US-New YorkWhat role does the NY Attorney General play in data privacy enforcement?
The NY Attorney General enforces data privacy laws like the SHIELD Act and NY Civil Rights Law § 50-a, investigating breaches, suing violators, and issuing guidance—but cannot bring private right-of-action claims.
What the Law Says
New York law grants the Attorney General broad authority to investigate and enforce data privacy obligations—especially under the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and Civil Rights Law § 50-a.
The SHIELD Act (effective March 21, 2020) requires any person or business owning or licensing computerized data containing private information of New York residents to implement reasonable administrative, technical, and physical safeguards. It also mandates notification to affected individuals and the NY Attorney General within 72 hours of discovering a breach involving private information.
The NY Attorney General may bring an action in the name of the state to enjoin violations and obtain civil penalties: up to $5,000 per violation for knowing or reckless failures to comply with reasonable safeguards, and up to $20 per failed notification (capped at $250,000).
Additionally, NY Civil Rights Law § 50-a prohibits nonconsensual use of a person’s name, portrait, or picture for advertising or trade purposes—and the AG may enforce it where violations involve misuse of biometric or personal identifiers in digital contexts.
Statutory TextAny person or business that owns or licenses computerized data which includes private information shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information...
— General Business Law § 899-bb(2)(a) — Safeguards requirement
Statutory TextIn the event of a breach of the security of the system, such person or business shall disclose any breach... to any New York resident whose private information was, or is reasonably believed to have been, accessed...
— General Business Law § 899-aa(2) — Breach notification
Statutory TextThe attorney general may bring an action in the name of the state... to enjoin such violation and to recover damages...
— General Business Law § 899-aa(6) — Enforcement authority
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.