New York has attempted to pass comprehensive data privacy legislation for several consecutive sessions without success. The New York Privacy Protection Act (NYPPA) was most recently introduced in the 2024 legislative session as Senate Bill S 365 and Assembly Bill A 3312. It passed the Senate Consumer Protection Committee but stalled in the full Senate amid intense lobbying from the technology and financial services industries based in New York City. The NYPPA has consistently been one of the most consumer-friendly proposed privacy laws in the country — which is precisely why it has faced such fierce opposition. It includes a robust private right of action (allowing individuals to sue companies directly) and data minimization requirements that would significantly constrain how companies use personal data. Business groups have argued these provisions would expose companies to excessive litigation and stifle innovation. Consumer advocates counter that without a private right of action, any privacy law is unenforceable in practice. New York's political dynamics are complex: the state legislature is controlled by Democrats who broadly support privacy rights, but the New York financial and tech industries are powerful economic forces with significant lobbying clout. Governor Hochul has not yet publicly committed to signing a comprehensive privacy bill.
The New York Privacy Act introduced by Sen. Kevin Thomas — one of the earliest and most ambitious state privacy proposals, including data fiduciary requirements.
A broader coalition bill, the New York Privacy Protection Act, introduced with support from privacy advocates. Passes committee but stalls on floor.
A revised NYPPA with modified private right of action language advances further in the legislative process than any prior version, generating renewed optimism.
Despite strong committee support, the 2024 legislative session ends without a full floor vote. Business groups cite litigation risk; advocates vow to reintroduce in 2025.
Advocates and legislative sponsors have confirmed plans to reintroduce the NYPPA in the 2025 session with modifications aimed at addressing business concerns while preserving core consumer rights.
The NYPPA is among the most ambitious state privacy proposals in the country. Key features include: data minimization requirements (companies may only collect data reasonably necessary for a disclosed purpose); a private right of action allowing individuals to sue companies for violations without waiting for government enforcement; data protection impact assessments for high-risk processing; opt-in consent for sensitive data; and all standard consumer rights (access, correction, deletion, portability, opt-out of sale and targeted advertising). Unlike most other state laws, the NYPPA would also establish a data fiduciary duty — treating companies that handle personal data as having a legal obligation to act in users' interests, similar to how financial advisors are required to act in their clients' interests.
If enacted as currently drafted, New York residents would receive the following privacy rights:
Confirm whether a business processes your personal data and request a copy of it.
Request correction of inaccurate personal data a business holds about you.
Request deletion of personal data that has been collected about you.
Receive your data in a portable, machine-readable format.
Prevent businesses from selling your personal data to third parties.
Stop businesses from using your data for cross-context behavioral advertising.
Opt out of automated decision-making in significant life decisions.
Businesses cannot penalize you for exercising your privacy rights.
The rights listed above are proposed, not enacted. They reflect the bill's current draft language and may change significantly before passage — or the bill may not pass at all. Until New York enacts a comprehensive privacy law, residents have limited state-level data privacy rights. Check our Active Laws page to see which states have enacted protections.
The NYPPA's failure to pass despite multiple attempts comes down to three core disagreements: (1) The private right of action — business groups warn this would trigger a wave of class action lawsuits; advocates say without it the law has no teeth; (2) The data fiduciary duty — requiring companies to act in consumers' best interests is a radical departure from existing U.S. privacy law and industries have vigorously opposed it; (3) The scope of data minimization — companies that have built entire business models on collecting and monetizing data argue that strict minimization requirements would make many current business practices illegal overnight. Finding compromise language that satisfies both consumer advocates and the business community has proven elusive across multiple sessions.
| Feature | New York (Proposed) | Virginia (Active) | California (Active) |
|---|---|---|---|
| Comprehensive privacy rights | Proposed | ✅ Yes | ✅ Yes |
| Right to delete | Proposed | ✅ Yes | ✅ Yes |
| Opt out of sale of data | Proposed | ✅ Yes | ✅ Yes |
| Sensitive data protections | Proposed | ✅ Yes | ✅ Yes |
| Enforcement agency | TBD | VA Attorney General | CA Privacy Protection Agency |
| Private right of action | TBD | No | Yes (breach only) |
| Currently enforceable | ❌ No | ✅ Yes | ✅ Yes |
Even though New York does not yet have a comprehensive privacy law, you are not without options:
Privacy laws pass because constituents demand them. If you believe New York residents deserve strong data privacy rights, contact your state legislature. Find your representatives at OpenStates.org — it takes only a few minutes to send a message that matters.
Use our Opt-Out Guide to see what rights you have today and get direct opt-out links for major companies.
Privacy legislation moves quickly. Subscribe to our newsletter and we'll alert you the moment New York passes a new privacy bill, a vote is scheduled, or a major amendment changes the bill's scope. You'll also receive our monthly digest of all U.S. privacy law changes — free, always.