What is the NY Shield Act?

The NY Shield Act, also known as the New York Privacy Act, is a data privacy law that was signed into law in New York in July 2022. The law places strict regulations on organizations that collect and process the personal data of New York residents.

When does the NY Shield Act take effect?

The NY Shield Act was signed into law on July 8, 2022, with an effective date of July 1, 2023. This means organizations have a year to make necessary changes to comply with the law before it takes effect.

What is the purpose of the NY Shield Act?

The NY Shield Act aims to strengthen data privacy rights for New York residents. Some key goals of the law include:

  • Giving consumers more control over their personal data
  • Increasing transparency around data collection practices
  • Limiting unnecessary data collection
  • Holding organizations accountable for data breaches

By placing strict standards around data privacy, the law aims to better protect New Yorkers’ personal information.

What organizations does the NY Shield Act apply to?

The NY Shield Act applies broadly to organizations that conduct business in New York or target products and services to New York residents and meet one of the following criteria:

  • Have over $25 million in gross annual revenue
  • Buy, receive, sell, or share the personal information of over 100,000 New Yorkers annually
  • Derive over 50% of annual revenue from selling or sharing personal information

This means large technology companies, data brokers, retailers, financial institutions, and many other organizations must comply if they meet these criteria.

What is considered personal data under the law?

The NY Shield Act defines personal data very broadly. It includes any information that identifies or could reasonably be used to identify a specific New York resident. This can include:

  • Names
  • Addresses
  • Email addresses
  • IP addresses
  • Account usernames
  • Phone numbers
  • Purchase histories
  • Biometric data
  • Geolocation data
  • And more

What are the key requirements of the NY Shield Act?

The NY Shield Act puts in place strict standards for organizations that collect and process New Yorkers’ personal data. Key requirements include:

Consent and Purpose Limitation

Organizations must obtain consent from consumers to process their personal data. This consent must be explicit, informed, and easy to withdraw. Data can only be used for the purposes outlined when consent was obtained.

Data Minimization

Organizations should only collect the minimum amount of personal data needed to accomplish a specific purpose. Data collection should be limited and targeted.

Reasonable Security Measures

Reasonable security measures must be in place to protect personal data. This includes implementing cybersecurity technologies, policies, and procedures to reduce the risk of breaches.

Data Accuracy

Personal data must be kept accurate, complete, and up-to-date to the extent possible.

Access and Correction

New York residents have the right to access, correct, delete, and obtain a copy of their personal data. Organizations must put processes in place to enable consumers to exercise these rights.

Data Retention

Personal data should not be kept for longer than reasonably needed for the purposes outlined during collection. Data must be securely disposed of when no longer necessary.

Privacy Impact Assessments (PIAs)

Organizations must conduct PIAs to evaluate privacy risks associated with new technologies, practices, and partnerships involving personal data.

Data Protection Assessments (DPAs)

DPAs evaluate an organization's data protection practices and compliance with the law. They must be conducted annually by independent auditors.

Algorithmic Accountability

Organizations must identify and correct sources of algorithmic bias and discrimination when processing personal data to make decisions about consumers.

How are consumer rights expanded under the law?

The NY Shield Act significantly expands the rights of New York residents when it comes to their personal data. Key rights include:

  • Right to access data: Consumers can request details on what personal data a company has collected about them.
  • Right to correction: Consumers can require inaccuracies in their data to be corrected.
  • Right to deletion: Individuals can request their personal data be deleted.
  • Right to obtain a copy: Consumers are entitled to electronic copies of their personal data.
  • Right to opt out: New Yorkers can opt out of data sales and refuse the processing of their sensitive personal data.
  • Right to non-discrimination: Individuals cannot be discriminated against for exercising their rights under the law.

By providing these rights, New Yorkers gain more control over their digital footprint.

What are the penalties for non-compliance?

There are steep fines and penalties for organizations that fail to comply with the requirements of the NY Shield Act. These include:

  • Up to $250 per violation
  • Up to 20% of worldwide revenue for intentional violations
  • Private right of action allowing consumers to take violators to court

With large potential fines, companies have significant financial motivation to comply properly with the law.

How does the NY Shield Act compare to other data privacy laws like the CCPA and GDPR?

The NY Shield Act is similar to other leading data privacy laws like the California Consumer Privacy Act (CCPA) and EU’s General Data Protection Regulation (GDPR). Key comparisons:

Key components by law:

  • NY Shield Act: Consumer rights, consent requirements, data minimization, restrictions on data sales, algorithmic accountability, private right of action
  • CCPA: Consumer rights, consent requirements, data minimization, restrictions on data sales, private right of action
  • GDPR: Consumer rights, consent requirements, data minimization, restrictions on data transfers, significant fines

While the laws share some core components, the NY Shield Act establishes its own standards and requirements tailored to protect New York residents.

What steps do organizations need to take to comply?

To comply with the NY Shield Act, organizations should take the following steps:

  1. Review data collection, processing, and security practices to identify compliance gaps.
  2. Update consent processes to meet the law’s strict requirements.
  3. Minimize data collection and retention periods.
  4. Facilitate data access, correction, and deletion requests.
  5. Establish protocols to conduct PIAs and DPAs.
  6. Implement reasonable security measures for protecting data.
  7. Document compliance efforts in case of an investigation.
  8. Train staff on the new policies and procedures.

Achieving full compliance requires time and resources. Organizations should review requirements in detail and get started well before the law takes effect in 2023.

What are some examples of non-compliance under the law?

Some examples of non-compliance that could lead to penalties include:

  • Collecting excessive amounts of personal data without a clear purpose
  • Using consents that do not meet the law’s strict requirements
  • Failing to put reasonable security technologies and policies in place
  • Not facilitating access and deletion requests from consumers
  • Retaining personal data longer than reasonably needed
  • Sharing data with third parties not disclosed when initially obtained
  • Experiencing a breach and failing to notify authorities and impacted residents

Even organizations making a good-faith effort can run into issues if their practices are not carefully aligned with the law’s requirements.

What are the benefits of complying with the law?

Some benefits organizations can realize by properly complying include:

  • Avoiding heavy fines and lawsuits
  • Building trust and strengthening relationships with customers
  • Enhancing cybersecurity and reducing risk exposure
  • Forcing beneficial data minimization practices
  • Providing transparency into data practices
  • Following ethical data standards

While compliance requires an investment of resources, aligning data privacy programs with the law’s goals can produce long-term benefits for consumers and businesses alike.

The NY Shield Act ushers in a new era of data privacy for New York residents. With stringent standards around transparency, security, and consumer rights, the law aims to give individuals more control over their personal data. All organizations that collect and process significant amounts of New Yorkers’ data must comply with the law or risk facing hefty penalties. To successfully comply, companies need to critically evaluate their data practices and systems to identify and address any gaps. While compliance will require time and resources, organizations have an opportunity to strengthen trust and relationships with customers by properly aligning themselves with the goals of the NY Shield Act before it takes effect.