US-New York

Can a company sell my personal data to third parties in New York?

Consent standard: Opt-out only
Breach notice deadline: 30 days
Max civil penalty per violation: $5,000
NYDFS 23 NYCRR 500 updated: 2023

The Short Answer

Yes, a company can sell your personal data to third parties in New York unless you opt out — but new rules under the NYDFS Cybersecurity Regulation and the SHIELD Act impose strict safeguards and disclosure requirements.

What the Law Says

New York does not have a comprehensive consumer privacy law like California’s CCPA, but two key laws govern how companies handle and share personal data: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the NYDFS Cybersecurity Regulation. Neither bans data sales outright, but both require transparency, reasonable safeguards, and breach notification.

The SHIELD Act (General Business Law § 899-aa) applies to any person or business that owns or licenses computerized data containing private information of New York residents. It requires 'reasonable' administrative, technical, and physical safeguards to protect that data — including when sharing it with or selling it to third parties.

While the SHIELD Act does not define 'sale' or require opt-in consent for data sharing, it mandates that businesses disclose their data practices in privacy policies and implement safeguards proportional to the size and complexity of their operations and the sensitivity of the data.

The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) applies to financial services firms licensed by NYDFS. It requires covered entities to assess risks related to third-party service providers — including those receiving personal data — and ensure contracts include security protections and audit rights.

Statutory Text

Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information...

General Business Law § 899-aa(2) — Duty to protect private information

Statutory Text

Each covered entity shall establish written policies and procedures designed to ensure the security of nonpublic information... including guidelines for secure disposal of such information.

23 NYCRR 500.3 — Cybersecurity policy

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.