New York State Data Privacy Laws

In New York and nationwide, data privacy laws aim to protect consumers and their personal information from being accessed by unauthorized third parties. Data breaches can cause significant damage to victims’ lives, and identity theft is a real threat. Privacy laws in New York aim to prevent data breaches and give residents the information and access they need to protect themselves after a breach occurs.

Home • What is a Data Breach • New York State Data Privacy Laws

Last Modified date: July 8, 2025

At Class Action U, our goal is to help victims of data breaches protect their personal information and facilitate connections with law firms so victims can take legal action against the entities that recklessly allowed their data to be accessed. We offer a platform for those impacted by data breaches to join any class action lawsuits that may arise after breaches occur.

Data Privacy Laws in New York

Data privacy laws are crucial to protect the identities, finances, and personal information of consumers across New York. The state takes a proactive stance on data protection to minimize the impact of data breaches on residents and businesses alike. Because there is no comprehensive federal law governing data privacy, many individual states, including New York, have established their own privacy laws to safeguard consumer data.

As of 2025, New York’s two main data privacy laws include the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the New York Personal Privacy Protection Law (PPPL). However, several other data privacy laws with more comprehensive protections are pending in the state legislature.

The New York SHIELD Act: Key Provisions and Scope

In 2005, New York implemented the New York State Information Security Breach and Notification Act, which was updated in 2019 with the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The SHIELD Act expanded the 2005 legislation by including not only organizations that conduct business in New York but also any person or business that owns or licenses the private information of New York residents.

Under the SHIELD Act, businesses holding personal data on New York residents must take active steps to implement reasonable cybersecurity protections to prevent hackers from accessing consumer data. The act defines private information as social security numbers, driver’s license numbers, financial account numbers, biometric information, and usernames and passwords for website access. Additionally, the Act requires businesses to notify consumers if their data is accessed in a breach.

If a company fails to provide adequate notice of a data breach, affected individuals do not have legal recourse under the SHIELD Act. In that case, only the New York Attorney General can take action against the company by applying for an injunction and asking courts to impose civil penalties.

New York Personal Privacy Protection Law

In 1984, New York enacted the Personal Privacy Protection Law (PPPL) to recognize public concern about privacy and the relationship between government and the people. Unlike the SHIELD Act, the PPPL applies only to government entities that collect and store residents’ personal information. The PPPL regulates how the state can collect, maintain, and disseminate that information and gives residents the right to access, correct, and amend those records.

Additionally, the PPPL prohibits government agencies from collecting personal information unless it is “relevant and necessary” and requires agencies to tell residents why the information is being collected, where it will be kept, and how it will be used. The law protects residents against disclosures of personal information without their consent, except in specific circumstances.

Proposed New York Privacy Laws

New York Privacy Act

The proposed New York Privacy Act has been introduced in four legislative sessions since 2019, with the latest introduction in early 2025. As of June 2025, it is pending in the Assembly Committee on Consumer Affairs and Protection. The Act would establish a Consumer Data Privacy Bill of Rights, address the purpose for which consumer data is collected, and require entities to use that data solely for that purpose. Under the Act, businesses would have to let users access the data, review it, and request deletion.

New York Health Information Privacy Act

First introduced in the 2023-2024 legislative session, the 2025 version of Senate Bill S929, or the New York Health Information Privacy Act, would enact further protections for residents’ health information. It passed the Senate and Assembly in January and is awaiting delivery to the governor as of June.

If enacted, the Health Information Privacy Act would establish requirements for communicating with individuals about their health information and require either written consent or a designated necessary purpose for processing that information.

Experienced a BREACH?

Data Breach Notification Requirements in New York

Under New York law, consumers whose personal data was obtained illegitimately by a third party must be notified of the breach by writing, telephone, email, or substitute notice. This notice must include information on the breached business or agency, contact details for relevant state and federal agencies, and a description of what information was accessed. All businesses must inform New York residents of data breaches, regardless of the businesses’ size.

If the breach affected more than 5,000 New Yorkers, notice must also be sent to a list of consumer reporting agencies mandated by the state Attorney General.

Consumer Rights and Protections Under New York Data Privacy Laws

New York offers a number of consumer protections to victims of data breaches, including notification rights, access to credit monitoring services, and legal protection against identity theft. Under state law, residents are entitled to one free credit report per year from each of the three major credit reporting agencies. Additionally, the New York State Attorney General requires businesses to provide consumers with “timely and accurate notice” of any breach, and the notice must contain clear, material information about the breach.

What to Do If Your Data Is Compromised in New York

If your data is breached as a New York resident, the first step to recovery is learning as much as possible about the incident. Then, change any relevant passwords and login information, and consider using tools like two-factor authentication for extra security. If your financial data was affected, monitor your accounts for unusual activity and check your credit reports regularly to spot unauthorized actions. You can also place a fraud alert or freeze your credit to prevent new accounts from being opened in your name.

After a breach occurs, stay alert for signs of fraud like unexpected charges or account activity. You may also wish to explore your legal options, including joining a class-action lawsuit if your data was part of a large breach. An experienced New York data breach attorney can advise you on the best legal course of action for your situation.

"*" indicates required fields

Name*

First Name Last Name

Email*

Phone Number*

Zip Code*

Tell Us About Your Case

By submitting this form, I agree to the Terms, Disclaimer and Privacy Notice and to receiving calls and emails from the law firm handling this investigation

TCPA*

By checking this box and clicking "Submit", I am providing my electronic signature expressly consenting to receive marketing phone calls, emails, and SMS text messages from Kopelowitz Ostrow Ferguson Weiselberg Gilbert (KO), or parties acting on its behalf, related to the products or services that I am inquiring about on the landline and/or mobile phone number that I provided, regardless of whether it is on any Do Not Call registry. I confirm that the phone number set forth above is accurate and that I am the regular user of the phone number. I understand that these calls may be generated using an automatic telephone dialing system and may contain pre-recorded and/or artificial voice messages. I understand that consent is not required as a condition for purchasing or obtaining any products or services. For SMS messages campaigns, text "STOP" to stop and "HELP" for help. Msg & data rates may apply.

This field is for validation purposes and should be left unchanged.