New York Data Privacy Laws: SHIELD Act & Consumer Rights (2026)

New York has one of the most active data privacy enforcement records in the United States. The state operates without a single comprehensive consumer privacy statute, but layers of targeted laws create obligations that, taken together, cover most of the ground that omnibus statutes cover elsewhere.
The cornerstone is the SHIELD Act (N.Y. Gen. Bus. Law sections 899-aa and 899-bb), which imposes breach notification duties and a "reasonable safeguards" standard on any business that holds private information about a New York resident, regardless of where that business is located. Governor Hochul signed amendments to the Act in December 2024, tightening notification deadlines to 30 days and expanding the definition of "private information" to include medical and health insurance data, effective March 21, 2025.
On top of the SHIELD Act, the Department of Financial Services (DFS) runs one of the strictest cybersecurity regimes in the country under 23 NYCRR Part 500. The New York City Biometric Identifier Information Law governs commercial use of biometrics within city limits. Labor Law section 52-c requires employers to disclose electronic monitoring. Education Law section 2-d protects student data. And the state AG has collected tens of millions of dollars in enforcement penalties just since 2024.
New York does not yet have a broad consumer privacy law comparable to California's CCPA or Virginia's VCDPA. Multiple versions of a "New York Privacy Act" have circulated in the legislature since 2019, but none has passed as of May 2026. Residents who want to understand what rights they currently have need to look at these sector-specific and security-focused laws rather than waiting for an omnibus statute.
The SHIELD Act: New York's Data Security and Breach Notification Law
New York General Business Law section 899-aa governs data breach notification. Section 899-bb governs the ongoing obligation to maintain reasonable data security. Together, these two provisions form the SHIELD Act, enacted in 2019.
Scope: Who Must Comply
The SHIELD Act applies to any person or business that owns or licenses "private information" of New York residents, even if that business has no physical presence in New York. There is no revenue or employee-count threshold. A sole proprietor in Texas that holds the email addresses and Social Security numbers of New York customers must comply.
Definition of Private Information
Before March 21, 2025, "private information" meant a name combined with one or more of: Social Security number, driver's license or non-driver ID number, financial account number plus security credentials, or account number plus security code that could permit access to the account. Biometric information was also included.
The December 2024 amendment, signed December 21, 2024 and effective March 21, 2025, added two new categories:
- Medical information: any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- Health insurance information: an individual's health insurance policy number, subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including appeals history.
A business that stores policyholder claim records, explanation-of-benefits documents, or treatment histories must now treat those records as protected private information under the SHIELD Act.
Breach Notification Requirements
When a breach occurs, the December 2024 amendment (effective immediately upon signing, December 21, 2024) requires:
- Notify affected New York residents within 30 days of discovering the breach. The prior standard was "in the most expedient time possible and without unreasonable delay" with no set limit.
- Notify four state agencies: the Attorney General, Department of State, State Police, and now the Department of Financial Services (DFS was added by the December 2024 amendment).
- If more than 500 residents are affected, provide the written determination to the Attorney General within 10 days of that determination.
- Data custodians (companies that hold but do not own the data) must notify the data owner or licensee within 30 days of discovering the breach.
Law enforcement may request a delay in resident notification when notification would impede a criminal investigation. That exception remains. The prior exception allowing delays to "restore system integrity" was removed.
Reasonable Safeguards Requirement
Section 899-bb requires businesses that own or license private information to implement and maintain a data security program that includes:
- Administrative safeguards: designate an employee to coordinate security, identify risks, train employees, select compliant service providers, and adjust the program as circumstances change.
- Technical safeguards: assess and monitor network controls, encrypt data in transit over public networks and on portable devices, dispose of data securely.
- Physical safeguards: assess risks related to document storage and disposal, detect and prevent unauthorized access, and dispose of private information in a reasonable time after it is no longer needed.
Small businesses (fewer than 50 employees, less than $3 million in gross annual revenue in each of the prior three years, or less than $5 million in year-end total assets) satisfy section 899-bb by implementing safeguards "appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information it collects."
SHIELD Act Penalties
The AG enforces the SHIELD Act. Failure to maintain reasonable safeguards carries a civil penalty up to $5,000 per violation. Failure to provide timely breach notification carries a penalty of $20 per instance, capped at $250,000. Knowing or reckless violations may be charged at the greater of $5,000 per violation or $20 per notification failure with the $250,000 cap.
23 NYCRR Part 500: DFS Cybersecurity Regulation
The New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), first adopted in March 2017, applies to all entities licensed, registered, chartered, or authorized under the Banking Law, Insurance Law, or Financial Services Law. This covers banks, insurance companies, mortgage lenders, and other financial services businesses operating in New York.
The DFS finalized a second amendment to Part 500 in November 2023, with phased implementation running from November 2023 through November 2025.
Key Requirements
Section 500.4 (Chief Information Security Officer): Covered entities must designate a qualified CISO responsible for overseeing the cybersecurity program. The CISO reports to the board of directors or equivalent at least annually.
Section 500.5 (Penetration Testing and Vulnerability Assessment): Annual penetration testing, and bi-annual automated vulnerability scans (or more frequently if risk-based assessment warrants).
Section 500.9 (Risk Assessment): Periodic risk assessments inform the design of the cybersecurity program. Risk assessments must be documented and reviewed at least annually.
Section 500.12 (Multi-Factor Authentication): MFA is required for access to all systems, including remote access. By the November 2025 deadline, covered entities had to implement MFA program-wide.
Section 500.15 (Encryption): Covered entities must encrypt nonpublic information at rest and in transit over external networks. Effective November 1, 2025, unencrypted nonpublic information cannot be transmitted over external networks.
Section 500.16 (Incident Response Plan): Maintain a written incident response plan. The plan must cover recovery, communication (internal and external), remediation, and documentation.
Section 500.17 (Notices to Superintendent): Covered entities must notify DFS of cybersecurity incidents within 72 hours of determining a reportable incident has occurred. This is the DFS's independent reporting obligation, separate from the SHIELD Act's 30-day consumer notification window.
Class A Companies
The 2023 amendment introduced a new "Class A" category for large covered entities: those with at least $20 million in gross annual revenue in each of the prior two fiscal years AND either 2,000 or more average employees OR more than $1 billion in gross annual revenue. Class A companies must conduct annual independent audits of their cybersecurity programs, implement privileged access management systems, and meet stricter endpoint detection and monitoring requirements.
DFS Enforcement
DFS has authority to impose civil monetary penalties under the Financial Services Law. The Delta Dental enforcement action (April 30, 2026, $2.25 million) illustrates the penalties available: DFS penalized Delta Dental Insurance Company and Delta Dental of New York for inadequate incident response policies and delayed reporting following the 2023 MOVEit zero-day breach, which exposed approximately 60,000 files containing policyholder personal information.
NYC Biometric Identifier Information Law
New York City enacted Local Law 3 of 2021, codified at NYC Administrative Code Title 22, chapter 12 (sections 22-1201 through 22-1205). The law took effect in July 2021 and is enforced by the Department of Consumer and Worker Protection (DCWP).
What the Law Covers
A "biometric identifier" under the NYC law is a physiological or biological characteristic used to identify an individual, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and similar identifiers. The law applies to commercial establishments in New York City.
Two core obligations:
- Signage: Any commercial establishment that collects biometric identifier information must post a clear and conspicuous sign near all customer entrances informing the public that biometric identifier information is being collected. Failure to post the required sign is subject to a $500 penalty, with a 30-day cure period after written notice.
- No sale: Commercial establishments may not sell, lease, trade, share in exchange for anything of value, or otherwise profit from biometric identifier information. Negligent violations carry a $500 penalty per violation. Intentional or reckless violations carry $5,000 per violation. The prevailing party recovers attorney fees in all cases.
Statewide Biometric Privacy Act: Still Pending
S1422A, the New York Biometric Privacy Act, would impose BIPA-style requirements statewide: written consent before collection, prohibition on sale, data retention limits, and a private right of action with statutory damages. As of May 2026, the Senate bill was reported favorably from the Consumer Protection Committee and referred to the Internet and Technology Committee, which then recommitted it. The companion Assembly bill (A6031) remained in the Consumer Affairs and Protection Committee. Neither chamber has held a floor vote.
If S1422A passes, it would apply to private entities across the state, not just to commercial establishments in New York City. It would create individual statutory damages similar to Illinois' BIPA, which has produced multi-billion-dollar class action settlements nationwide.
Employee Electronic Monitoring
New York Labor Law section 52-c (Civil Rights Law section 52-c, effective May 7, 2022) requires private employers with a place of business in New York to provide prior written notice before monitoring employee telephone conversations, electronic mail, or internet access.
What employers must do:
Provide written or electronic notice to each new employee upon hiring. The employee must acknowledge receipt in writing or electronically. Post the notice in a conspicuous place accessible to all employees.
The notice must state that telephone conversations, email, and internet use may be subject to monitoring at any time by any lawful means.
What the law does not do:
The law does not prohibit monitoring. It only requires advance disclosure. The AG enforces it. Penalties are $500 for a first offense, $1,000 for a second offense, and $3,000 for each subsequent offense. There is no private right of action.
Student Data Privacy: Education Law Section 2-d
New York Education Law section 2-d protects the personally identifiable information of students (and, in limited circumstances, teachers and principals) held by educational agencies and their contracted technology vendors.
Key Obligations Under Education Law 2-d
Parents' Bill of Rights: Each educational agency must adopt a "Parents' Bill of Rights for Data Privacy and Security" and post it publicly. Third-party contractors working with student data must sign a data protection agreement.
Chief Privacy Officer (state level): The New York State Education Department appoints a CPO for a three-year term. The CPO oversees compliance, manages breach notifications at the state level, and issues guidance.
Data Protection Officer (agency level): Each school district or BOCES must designate at least one employee as its data protection officer to implement section 2-d policies and serve as the point of contact.
NIST Framework: Each agency must implement a cybersecurity program aligned with the NIST Cybersecurity Framework covering the full data lifecycle.
Third-party contractor limits: Vendors may not sell student data, use it for advertising, or use it for any purpose other than the educational purpose stated in the agreement.
Enforcement
The State Education Commissioner has authority to investigate violations. Penalties can include contract termination, recovery of funds, and prohibition on future state contracts for persistent violators.
Health Information Protections
New York has several health-specific privacy laws that operate independently of HIPAA:
Public Health Law section 18 gives patients and their authorized representatives the right to inspect and copy medical records held by health care providers, facilities, and health maintenance organizations. Providers must respond within 10 days to a written request.
Public Health Law Article 27-F (HIV/AIDS Information): Clinical records, test results, and other information identifying an HIV-positive individual are confidential. Disclosure requires written consent, court order, or one of several narrow exceptions. Unauthorized disclosure is a misdemeanor. Civil liability attaches to knowing violations.
Civil Rights Law section 79-l: Protects genetic test results and DNA samples. Results may not be disclosed to insurers, employers, or creditors without written consent. Violations carry a civil penalty and a private cause of action.
Mental Hygiene Law section 33.13: Clinical records of persons receiving mental hygiene services are confidential. Disclosure without consent is permitted only in specified circumstances, such as emergencies, court orders, or mandatory reporting.
These state health privacy laws supplement HIPAA rather than replace it. Covered entities in New York must comply with both regimes, following whichever standard is more protective.
AG and DFS Enforcement Record: 2024-2026
New York's enforcement record since late 2024 has been among the most active of any state:
GEICO and Travelers (November 25, 2024): Joint AG and DFS settlement of $11.3 million. GEICO paid $9.75 million ($4.75 million to OAG; $5 million to DFS); Travelers paid $1.55 million ($350,000 to OAG; $1.2 million to DFS). Both insurers' online quote tools were exploited by hackers who stole driver's license numbers and dates of birth of more than 120,000 New Yorkers; that data was then used to file fraudulent COVID-era unemployment claims.
Noblr (December 2024): $500,000 settlement for inadequate data security in auto insurance quoting.
National Amusements (November 2024): $250,000 settlement for a data breach affecting more than 23,000 New York employees. The investigation found National Amusements delayed notifying affected workers for more than a year, violating the SHIELD Act's notification requirements.
Marriott International (October 9, 2024): Multistate settlement of $52 million total, with New York receiving $2.29 million. The breach affected 131.5 million customers worldwide after an intruder remained in Starwood's reservation system for four years.
Root Insurance (March 20, 2025): $975,000 settlement after Root's auto insurance quote tool allowed hackers to extract driver's license numbers in plain text from downloadable PDFs, exposing data of approximately 45,000 New Yorkers.
Allstate and National General (suit filed March 10, 2025): The AG filed suit against both companies for two separate data breaches that exposed driver's license numbers for more than 165,000 New Yorkers. As of May 2026, the suit is pending.
Wojeski and Company (October 2025): $60,000 settlement with an accounting firm that waited more than a year to notify more than 4,700 New Yorkers of two cybersecurity incidents. The late notification violated the SHIELD Act.
Car insurance multistate settlement (October 14, 2025): $14.2 million from eight auto insurers (including Liberty Mutual, Metromile, Farmers, and The Hartford) for breaches affecting more than 825,000 New Yorkers through exploited quoting tools.
Delta Dental (April 30, 2026): DFS consent order imposing $2.25 million for Part 500 violations arising from the 2023 MOVEit breach. Delta Dental's incident response was inadequate and breach reporting to DFS exceeded the 72-hour mandate.
The NY Privacy Act: Pending Legislation
New York has debated a comprehensive consumer privacy law since at least 2019. As of May 2026, no bill has passed.
The most active versions in the 2025-2026 session are S3044 (Senate) and A8158 / A4947 (Assembly). These bills share common features: consumer rights to access, correction, deletion, and portability; opt-out of targeted advertising and sale of personal data; obligations for controllers and processors; and an AG enforcement mechanism. Earlier versions (S5462, S6701) also included a private right of action that proved a sticking point in prior sessions.
S3044 passed the Senate Internet and Technology Committee in May 2025, then was referred again. A8158 was introduced in January 2026. None has reached a floor vote in either chamber.
The NY Health Information Privacy Act (NYHIPA), a separate proposal targeting health data collected outside HIPAA, was introduced in the 2023 session, vetoed by Governor Hochul, then revised and reintroduced in March 2026. Its status is pending.
Businesses operating in New York should monitor both bills. If either passes, it is likely to contain a 12-18 month implementation window similar to other state laws.
Federal Overlay
HIPAA: The Health Insurance Portability and Accountability Act covers most healthcare providers, health plans, and their business associates operating in New York. The Privacy Rule and Security Rule set baseline standards for protected health information. New York's state health privacy laws (Article 27-F, Civil Rights Law 79-l, Mental Hygiene Law 33.13) generally impose stricter obligations.
GLBA (Gramm-Leach-Bliley Act): Covers financial institutions. DFS-regulated entities in New York must comply with both GLBA and 23 NYCRR Part 500, following the stricter standard.
FCRA (Fair Credit Reporting Act) and FACTA: Govern consumer reporting agencies and the furnishers and users of consumer reports. New York has its own credit reporting law (General Business Law sections 380 et seq.) that parallels the FCRA with some additional protections.
COPPA (Children's Online Privacy Protection Act): Federal law requiring verifiable parental consent before collecting personal information from children under 13. New York's Education Law 2-d applies specifically to school-context data, but COPPA applies to all online services directed at children.
FTC Act Section 5: The FTC's deception and unfairness authority applies to businesses in New York as it does nationwide. The FTC has used Section 5 to impose consent decrees on companies that misrepresented their security practices.
TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025): Criminalizes the publication of nonconsensual intimate imagery (NCII), including AI-generated deepfakes. Criminal prohibitions took effect immediately at signing. Platform takedown obligations (covered platforms must remove confirmed NCII within 48 hours of a valid request) became effective May 19, 2026, with FTC enforcement.
APRA (American Privacy Rights Act): A bicameral draft advanced in the 118th Congress in 2024 but did not pass before Congress adjourned in January 2025. APRA 2.0 was discussed in the 119th Congress but had not advanced to a floor vote as of May 2026. New York residents do not have federal comprehensive privacy rights under APRA.
Practical Compliance Steps for Businesses
If your business holds personal information about New York residents, here is what to do now:
Assess your data inventory. Determine which categories of personal information you collect and hold. Since March 21, 2025, medical records and health insurance information trigger SHIELD Act security and breach notification obligations.
Update your breach notification procedures. The 30-day notification window under the amended SHIELD Act (effective December 21, 2024) is strict. Document your incident response plan with specific timelines for discovery, assessment, and notification. The AG, Department of State, State Police, and DFS all require notice for breaches involving New York residents.
Review safeguards against the SHIELD Act standard. Section 899-bb requires administrative, technical, and physical safeguards appropriate to the size and complexity of your business. Document your program.
If you are DFS-licensed, ensure your 23 NYCRR Part 500 program reflects the November 2023 amendments. All phase-in deadlines ran through November 1, 2025. Class A companies should have completed independent audits by November 1, 2025.
If you operate a business in New York City that collects any biometric data from customers (face geometry for access control, fingerprints for checkout), post the required signage and do not sell that data.
If you employ workers in New York, provide the electronic monitoring notice to each employee upon hiring and post it in the workplace if you monitor telephone, email, or internet use.
If you operate a school or education technology vendor that processes student data in New York, ensure you have a signed data protection agreement with each school district customer and designate a data protection officer.
How New York Residents Exercise Their Rights
New York residents currently do not have the broad state-law rights (access, deletion, opt-out of sale) that California, Virginia, or Colorado residents hold. Existing rights come from sector-specific laws:
Medical records: Under Public Health Law section 18, you can request a copy of your medical records. Providers must respond within 10 days. A reasonable charge for copying is permitted.
Credit reports: Under federal FCRA and New York's own credit reporting statute, you can request a free annual credit report from each of the three major bureaus and dispute inaccurate information.
Financial data: GLBA-governed institutions must provide annual privacy notices. You can opt out of sharing with non-affiliate third parties by following the opt-out procedure described in the notice.
Data breach notification: If your private information is breached, the business must notify you within 30 days and tell you what was exposed. You are not required to take any action to receive this notice.
Biometric data in NYC: If a business in New York City is selling your biometric data, you can bring a private lawsuit under the NYC Biometric Identifier Information Law. The business faces $500 per negligent violation or $5,000 per intentional violation, plus attorney fees.
Federal rights: HIPAA gives you the right to access your health records held by covered entities. COPPA gives parents the right to review and delete data collected about their children under 13.
When a comprehensive New York Privacy Act passes, residents will gain the right to request access to data held about them, correct inaccuracies, request deletion, and opt out of targeted advertising and sale of personal data.
Frequently Asked Questions
Does the SHIELD Act give New York residents the right to delete their data?
No. The SHIELD Act focuses on security safeguards and breach notification. It does not give residents the right to access, correct, or delete data held about them. Those rights would come from a future comprehensive privacy law like the pending NY Privacy Act.
When did the SHIELD Act's 30-day breach notification deadline take effect?
The 30-day deadline took effect immediately when Governor Hochul signed the December 2024 amendments on December 21, 2024. Prior law required notification 'in the most expedient time possible' without a specific deadline.
What new categories of private information does the SHIELD Act cover as of 2025?
Effective March 21, 2025, 'private information' under the SHIELD Act includes medical information (medical history, conditions, treatments, diagnoses) and health insurance information (policy numbers, subscriber IDs, claims and appeals history). These were added by the December 2024 amendment to N.Y. Gen. Bus. Law section 899-aa.
Does the New York City Biometric Law apply to offices outside New York City?
No. NYC Administrative Code Title 22, chapter 12 applies only to commercial establishments operating within New York City. The statewide NY Biometric Privacy Act (S1422A) would extend similar rules across all of New York, but that bill has not passed as of May 2026.
What is the DFS cybersecurity regulation and who does it cover?
23 NYCRR Part 500 is the Department of Financial Services cybersecurity rule, covering banks, insurers, mortgage lenders, and other entities licensed under New York's Banking Law, Insurance Law, or Financial Services Law. It requires 72-hour breach reporting to DFS, multi-factor authentication, encryption of nonpublic information, and for large 'Class A' entities, annual independent cybersecurity audits.
Has New York passed a comprehensive consumer privacy law?
Not as of May 2026. Multiple versions of the New York Privacy Act have been introduced since 2019, most recently S3044 and A8158 in the 2025-2026 session. None has passed either chamber. New York does not have CCPA-style consumer rights under state law.
Can a New York employer monitor employee emails and texts without notice?
No. Civil Rights Law section 52-c (effective May 7, 2022) requires private employers with a New York place of business to provide prior written notice to employees before monitoring telephone conversations, email, or internet use. The notice must be acknowledged in writing. The law does not prohibit monitoring; it only requires disclosure.
What is the TAKE IT DOWN Act and how does it affect New York?
The TAKE IT DOWN Act (Pub. L. 119-12) was signed by President Trump on May 19, 2025. It criminalizes publishing nonconsensual intimate imagery including AI-generated deepfakes. As of May 19, 2026, covered online platforms must take down confirmed NCII within 48 hours of a valid request. The FTC enforces the platform takedown obligations. This is federal law and applies to New York residents and businesses.
How do I report a data breach as a New York business?
If a breach of New York residents' private information occurs, notify affected residents within 30 days. If more than 500 residents are affected, provide written notice to the AG, Department of State, State Police, and DFS. Report to the AG at ag.ny.gov. For DFS-regulated entities, also file a cybersecurity incident notice through the DFS portal within 72 hours of determining a reportable incident occurred.
Are there penalties for violating the NYC Biometric Identifier Information Law?
Yes. Failure to post required signage carries a $500 penalty with a 30-day cure period. Negligent sale or sharing of biometric data: $500 per violation. Intentional or reckless sale or sharing: $5,000 per violation. The prevailing plaintiff recovers attorney fees in all cases. DCWP also has enforcement authority.