination must be documented in writing and maintained for at least five years. If the incident affects over five hundred residents of New York, the person or business shall provide the written determination to the state attorney general within ten days after the determination." *N.Y. Gen. Bus. Law § 899-aa(2)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
180
+
181
+ [^q6-cra-notice]: **N.Y. Gen. Bus. Law § 899-aa(8)(b)** — "In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons." *N.Y. Gen. Bus. Law § 899-aa(8)(b).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
182
+
183
+ [^q6-aa-damages]: **N.Y. Gen. Bus. Law § 899-aa(6)(a)** — "In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses." *N.Y. Gen. Bus. Law § 899-aa(6)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
184
+
185
+ [^q6-ag-penalty]: **N.Y. Gen. Bus. Law § 899-aa(6)(a)** — "Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to twenty dollars per instance of failed notification, provided that the latter amount shall not exceed two hundred fifty thousand dollars." *N.Y. Gen. Bus. Law § 899-aa(6)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
186
+
187
+ [^q6-hipaa-ag-copy]: **N.Y. Gen. Bus. Law § 899-aa(9)** — "Any covered entity required to provide notification of a breach, including breach of information that is not ‘private information’ as defined in paragraph (b) of subdivision one of this section, to the secretary of health and human services pursuant to the Health Insurance Portability and Accountability Act of 1996 or the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, shall provide such notification to the state attorney general within five business days of notifying the secretary." *N.Y. Gen. Bus. Law § 899-aa(9).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
188
+
189
+ [^q7-shield-no-pra]: **N.Y. Gen. Bus. Law § 899-bb(2)(e)** — "Nothing in this section shall create a private right of action." *N.Y. Gen. Bus. Law § 899-bb(2)(e).* <https://www.nysenate.gov/legislation/laws/GBS/899-BB>
190
+
191
+ [^q7-aa-damages]: **N.Y. Gen. Bus. Law § 899-aa(6)(a)** — "whenever the attorney general shall believe from evidence satisfactory to him or her that there is a violation of this article he or she may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses." *N.Y. Gen. Bus. Law § 899-aa(6)(a).* <https://www.nysenate.gov/legislation/laws/GBS/899-AA>
192
+
193
+ [^q7-349h-pra]: **N.Y. Gen. Bus. Law § 349(h)** — "In addition to the right of action granted to the attorney general pursuant to this section, any person who has been injured by reason of any deceptive act or deceptive practice made unlawful by this section may bring an action in such person's own name to enjoin such deceptive act or deceptive practice, an action to recover such person's actual damages or fifty dollars, whichever is greater, or both such actions. The court may, in its discretion, increase the award of damages to an amount not to exceed three times the actual damages up to one thousand dollars, if the court finds the defendant willfully or knowingly violated this section. The court may award reasonable attorney's fees to a prevailing plaintiff." *N.Y. Gen. Bus. Law § 349(h).* <https://www.nysenate.gov/legislation/laws/GBS/349>
194
+
195
+ [^q7-labor-penalty]: **N.Y. Lab. Law § 203-d(3)** — "The commissioner may impose a civil penalty of up to five hundred dollars on any employer for any knowing violation of this section. It shall be presumptive evidence that a violation of this section was knowing if the employer has not put in place any policies or procedures to safeguard against such violation, including procedures to notify relevant employees of these provisions." *N.Y. Lab. Law § 203-d(3).* <https://www.nysenate.gov/legislation/laws/LAB/203-D>
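Review bot: In [^q6-private-info], the quotation from § 899-aa(1)(b) opens at "(1) social security number" but closes with "or (ii) a user name or e-mail address in combination with a password ...", so the "(ii)" has no matching "(i)" and a reader cannot tell what items (1) through (7) are subordinate to. Start the quotation at the opening of paragraph (b), or mark the omitted lead-in with an ellipsis so the excerpt is visibly partial. Separately, the sentence quoted in [^q6-aa-damages] is repeated in full inside [^q7-aa-damages], both cited to § 899-aa(6)(a); citing a single footnote from both places would keep a later correction to the quotation from having to be made twice.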