There are a lot of moving pieces here and you can go cross-eyed trying to comply with all the proposed rules. Still, here are some of the highlights from the New York bill.
The preamble to the New York bill reads: “Privacy is a fundamental right and an essential element of freedom; we need to do something about non transparency privacy notices and give NY consumers more control over their data and digital privacy.”

On the heels of the Data Protection Commission Ireland’s 390 million Euro Meta decision on the scope of contractual necessity, the New York bill says, “Targeted advertising and sale of personal data shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”

New York is adopting the de-identification formulation of CPRA with the steps you need to take (policies, undertakings, etc.). This seems to now be the standard for the U.S. definition of de-identification, even though it is different from, and arguably stricter than, GDPR.

The bill uses GDPR terminology (controller, processor, personal data) and concepts (data minimization and retention limitation).

“Sale” is defined as in California and Colorado: monetary or other valuable consideration. The “sale” concept also seems to be here to stay.

The definition of sensitive data is similar, and specifically includes genetic and biometric data and precise geolocation.

The jurisdiction threshold is similar to California's, with revenue or number-of-records thresholds.

Carve outs are data based (NPI