Data & Privacy

New York's data breach notification law requires businesses to notify affected residents when private information is compromised, including names combined with SSNs, account numbers, or biometric data.

Yes, New York law requires companies to notify you within a reasonable time after discovering a data breach involving your private information.

Under New York law, a 'data breach' is the unauthorized acquisition or access of computerized data containing private information that compromises the security, confidentiality, or integrity of that information.

A company must notify you of a data breach in New York within 10 days after discovering the breach, unless law enforcement requests a delay.

Yes, a company can sell your personal data to third parties in New York unless you opt out — but new rules under the NYDFS Cybersecurity Regulation and the SHIELD Act impose strict safeguards and disclosure requirements.

No, New York does not yet have a comprehensive consumer privacy law like California’s CCPA. The NY Privacy Act (S.6072/A.5434) has been introduced multiple times but has not passed as of 2024.

Yes, websites can track your online activity in New York without disclosure unless they collect 'personal identifying information' under NY Civil Rights Law § 50-e or fall under specific privacy laws like the SHIELD Act.

Violating New York's eavesdropping law is usually a class E felony, punishable by up to 4 years in prison; if the offense involves a public official or is committed for commercial gain, it becomes a class D felony with up to 7 years imprisonment.

Yes, you can request deletion of your personal data from certain companies in New York under the NY Privacy Act (effective July 2025) and the SHIELD Act, but only if the company meets specific size or data-handling thresholds.

In New York, you may recover actual damages, profits the defendant gained from unauthorized use, and in some cases, statutory damages up to $1,000 — but only if the use was for advertising or trade purposes without consent.

No, in New York, someone cannot use your name or likeness for advertising or trade purposes without your written consent.

No — New York law prohibits using deepfakes that depict you in sexually explicit content without your consent, and bans unauthorized use of your name, voice, signature, photograph, or likeness for commercial purposes.

No, New York's statutory right to privacy does not extend to deceased persons.

New York does not have a comprehensive biometric privacy law like Illinois’ BIPA, but it regulates biometric data through the SHIELD Act and proposed legislation; biometric data is classified as 'private information' requiring reasonable safeguards.

Generally, no — your employer cannot monitor your personal phone calls at work in New York without your consent, unless the call is made on company equipment or falls under narrow exceptions.

Yes, in New York, your employer must notify you before monitoring your email or phone calls — unless the monitoring is done for legitimate business purposes and you have no reasonable expectation of privacy.

No, employers in New York cannot require you to provide your social media passwords or access to your private accounts.

New York is a one-party consent state for recording conversations — you may legally record a conversation if at least one participant (including yourself) consents.

No, police in New York generally cannot wiretap your phone without a court order. Exceptions exist only in narrow emergency situations or with your consent.

Yes, your landlord can install surveillance cameras in common areas in New York, as long as they do not record audio or target private spaces like bathrooms, bedrooms, or inside apartments.

Businesses must implement reasonable administrative, technical, and physical safeguards to protect private information, as defined by New York’s SHIELD Act.

No, the SHIELD Act does not give private individuals the right to sue a company for data security failures — only the New York Attorney General can enforce it.

The NY Attorney General enforces data privacy laws like the SHIELD Act and NY Civil Rights Law § 50-a, investigating breaches, suing violators, and issuing guidance—but cannot bring private right-of-action claims.

Yes, New York law restricts the display, transmission, and use of Social Security numbers to protect against identity theft and unauthorized exposure.

Health care providers in New York must safeguard patient data under state and federal law, including HIPAA, the NY Public Health Law, and the NY General Business Law, with strict requirements for breach notification, consent, and security safeguards.