Privacy Guide | April 11, 2026 | 8 min read

Privacy Laws in New York: What You Need to Know

By Sarah Chen

Head of Privacy Research

New York doesn't yet have a comprehensive consumer privacy law like California or Texas, but it does have one of the strongest data security statutes in the country, along with sector-specific rules that give New Yorkers real protection. Here's what you need to know about privacy law in New York in 2026, and how to exercise the rights you already have.

The SHIELD Act: New York's Data Security Backbone

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) took effect in 2020 and remains the cornerstone of privacy law in New York. Unlike consumer rights laws in other states, the SHIELD Act focuses on what companies must do to protect your data, rather than giving you the right to access or delete it.

Under the SHIELD Act, any business that collects the private information of a New York resident must implement reasonable administrative, technical, and physical safeguards. It doesn't matter where the business is located. If they hold data on a single New Yorker, they're covered.

What Counts as Private Information?

The SHIELD Act broadly defines private information to include:

  • Social Security numbers
  • Driver's license or non-driver ID numbers
  • Financial account numbers, credit and debit card numbers (even without a security code, in some cases)
  • Biometric information like fingerprints and face templates
  • Usernames or email addresses combined with passwords or security questions
  • Medical and health insurance information

When one of these categories is accessed or acquired without authorization, companies must notify affected New Yorkers and, in serious cases, the New York Attorney General.

The SHIELD Act Expanded the Definition of a Breach

Prior to SHIELD, a breach only counted when data was acquired by an unauthorized party. SHIELD changed the rule so that merely accessing private information without authorization triggers the breach notification requirement, even if nothing was downloaded or exfiltrated.

Your Rights Under Current New York Law

Because the SHIELD Act is a security statute rather than a consumer rights statute, New Yorkers don't yet have broad rights to access, delete, or correct their personal data. But there are still several important protections you can enforce:

  • The right to be notified of breaches. If a company loses control of your private information, they have to tell you in the most expedient time possible.
  • The right to opt out of certain credit reporting uses under New York's credit laws.
  • The right to protections under sector-specific laws, including the Department of Financial Services (DFS) cybersecurity rules for banks and insurers.
  • The right to a free credit freeze at all three bureaus, thanks to state and federal law.

The New York Privacy Act: On the Horizon

The New York Privacy Act (NYPA) has been working its way through the legislature for several sessions. In May 2025, it passed a key Senate committee vote, advancing further than any previous version. If enacted, the NYPA would give New Yorkers the same kind of rights that Californians and Texans already have: access, deletion, correction, opt-out of sale and targeted advertising, and potentially a private right of action.

The NYPA is not law yet, but its progress suggests New York is moving toward a comprehensive privacy framework. Staying informed about its status is one of the best things you can do as a New Yorker concerned about data privacy.

No Private Right of Action Under SHIELD

If a company violates the SHIELD Act, you can't sue them directly. Only the New York Attorney General can bring enforcement actions, with penalties of up to $5,000 per violation and up to $20 per affected person for failure to notify. Filing complaints with the AG is the most powerful lever individual consumers have.

How New Yorkers Can Protect Themselves Today

  1. Freeze your credit. A credit freeze blocks new accounts from being opened in your name and is free for every New York resident. It's the single most effective protection against identity theft.
  2. Enable Global Privacy Control. Even though New York doesn't yet require businesses to honor GPC, many national platforms do, because they're complying with California and Texas rules.
  3. File data broker opt-outs. People-search sites that publish your address, phone number, and relatives operate nationwide. Opting out of each one is the only way to remove that data.
  4. Monitor your accounts. Free credit monitoring through the three major bureaus and dark web monitoring services can alert you when your information surfaces in a breach.
  5. File AG complaints when companies mishandle your data. This is how the SHIELD Act gets enforced in practice.

Removing Your Data With PrivacyOn

Because New York lacks a consumer rights law with deletion authority, New Yorkers have fewer legal levers to pull when their information appears on people-search sites. That makes proactive removal even more important. PrivacyOn opts you out of more than 100 data brokers, monitors them continuously, and re-files when your profile comes back. It's the fastest way for a New York resident to shrink a public digital footprint, even without a state privacy law backing you up.

Looking Ahead

New York is one of the largest markets for consumer data in the country, and comprehensive privacy legislation is almost certainly coming in the next few years. In the meantime, the SHIELD Act gives you security guarantees, and smart personal practices give you everything else. Stay alert, use the tools available to you, and keep an eye on the New York Privacy Act as it moves through Albany.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
