Online Privacy in New York: Laws, Rights & Protection Guide

TempMailSpot Editorial Team

A New Yorker's guide to online privacy—understanding state laws, proposed protections, and practical tools for digital safety.

New York has a strong data-security law and no comprehensive consumer-privacy law. That distinction matters. The SHIELD Act requires any business holding a New Yorker's private data to protect it and to notify you after a breach, but it gives you no right to see, correct, or delete what companies have collected. California residents have those rights; New Yorkers do not, at least not yet.

This guide explains what New York law actually does, who it covers, the December 2024 amendments that tightened breach-notification rules, and where the still-pending New York Privacy Act would change the picture. It also covers concrete steps to limit how much of your data is exposed in the first place, since under current law, prevention is the right you can exercise without waiting for a regulator. This is general information, not legal advice; for a specific situation, consult a New York attorney.

Key takeaways

  • New York's SHIELD Act (effective in stages through March 2020) requires reasonable data-security safeguards and breach notification, but gives residents no right to access, correct, or delete their data.
  • It covers any business worldwide that holds a New York resident's private information, including an email address paired with a password; there is no 'conducts business in NY' threshold.
  • Since December 21, 2024, breaches must be reported within thirty days of discovery, and medical and health-insurance information became protected data as of March 21, 2025.
  • Only the New York Attorney General can enforce the SHIELD Act; penalties reach $5,000 per safeguard violation and up to $250,000 for knowing notification failures. Settlements include $600,000 (EyeMed) and $11.3 million (GEICO/Travelers).
  • New York has no comprehensive consumer-privacy law; the New York Privacy Act (S3044) remains pending as of May 2026, leaving New Yorkers without the access and deletion rights Californians have under the CCPA.
  • The practical lever today is prevention: use a disposable address for low-trust signups, never reuse passwords, and watch for breach notices.

The SHIELD Act, in plain English

New York's central data-protection statute is the Stop Hacks and Improve Electronic Data Security Act, signed into law on July 25, 2019 as Chapter 117 of the Laws of 2019 (NY State Senate, S5575B). It rolled out in two stages: the expanded breach-notification rules took effect on October 23, 2019, and the data-security safeguard requirements followed on March 21, 2020 (NY Assembly, S05575).

The SHIELD Act does two things. First, it requires businesses to maintain reasonable safeguards over the private information of New York residents. Second, it requires them to notify affected residents when that information is breached. It does not grant you the kind of access, deletion, or opt-out rights you may have read about in connection with California law.

Who it covers

This is the part most people get wrong. The SHIELD Act applies to any person or business that owns or licenses computerized data containing the private information of a New York resident. The earlier requirement that a company "conduct business" in the state was removed (NY State Senate, S5575B). A retailer in Texas or a SaaS company in Berlin that holds data on New Yorkers is within scope. Geography of the business is irrelevant; what matters is whose data it holds.

What counts as "private information"

Under GBL § 899-bb, private information is personal information combined with any of the following: a Social Security number; a driver's license or non-driver ID number; a financial account number together with the credentials that would allow access to it; biometric data; or a username or email address combined with a password or a security-question answer that would permit access to an online account. Health information held by HIPAA-covered entities is also included.

That last category is worth pausing on. An email address on its own is not protected data under the statute. An email address paired with a password is, because together they unlock an account. This is one reason a throwaway address used for low-stakes signups carries less downside if a service is breached: there is no reused password tied to it that opens your real accounts.

What businesses must do, and what happens if they fail

The safeguard requirements in GBL § 899-bb are organized into three buckets. Administrative safeguards mean designating someone to coordinate the security program, identifying risks, and training employees. Technical safeguards mean assessing risks in network and software design, detecting and responding to attacks, and regularly testing key controls. Physical safeguards mean assessing storage and disposal risks, preventing intrusions, and disposing of private information within a reasonable time.

The standard scales with size. A small business, defined under the statute as one with fewer than fifty employees, less than three million dollars in gross annual revenue in each of the last three fiscal years, or less than five million dollars in year-end total assets, need only implement safeguards appropriate to the size and complexity of its operations (GBL § 899-bb). There is also a safe harbor: an entity already complying with the Gramm-Leach-Bliley Act, HIPAA/HITECH, or applicable state regulations is deemed compliant with the SHIELD Act's data-security requirements (GBL § 899-bb). The framework the statute gestures at maps closely onto the NIST Cybersecurity Framework, the industry baseline most organizations already use.

Enforcement and penalties

The SHIELD Act has no private right of action. You cannot sue a company under it; only the New York Attorney General can (Jackson Lewis, SHIELD Act FAQs). For violations of the safeguard requirements, the Attorney General may seek injunctive relief and civil penalties of up to $5,000 per violation (NY Attorney General, SHIELD Act).

For breach-notification failures under GBL § 899-aa, the math depends on intent. A knowing or reckless violation carries a civil penalty of the greater of $5,000 or up to $20 per failed notification, capped at $250,000. A negligent violation is measured by actual damages. The Attorney General has three years to bring an enforcement action.

Violation type                                  Penalty
Safeguard requirement (§ 899-bb)                Up to $5,000 per violation, plus injunctive relief
Notification, knowing or reckless (§ 899-aa)    Greater of $5,000 or $20 per failed notice, capped at $250,000
Notification, negligent (§ 899-aa)              Actual damages
Who can enforce                                 NY Attorney General only

Enforcement is real, not theoretical. In January 2022 the Attorney General announced a $600,000 SHIELD Act settlement with EyeMed Vision Care over a 2020 breach that exposed roughly 2.1 million people, including nearly 99,000 New Yorkers (Data Protection Report). In 2024 the Attorney General and the Department of Financial Services secured a combined $11.3 million from GEICO and Travelers over breaches affecting more than 120,000 New Yorkers (NY Attorney General).

What changed in December 2024

New York tightened its breach rules at the end of 2024. On December 21, 2024, Governor Hochul signed S2659B (Chapter 647), amending GBL § 899-aa to require breach notification within thirty days of discovery (NY State Senate, S2659B). The old standard was the vaguer "most expedient time possible and without unreasonable delay." The current text keeps that language but adds the hard deadline: "such notification shall be made within thirty days after the breach has been discovered." The same amendment added the Department of Financial Services to the list of regulators that must be notified.

A second 2024 law, S2376B, expanded the definition of private information under § 899-aa to include medical and health-insurance information, effective March 21, 2025 (Governor Hochul, press release). For New Yorkers, the practical effect is that a breach involving your health-insurance details now triggers the same notification obligations as a breach involving your Social Security number.
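The "private information" definition above, the thirty-day deadline, and the March 2025 health-data expansion together decide whether an incident is a notifiable breach. As an added example (not from this page or from any state source), here is a breach-triage helper that encodes the page's summary of those rules: which combinations of exposed fields count, and when notice is due. The element names, the use of a name as the stand-in for "personal information", and the simplified account-number rule are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Element(str, Enum):
    """Exposed-field categories, as summarised on this page (simplified, hypothetical names)."""
    NAME = "name"                              # stands in for 'personal information'
    SSN = "ssn"
    DRIVER_LICENSE = "driver_license"          # driver's license or non-driver ID number
    ACCOUNT_NUMBER = "account_number"          # financial account number
    ACCOUNT_CREDENTIAL = "account_credential"  # code/PIN that would allow access to it
    BIOMETRIC = "biometric"
    EMAIL = "email"
    USERNAME = "username"
    PASSWORD = "password"
    SECURITY_ANSWER = "security_answer"
    MEDICAL = "medical"
    HEALTH_INSURANCE = "health_insurance"


THIRTY_DAY_RULE_EFFECTIVE = date(2024, 12, 21)   # S2659B: fixed 30-day deadline
MEDICAL_ELEMENTS_EFFECTIVE = date(2025, 3, 21)   # S2376B: medical/health-insurance data
NOTIFY_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Triage:
    private_information: bool
    reason: str
    notify_by: Optional[date]   # None when no fixed statutory deadline applies


def triage_breach(exposed: set[Element], discovered: date) -> Triage:
    """Decide whether an exposed field set forms 'private information' under the
    page's summary of GBL § 899-aa, and when notification would be due."""
    reasons = []
    # An account login paired with a password or security answer qualifies on its own.
    if ({Element.EMAIL, Element.USERNAME} & exposed
            and {Element.PASSWORD, Element.SECURITY_ANSWER} & exposed):
        reasons.append("login identifier + password/security answer")
    # Every other data element only counts in combination with personal information.
    if Element.NAME in exposed:
        if Element.SSN in exposed:
            reasons.append("Social Security number")
        if Element.DRIVER_LICENSE in exposed:
            reasons.append("driver's license / non-driver ID")
        if {Element.ACCOUNT_NUMBER, Element.ACCOUNT_CREDENTIAL} <= exposed:
            reasons.append("financial account number + access credential")
        if Element.BIOMETRIC in exposed:
            reasons.append("biometric data")
        if (discovered >= MEDICAL_ELEMENTS_EFFECTIVE
                and {Element.MEDICAL, Element.HEALTH_INSURANCE} & exposed):
            reasons.append("medical / health-insurance information")
    if not reasons:
        return Triage(False, "exposed fields do not form private information", None)
    # Before the December 2024 amendment there was only the 'most expedient time' standard.
    deadline = discovered + NOTIFY_WINDOW if discovered >= THIRTY_DAY_RULE_EFFECTIVE else None
    return Triage(True, "; ".join(reasons), deadline)
```

Note that an email address alone, or an account number without its access credential, comes back as not triggering, matching the distinction drawn above.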

Separately, financial-sector firms operate under a stricter, sector-specific regime. The NYDFS Cybersecurity Regulation, 23 NYCRR Part 500, covers entities licensed under New York's Banking Law, Insurance Law, or Financial Services Law. It first took effect on March 1, 2017; a second amendment was finalized on November 1, 2023, with the final requirements phasing in through November 1, 2025 (NY Department of Financial Services). If you bank or hold insurance with a New York-licensed institution, your data sits under both the SHIELD Act and Part 500.

The right New York doesn't give you (yet)

Here is the gap. The SHIELD Act is a security statute, not a consumer-rights statute. It does not let you ask a company what data it holds on you, demand a correction, or order a deletion (Jackson Lewis, SHIELD Act FAQs). Those rights exist in California under the CCPA and its successor, the CPRA. A Californian can tell a data broker to delete their file; a New Yorker, as of May 2026, generally cannot.

The bill meant to close that gap is the New York Privacy Act (S3044/A4947). It would give New Yorkers rights to access, correct, delete, and opt out of the sale of their personal data. It passed a Senate committee on May 27, 2025, but it has not been signed into law and remains pending (NY State Senate, S3044). Similar versions have been introduced in prior sessions without enactment. New York also has no standalone data-broker registration law in force; bills such as S9088 have been introduced in the 2025-2026 session but none has been signed (NY State Senate, S9088).

That absence has weight given the scale of the data-broker economy, a market valued at over $250 billion (IAPP). In California, residents can use legal rights to pull their records back from brokers. In New York, the practical lever is to limit what brokers can collect in the first place. For a fuller comparison of how email-related rights differ across jurisdictions, see our privacy laws and email rights guide; for the rights New Yorkers don't yet have but Californians do, see the California privacy laws guide.

Why this matters for New Yorkers specifically

New York is a large target. The Office of the New York State Comptroller reported that cyberattack complaints in the state rose 53% between 2016 and 2022, from 16,426 to 25,112 incidents, with estimated 2022 losses exceeding $775 million (NY State Comptroller). The same analysis ranked New York third nationally for corporate data breaches in 2022 with 238 incidents, behind only California and Florida, with healthcare and financial services the two most attacked sectors.

The FBI's Internet Crime Complaint Center ranked New York fourth among U.S. states for cybercrime losses in 2023. Business email compromise was the second-costliest category nationally that year, with 21,489 complaints and $2.9 billion in reported losses (FBI IC3 2023). Most of those scams start in an inbox. Phishing was involved in roughly 36% of breaches in Verizon's 2024 Data Breach Investigations Report, and the Anti-Phishing Working Group counts about 3.4 billion phishing emails sent daily (APWG). Email is a heavily abused channel in general: Kaspersky found 47.27% of all email worldwide in 2024 was spam (Kaspersky).

The cost of a single exposed record is not abstract. IBM's 2024 report puts the average cost per stolen record at $169 (IBM), and breach-tracking service Have I Been Pwned has catalogued over 17.5 billion compromised accounts (HIBP). The historical picture for New York specifically: a 2014 Attorney General report found breaches affecting the state tripled between 2006 and 2013, exposing 22.8 million records of New Yorkers across nearly 5,000 breaches, with hacking accounting for 64% of records exposed (NY Attorney General). That figure describes the 2006-2013 window, not today, but it set the context for the SHIELD Act that followed.

Practical steps to protect your email and your data

Since New York gives you a security floor but no deletion rights, the most useful move is to reduce your exposure before data is collected. These steps are concrete and take effect immediately.

  1. Use a disposable address for low-trust signups. Newsletters, one-time downloads, store loyalty programs, app trials, and event tickets rarely need your primary inbox. A temporary address keeps your real one out of marketing lists and out of any breach those services later suffer.
  2. Never reuse a password. The SHIELD Act treats an email-plus-password pair as private information for a reason: that pair unlocks accounts. A password manager generating a unique credential per site means a single breached service exposes one account, not all of them.
  3. Turn on two-factor authentication for accounts tied to your real email, especially banking and health portals, which in New York may also sit under NYDFS Part 500.
  4. Check whether you have already been exposed. Run your real address through Have I Been Pwned and reset the password on any service that shows up.
  5. Keep a record after any breach notice. Under New York's thirty-day rule, companies must notify you within thirty days of discovering a breach. Save the notice, note the date, and consider credit monitoring if financial data was involved.
  6. Report failures to the regulator. If a company fails to notify you of a breach, the New York Attorney General is the enforcer. File at ag.ny.gov.

Where temporary email fits

A disposable inbox is one privacy tactic, not a legal shield. It does not make you anonymous, exempt you from any law, or guarantee compliance with anything. What it does is narrow the surface: fewer services hold your real address, so fewer breaches can reach it. TempMailSpot is a free, no-registration disposable-email tool. You open a page, get an address, and new mail appears automatically within seconds; it polls frequently at first and then eases off as the session ages. The default mailbox lasts ten minutes with unlimited extension, and unlike most receive-only competitors it can also send a reply behind a CAPTCHA. You can export messages as PDF, JSON, or EML, and there is a public REST API and an embeddable widget for developers. For a sense of local context, our New York landing page covers the city-specific picture. Use a throwaway address for the verification email a sketchy site demands, and keep your real inbox for the handful of services that genuinely need it.

New York protects how your data is secured, not whether it gets collected. The SHIELD Act obliges any business holding a New Yorker's private information to safeguard it and to tell you within thirty days when it leaks, and the Attorney General enforces that with real settlements. What the state has not yet passed is a consumer-rights law: there is no statutory right to access, correct, or delete your data the way Californians can, and the New York Privacy Act remains pending as of May 2026.

Until that changes, the rights you can exercise today are practical ones. Limit what you hand over, never reuse a password, watch for breach notices, and keep a disposable address between you and the services that don't need your real one. Those habits hold up regardless of which bill the legislature signs next.

Sources

  1. New York State Senate, NY State Senate Bill 2019-S5575B (SHIELD Act) (2019)
  2. New York State Senate (Consolidated Laws), GBL § 899-BB — Data security protections (2020)
  3. New York State Senate (Consolidated Laws), GBL § 899-AA — Notification; person without valid authorization (2024)
  4. New York State Senate, NY State Senate Bill 2023-S2659B (Chapter 647) (2024)
  5. New York State Attorney General, SHIELD Act (2020)
  6. New York State Senate, NY State Senate Bill 2025-S3044 (New York Privacy Act) (2025)
  7. New York Department of Financial Services, Cybersecurity Resource Center (2023)
  8. Office of the New York State Comptroller, DiNapoli: Cyberattack Complaints in New York Rise 53% (2023)
  9. California Attorney General, California Consumer Privacy Act (2020)
  10. IAPP, The Data Broker Industry Report (2024)
  11. FBI Internet Crime Complaint Center, Internet Crime Report 2023 (2024)
  12. Verizon, Data Breach Investigations Report 2024 (2024)
  13. Kaspersky Securelist, Spam and phishing in 2024 (2025)
  14. Anti-Phishing Working Group, Phishing Activity Trends Report Q3 2024 (2024)
  15. IBM, Cost of a Data Breach Report 2024 (2024)
  16. Have I Been Pwned, Pwned Websites Database (2025)
  17. NIST, Cybersecurity Framework (2024)
