New York Data Privacy Laws: SHIELD Act & Consumer Rights (2026)

New York has one of the most active data privacy enforcement environments in the United States. While the state has not yet enacted a comprehensive consumer data privacy law comparable to California's CCPA or Virginia's CDPA, it maintains a robust framework of sectoral protections covering data breaches, biometric information, employee monitoring, student records, and health data.
The New York Attorney General's office has aggressively enforced existing laws, securing millions of dollars in penalties from companies that failed to protect New Yorkers' personal information. This guide covers every major New York data privacy statute currently in effect, pending legislation, and what rights residents have today.
The SHIELD Act: New York's Core Data Security Law
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) is the centerpiece of New York's data privacy framework. Governor Andrew Cuomo signed it into law on July 25, 2019. Its breach notification changes took effect on October 23, 2019, and its data security requirements on March 21, 2020. The Act significantly expanded the state's existing data breach notification law, which dated from 2005.

The SHIELD Act is codified in two key sections of the New York General Business Law: Section 899-aa (breach notification requirements) and Section 899-bb (data security safeguard requirements).
Who the SHIELD Act Applies To
The SHIELD Act applies to any person or business that owns or licenses computerized data containing the private information of New York residents. The original law reached only businesses that conducted business in New York; the SHIELD Act removed that condition, so a business located outside New York is covered if it holds data belonging to New York residents.
There is no revenue threshold or employee count minimum for the breach notification requirements. Every business that holds New Yorkers' private information must comply. A business that merely maintains computerized data it does not own, such as a hosting or payroll provider, has a different duty: it must notify the owner or licensor of the data immediately after discovering a breach, and the owner or licensor then carries the notification obligations described below.
Expanded Definition of Private Information
The SHIELD Act broadened the categories of data that qualify as "private information" beyond the original 2005 law. Private information now means personal information (any information that identifies a natural person by name, number, personal mark, or other identifier) combined with one or more of the following data elements:
- Social Security numbers
- Driver's license numbers or non-driver ID numbers
- Account, credit card, or debit card numbers together with any required security code, access code, password, or PIN
- Account, credit card, or debit card numbers on their own, where the number could be used to access the account without additional identifying information
- Biometric information (fingerprints, voiceprints, retina or iris images, or other unique physical or digital representations used to authenticate or ascertain identity)
- Medical information and health insurance information (added by the December 2024 amendment, effective March 21, 2025)
Private information also means, on its own and without a name, a username or email address combined with a password or security question and answer that would permit access to an online account.
Two limits matter in practice. Data that is encrypted does not count as private information unless the encryption key was also accessed or acquired, so an exposed ciphertext backup with the key held elsewhere is not a notifiable breach. Information lawfully made available to the public from federal, state, or local government records is excluded.
A breach occurs when private information is acquired or accessed by a person without valid authorization. The SHIELD Act expanded the definition from "unauthorized acquisition" alone to include unauthorized "access," a lower and broader threshold. The statute lists factors for deciding whether access occurred, including indications that the information was viewed, communicated with, used, or altered by an unauthorized person; whether a business can answer that question after an incident depends on the access logs it kept beforehand.
Reasonable Data Security Safeguards
Section 899-bb of the General Business Law requires every business that owns or licenses private information of New York residents to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that data. The statute does not prescribe specific controls; instead it treats a business as compliant if its data security program includes safeguards in each of the three categories below. A business that is already regulated under the Gramm-Leach-Bliley Act, HIPAA and HITECH, or the NYDFS cybersecurity regulation (23 NYCRR Part 500) and complies with that regime is deemed to comply with Section 899-bb.
These safeguards fall into three categories.
Administrative safeguards require businesses to designate one or more employees to coordinate the security program, identify reasonably foreseeable internal and external risks, assess the sufficiency of existing safeguards to control identified risks, train and manage employees in security program practices and procedures, select service providers capable of maintaining appropriate safeguards and require them contractually to do so, and adjust the security program in light of business changes or new circumstances.
Technical safeguards require businesses to assess risks in network and software design, assess risks in information processing, transmission, and storage, detect, prevent, and respond to attacks or system failures, and regularly test and monitor the effectiveness of key controls, systems, and procedures.
Physical safeguards require businesses to assess risks of information storage and disposal, detect, prevent, and respond to intrusions, protect against unauthorized access to or use of private information during or after collection, transportation, and destruction or disposal, and dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Small Business Flexibility
The SHIELD Act provides a scaled compliance standard for small businesses. A business qualifies for this flexible standard if it has fewer than 50 employees, less than $3 million in gross annual revenue for each of the last three fiscal years, or less than $5 million in year-end total assets.
Small businesses meeting any of these criteria must still implement reasonable safeguards appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the private information they collect.
Data Breach Notification Requirements
New York's breach notification requirements are among the most detailed in the country. On December 21, 2024, Governor Hochul signed an amendment that added a fixed 30-day notification deadline.
30-Day Notification Timeline
The December 2024 amendment made three significant changes. First, notice to affected individuals must now be given in the most expedient time possible and without unreasonable delay, and in any case within 30 days after the breach is discovered; previously there was no fixed outer deadline. Second, the New York Department of Financial Services (NYDFS) was added to the agencies that must receive breach notifications, alongside the Attorney General, the Department of State, and the State Police. Third, "private information" was expanded to include medical information and health insurance information; this change took effect on March 21, 2025, while the 30-day deadline took effect immediately.
The 30-day clock may be extended only for the legitimate needs of law enforcement, for example where an agency determines that notification would impede a criminal investigation; notice must then be made once law enforcement determines it no longer compromises the investigation. Time spent determining the scope of the breach or restoring system integrity does not extend the deadline.
Who Must Be Notified
When a breach occurs and New York residents are to be notified, the business must notify:
- All affected New York residents whose private information was compromised
- The New York State Attorney General
- The New York State Division of State Police
- The Department of State's Division of Consumer Protection
- The New York Department of Financial Services (added by the December 2024 amendment)
The agency notices must describe the timing, content, and distribution of the individual notices and the approximate number of affected persons, include a copy of the notice template, and must not delay the notice to affected residents. If more than 5,000 New York residents are notified at one time, the business must also tell the consumer reporting agencies the timing, content, and distribution of the notices and the approximate number of affected persons.
Businesses submit notifications to the state agencies using the New York State Information Security Breach and Notification Act Reporting Form. A HIPAA covered entity that reports a breach to the U.S. Department of Health and Human Services must also notify the Attorney General within five business days of that report, even where the data involved is not "private information" under state law.
Methods of Notification
Notice may be given by written notice, by electronic notice where the affected person has expressly consented to receive it and the business keeps a log of the notices sent, or by telephone notice where the business keeps a log of the calls. Consent to electronic notice cannot be made a condition of doing business. Substitute notice, consisting of all three of email notice where an address is known, conspicuous posting on the business's website, and notification to major statewide media, is permitted when any of the following applies:
- The cost of notification would exceed $250,000
- More than 500,000 people are affected
- The business does not have sufficient contact information
Email may not be used for substitute notice when the breached data is the email address together with a password or security question and answer, because the attacker may now control that mailbox. The business must instead deliver a clear and conspicuous notice online when the user next connects to the account from an IP address or location from which the business knows the user customarily accesses it.
Notice to affected persons is not required when the exposure was an inadvertent disclosure by a person authorized to access the data and the business reasonably determines that it is unlikely to result in misuse of the information, financial harm, or, where online credentials are involved, emotional harm. The business must document that determination in writing and retain the documentation for at least five years. If the incident affects more than 500 New York residents, the written determination must be provided to the Attorney General within 10 days of being made.
Penalties for Breach Notification Violations
Under N.Y. Gen. Bus. Law Sections 899-aa and 899-bb, a court may award damages and impose the following civil penalties in an action brought by the Attorney General:
| Violation Type | Penalty |
|---|---|
| Failure to notify (any) | Damages for actual costs or losses incurred by persons entitled to notice, including consequential financial losses |
| Knowing or reckless failure to notify | Greater of $5,000 or up to $20 per failed notification (max $250,000) |
| Failure to maintain reasonable safeguards (899-bb) | Up to $5,000 per violation |
| Injunctive relief | Courts may enjoin further violations and order compliance |
The Attorney General is authorized to bring an action on behalf of affected New York residents to enforce these provisions. An action must be brought within three years of the date the Attorney General became aware of the violation or the date notice was sent to the Attorney General, whichever comes first, and in no case more than six years after the business discovered the breach unless the business took steps to hide it. Neither Section 899-aa nor Section 899-bb creates a private right of action; individuals cannot sue under the SHIELD Act directly.
Recent SHIELD Act Enforcement Actions
The New York Attorney General's office has been actively enforcing the SHIELD Act with significant penalties against companies that failed to protect New Yorkers' data.
2024 Enforcement Actions:
- National Amusements, Inc. paid $250,000 for failing to protect the personal information of more than 23,000 New York employees and contractors. The investigation found the company failed to implement strong data security measures.
- Attorney General James and the Department of Financial Services secured $11.3 million from GEICO and Travelers for poor data security practices that led to breaches affecting tens of thousands of New Yorkers.
2025 Enforcement Actions:
- Wojeski & Company, a public accounting firm, agreed to pay $60,000 in penalties and implement cybersecurity improvements after a data breach exposed client information.
- Root Insurance paid $975,000 for failing to protect personal information, resulting in data exposure for over 45,000 New Yorkers.
These enforcement actions demonstrate that the Attorney General's office treats data security failures seriously regardless of company size or industry.
NYC Biometric Identifier Information Law
New York City enacted Local Law 3 of 2021, a biometric privacy ordinance that took effect on July 9, 2021. The law is enforced by the New York City Department of Consumer and Worker Protection (DCWP).
What the Law Covers
The law applies to "commercial establishments" in New York City, defined as places of entertainment, retail stores, and food and drink establishments. These businesses must comply if they collect, use, retain, convert, store, or share biometric identifier information from customers.
Biometric identifier information includes fingerprints, facial recognition data, retina or iris scans, voiceprints, and hand geometry scans.
Requirements for Commercial Establishments
Covered businesses must:
- Post a clear and conspicuous sign at all customer entrances notifying customers that biometric identifier information is being collected
- Use signage in the form prescribed by the DCWP (a template is available on the department's website)
- Refrain from selling, leasing, trading, sharing in exchange for anything of value, or otherwise profiting from the exchange of biometric identifier information
The signage requirement does not apply to financial institutions, or to biometric identifier information collected through photographs or video recordings, provided the images are not analyzed by software that identifies individuals by their physiological or biological characteristics and are not shared with, sold, or leased to anyone other than law enforcement. Ordinary CCTV therefore falls outside the signage rule; a camera feed run through facial recognition does not.
Penalties and Enforcement
Local Law 3 includes a private right of action, meaning affected individuals can sue directly. Statutory damages include:
| Violation Type | Penalty Per Violation |
|---|---|
| Failure to post signage | $500 per violation |
| Negligent sale or profit from biometric data | $500 per violation |
| Intentional or reckless sale or profit from biometric data | $5,000 per violation |
Reasonable attorneys' fees and costs are also recoverable. However, if a commercial establishment cures a signage violation within 30 days of receiving written notice and provides a written statement confirming the cure, the individual may not commence legal action for that specific violation.
Employee Electronic Monitoring Law
New York's employee monitoring notification law, codified as Civil Rights Law Section 52-c*2 (the "*2" marks it as the second of two sections numbered 52-c), took effect on May 7, 2022 and requires employers to inform employees about electronic monitoring of their communications and internet use.
What Employers Must Disclose
Any employer with a place of business in New York State that monitors employees' electronic activity must provide prior written notice upon hiring. The notice must inform employees that their telephone conversations, electronic mail, internet access, and other electronic communications may be subject to monitoring at any and all times by any lawful means.
This includes monitoring through computers, telephones, wire, radio, electromagnetic, photoelectronic, or photo-optical systems.
How Notice Must Be Given
Employers must give the written notice to each employee upon hiring, before monitoring of that employee begins. The employer must also post the notice of monitoring in a conspicuous place that is readily available for viewing by employees.
Employees must acknowledge receipt of the notice, either in writing or electronically.
Exceptions
The notification requirement does not apply to processes designed to manage the type or volume of incoming or outgoing email, telephone voicemail, or internet usage, provided they are not targeted at monitoring or intercepting a particular individual's email, voicemail, or internet usage and are performed solely for computer system maintenance or protection. Spam filtering, malware scanning, and bandwidth management fall under this exception; reviewing a named employee's mailbox does not.
Penalties for Noncompliance
| Offense | Civil Penalty |
|---|---|
| First violation | Up to $500 |
| Second violation | Up to $1,000 |
| Third and subsequent violations | Up to $3,000 each |
The New York Attorney General is authorized to enforce these provisions.
Student Data Privacy (Education Law Section 2-d)
Education Law Section 2-d protects the personally identifiable information (PII) of students and certain teacher and principal data maintained by educational agencies in New York.
Protected Information
The law protects student personally identifiable information held by educational agencies, including school districts, boards of cooperative educational services (BOCES), and the New York State Education Department (NYSED). This includes names, addresses, Social Security numbers, student identification numbers, grades, disciplinary records, and any other information that could be used to identify a student.
Key Requirements
Educational agencies must maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of student PII. Specific requirements include:
- Publishing a Data Privacy and Security Policy on the agency's website
- Including data privacy provisions in every contract with third-party contractors who receive student data
- Ensuring that third-party contractors do not sell student PII or use it for commercial purposes
- Reporting data breaches to the Chief Privacy Officer at NYSED
Parents' Bill of Rights
Education Law Section 2-d establishes a Parents' Bill of Rights for Data Privacy and Security that must be published on each educational agency's website and included with every contract involving student data. Key rights include:
- A student's PII cannot be sold or released for any commercial purpose
- Parents have the right to inspect and review their child's complete education record
- State and federal laws protect the confidentiality of PII, and safeguards associated with industry standards and best practices must be in place
- Parents have the right to file complaints about possible breaches with NYSED
Third-Party Contractor Obligations
Third-party contractors that receive student data must adhere to the data security and privacy plan adopted by the educational agency. Part 121 of the Commissioner's Regulations strengthens these requirements by mandating that contracts include specific data privacy and security provisions, breach notification procedures, and data return or destruction requirements upon contract termination. Part 121 also sets the breach clock: a contractor must notify the educational agency within seven calendar days of discovering a breach or unauthorized release, the agency must report it to the NYSED Chief Privacy Officer within 10 calendar days, and affected parents, eligible students, teachers, and principals must be notified within 60 calendar days of discovery.
Health Information Privacy
New York provides health data protections that supplement and in some cases exceed federal HIPAA requirements.
Public Health Law Section 18
Under Section 18 of the Public Health Law, patients and other qualified persons have a right to access patient information maintained by health care facilities licensed by the New York Department of Health, including hospitals, home care facilities, hospices, health maintenance organizations, and shared health facilities.
The law contains specific procedures for making records available and the conditions under which a provider can deny access.
HIV/AIDS Confidentiality (Article 27-F)
Public Health Law Article 27-F provides strict confidentiality protections for HIV-related information. All HIV testing must include informed consent, and test results are protected from disclosure except in specific, narrowly defined circumstances authorized by law.
Providers must inform patients before testing that the test is voluntary, that results are confidential, and that the law prohibits discrimination based on HIV status.
Genetic Testing Privacy (Civil Rights Law Article 79-l)
Civil Rights Law Section 79-l requires written informed consent for genetic testing and protects the confidentiality of genetic test results. Under this statute, all records, findings, and results of any genetic test are deemed confidential and cannot be disclosed without the written informed consent of the person tested, subject to narrow statutory exceptions.
The law also limits the circumstances under which insurers may request a genetic test or obtain its results.
The Proposed New York Privacy Act
New York has repeatedly introduced comprehensive consumer data privacy legislation, but none has been enacted as of March 2026.
The most recent versions are Senate Bill S3044, introduced by Senator Gonzalez on January 23, 2025, and its Assembly companion bills A4947 and A8158.
What the Proposed Law Would Do
If enacted, the New York Privacy Act would grant consumers several new rights:
- Clear notice of how personal data is being used, processed, and shared
- The right to access and obtain a copy of their data in a commonly used electronic format
- The right to correct inaccurate data
- The right to request deletion of their data
- The right to opt out of data processing, targeted advertising, and data sales
- Opt-in consent required for processing sensitive personal data
- The ability to transfer data between services (data portability)
Business Obligations Under the Proposed Act
The proposed legislation would require businesses to maintain reasonable data security for personal data, notify consumers of foreseeable harms arising from use of their data and obtain specific consent for that use, and conduct regular assessments to ensure data is not being used for unacceptable purposes.
Data brokers would be required to register with the Attorney General and pay an annual fee.
Enforcement
The New York Attorney General would be empowered to enforce the law and obtain civil penalties for violations. As introduced, the bill does not include a private right of action for consumers.
Current Status
Both S3044 and A4947 are currently in committee review. Previous versions of the New York Privacy Act were introduced in the 2019, 2021, and 2023 legislative sessions without being enacted. The current bill passed a key Senate committee vote in May 2025.
Summary of New York Data Privacy Penalties
| Law | Violation | Maximum Penalty |
|---|---|---|
| SHIELD Act (899-aa) | Any failure to notify of breach | Damages for actual costs or losses (AG action) |
| SHIELD Act (899-aa) | Knowing/reckless failure to notify of breach | Greater of $5,000 or $20/person (max $250,000) |
| SHIELD Act (899-bb) | Failure to maintain reasonable safeguards | $5,000 per violation |
| NYC Biometric Law | Failure to post signage | $500 per violation (private action) |
| NYC Biometric Law | Negligent sale of biometric data | $500 per violation (private action) |
| NYC Biometric Law | Intentional or reckless sale of biometric data | $5,000 per violation (private action) |
| Employee Monitoring (CVR 52-c*2) | First offense | $500 |
| Employee Monitoring (CVR 52-c*2) | Second offense | $1,000 |
| Employee Monitoring (CVR 52-c*2) | Third and subsequent offenses | $3,000 each |
More New York Laws
Looking for information on other New York privacy and legal topics? Visit our Data Privacy Laws by State hub to compare New York with other states. You can also explore related topics:
- New York Recording Laws for rules on recording conversations
- New York Surveillance Camera Laws for video surveillance regulations
- New York Background Check Laws for employer screening rules
- New York Medical Records Retention Laws for health record storage requirements
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in New York for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- SHIELD Act Overview, New York State Attorney General (ag.ny.gov)
- N.Y. General Business Law Section 899-aa, Breach Notification (nysenate.gov)
- N.Y. General Business Law Section 899-bb, Data Security Protections (nysenate.gov)
- Data Security Breach Management, NY Department of State (dos.ny.gov)
- Breach Notification and Incident Reporting, NY Office of IT Services (its.ny.gov)
- NYC Biometric Identifier Information Rules, DCWP (rules.cityofnewyork.us)
- N.Y. Civil Rights Law Section 52-c, Employee Monitoring Notification (nysenate.gov)
- NYSED Data Privacy and Security Policy, Education Law 2-d (nysed.gov)
- Parents Bill of Rights for Data Privacy and Security, NYSED (nysed.gov)
- Patient Rights and Access to Information, NY Department of Health (health.ny.gov)
- HIV/AIDS Laws and Regulations, NY Department of Health (health.ny.gov)
- N.Y. Civil Rights Law Section 79-l, Genetic Testing Privacy (nysenate.gov)
- Senate Bill S3044, New York Privacy Act (2025) (nysenate.gov)
- AG James Secures $250,000 from National Amusements (2024) (ag.ny.gov)
- AG James Secures $975,000 from Root Insurance (2025) (ag.ny.gov)