New York Gives Businesses a Package of Six New Consumer Data Protection Laws to Unwrap During the Holiday Season

On December 21, 2024, while many Americans were busy signing holiday cards and exchanging gifts, New York Governor Kathy Hochul was signing six significant pieces of legislation aimed at enhancing online safety and strengthening consumer data protection.¹ This legislative package, which includes privacy and cybersecurity measures, collectively has a broad reach.  They create new requirements across multiple industries and expanding oversight of several state agencies, including the Department of Financial Services and the Attorney General.

According to the New York governor, the holiday timing was strategic. During the holiday season, there is typically an increase in fraudulent activities involving consumer data and so the bills were prioritized to address this heightened risk.²

As many were focused on holiday festivities over the past few weeks, we are providing this Legal Update to ensure you are informed about these important legislative developments as you return to the office.

Legislation S2376B/A4737B: Stronger Protections for Medical and Insurance Information Related to Identity Theft³

Health information has always been sensitive and protected under certain state and federal laws. However, the theft of health information for fraudulent purposes continues to grow. S2376B/A4737B modifies three areas of law in an effort to combat the fraudulent use of medical information.

• Enhances protections for medical and health information by modifying portions of the New York Penal Law, New York General Business Law, and New York State Technology law to provide notice requirements and enforce identity theft penalties on misuse of medical and health information.
• Expands the definitions related to identity theft in the penal law (including Section 190.77) to encompass medical and health insurance information. Additionally, S2376B/A4737B amends the state data breach notification law (Section 899-AA of the New York General Business Law) to include medical and health information in the definition of “private information,” which, if compromised, requires notice to individuals and regulators. The legislation makes similar changes to Subdivision 1 of Section 208 of the State Technology Law.
• Will be effective 90 days after becoming law on March 21, 2025. However, effective immediately, the addition, amendment, and/or repeal of any necessary rules or regulations for implementing the legislation is authorized to be made and completed.

Legislation S2659B/A8872A: Modifications to the Notice Requirements for a Data Breach⁴

Previously, NY data breach law required notice to individuals “in the most expedient time possible and without unreasonable delay,” without a specific timing requirement.⁵ Notices were also required to be made to the state attorney general, the Department of State, and the Division of State Police. With S2659B/A8872A, both the timing for notice and the number of departments to notify have changed.

• Includes a new timing requirement mandating that businesses notify consumers of a data breach within 30 days.  
• Adds the New York Department of Financial Services to the state agencies that must be notified of a data breach.
• Is effective immediately.

Legislation S5615/A2833: Requirements for Better Security Features in Devices Procured by State Government⁶

S5615/A2833 imposes new cybersecurity requirements on state agencies. 

• Mandates end point device security for devices procured by the commissioner and state agencies.
• Amends Section 165 of the State Finance Law by adding new Subdivision 9, which defines “end point device” and requires that certain devices, services, and solutions comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
• Will be effective 90 days after becoming law on March 21, 2025.

Legislation S5703B/A1035B: Prohibiting the Use of Social Media Platforms for Debt Collection⁷

S5703B/A1035B limits debt collection activity on social media websites. The stated intent of this law is to limit debt collection efforts to legitimate means.

• Prohibits the use of  social media platforms to collect debt from debtors by amending Section 601 of the New York General Business Law to add Subdivision 12 to the list of prohibited practices.
• Defines “social media platform” to exclude sites that only provide email or direct messaging while broadly encompassing interactive websites that may not typically be considered social media platforms.
• Is effective immediately.

Legislation S1759B/A1057C: Requirements for Further Disclosures and Transparency for Online Dating Services⁸

Romance scams alone have created a highly profitable industry for scammers. S1759B/A1057C is intended to limit the risk of these scams by providing more disclosures to users of online dating services to educate users.   

• Aims to limit fraud on dating services and enhance transparency to users through new disclosure requirements.
• Amends Section 394-C of the NY General Business Law to include specific definitions related to online dating services and establishes new requirements and prohibitions for contracts governing social referral services, including contractual and disclosure requirements for online dating services.
• Will be effective 60 days after becoming law on February 19, 2025.

Legislation S895B/A6789B: Requirements for Social Media Companies to Update Their Terms of Service Relating to Hate Speech⁹

Following recent trends in legislation governing social media, S895B/A6789B aims to promote further transparency for social media platform users. While many laws focus website privacy policies, this law focuses on creating more transparency within social media platforms’ terms of service.

• Amends the NY General Business Law by adding Article 42, which mandates required disclosures for social media terms of service, establishes terms of service reporting requirements, outlines violations and remedies, and specifies factors for determining applicability.
• Requires Semi-Annual Reporting by social media platforms on terms of service and content moderation policies, practices, and detailed statistics on the implementation of content moderation.
• Will be effective 180 days after becoming law on June 19, 2025.

¹ S2376B, S2659B, S5615, S5703B, S1759b, and S895b.

² Governor Hochul Signs Online Safety Legislation to Strengthen Protections for the Personal Data of Consumers | Governor Kathy Hochul.

³ S2376B, NY State Assembly Bill 2023-A4737B.

⁴ S2659B.

⁵ NYS Open Legislation | NYSenate.gov.

⁶ S5615.

⁷ S5703B.

⁸ S1759b.

⁹ S895b.