Privacy Laws 2025: Prepare for the 8 Laws Going into Effect
Businesses in the US will be subject to a lot more scrutiny from...
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: December 4, 2024
Published: June 29, 2022
Every day, we share personal information online. Whether we’re paying bills, connecting with friends on social media, or simply browsing websites, we’re giving pieces of our personal information away.
And the sheer volume of shared information — coupled with rampant identity theft, data hacking, and other fraudulent activity — has prompted officials worldwide to adopt privacy laws. At their core, these laws regulate how personal information is collected, shared, and stored.
Still, at a federal level, the U.S. lacks its own overarching security law. Thus, individual states are taking matters into their own hands.
Over the last few years, several states have enacted a patchwork of privacy laws to protect consumers. And in 2019, lawmakers took a closer look at a long-standing New York state privacy law, discovered several evolutionary gaps and inefficiencies, then worked to amend and update it. Today, the latest iteration is known as the SHIELD Act.
The New York State SHIELD act, or the Stop Hacks and Improve Electronic Data Security Act, amends the state’s existing data breach notification law. It imposes more data security requirements on companies that collect private information of New York residents.
The SHIELD law became fully enforceable in March 2020 when Governor Andrew Cuomo signed the bill that was passed by both the state senate and state assembly.
But why were amendments introduced in the first place? The updated New York privacy law came after the New York State Attorney General discovered a 60% increase of state data breaches in 2016. Just weeks prior to the SHIELD law introduction, one of the largest credit reporting agencies in the country, Equifax, identified a consumer data breach that affected more than 8 million residents of New York.
Through the Act, companies incurred additional privacy requirements that, collectively, provide better overall breach protection for New York residents.
The SHIELD Act introduces significant changes to existing law:
The good news? Many companies already protect consumers' data (and have been, long before the SHIELD Act was ever a twinkle). And likely, they already meet SHIELD’s mandates.
For instance, an entity is already aligned with the SHIELD Act if it complies with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, or New York’s cybersecurity requirements for financial services.
The department of state considers companies compliant if they implement and maintain reasonable safeguards to protect the data of New York residents. The bill offers several ways to ensure compliance:
Assess the risks of information storage and disposal.
Create systems to prevent, detect, and respond to physical intrusions.
Dispose of private information within a reasonable amount of time.
Protect against the unauthorized access of private information at any point during collection, transportation, and disposal.
If you own a small business and those bullets feel daunting, don’t worry: The SHIELD Act makes exceptions for businesses with fewer than 50 people and/or less than $3 million in annual revenue. Still, you must implement a reasonable security program that's appropriate for the size and complexity of your business.
If companies fail to comply with these security requirements, they could face civil penalties of up to $5,000 per violation. There are no caps on penalties, so fines can rack up quickly. Additionally, a $250,000 fine exists for failing to notify the state attorney general and state police when a data breach occurs.
As state legislation, the SHIELD Act encourages data protection and general breach notification. Following in its footsteps, individual states will continue to write and expand their own privacy laws. But because the New York privacy law applies to any business that collects or maintains private information on New York residents, its effects are far-reaching.
Obviously, the state of New York is economically significant. Most major companies hold some kind of private information on New York residents. These companies will be forced to abide by the new security requirements concerning respective residents.
But maintaining multiple security standards is complex, time-consuming, and inefficient. For the sake of expediency and cost, it’s easier for most companies to apply the SHIELD Act’s standards to all private information they collect and maintain, not just on New York residents.
Why is this so? Because we’ve seen it before with the European Union’s General Data Protection Regulation (GDPR). Rather than create and maintain multiple privacy standards, most companies that deal with EU customers simply declare GDPR as standard practice.
And we see similar action with the California Consumer Privacy Act (CCPA): Because entities that do business with California companies are obligated to abide by CCPA, it's easier for companies to meet those standards for all customers.
Will New York’s privacy law change how all companies behave? Probably not — at least not yet. Over time, as consumers learn to enjoy the protection provided by security standards, pressure to do the same among other state and local governments will ramp up.
If you're a company that collects and maintains private information, it's not a matter of if, but when you’ll endure a cyber incident. It's important to think proactively about how your organization handles data to protect customers, users, followers, and the livelihood of your business. And the sooner you take steps to protect consumer privacy, the sooner you’ll comply with inevitable requirements.
Keeping your business up-to-date with the latest privacy practices isn’t optional. Still, you don’t have to do it on your own. You can use tools like Osano to monitor changes in privacy laws, understand what vendors do with your data, and ask privacy professionals on-demand questions.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.