New York Governor Kathy Hochul signed the New York Privacy Act into law on June 10, 2026, creating the strictest consumer data privacy law in the United States and giving New York residents a private right of action to sue companies for privacy violations without needing government enforcement.

The law, which takes effect January 1, 2028, requires companies collecting data on more than 100,000 New York residents annually to obtain opt-in consent before processing sensitive data, conduct data protection impact assessments for high-risk processing activities, and honor universal opt-out signals like the GPC browser header.

The private right of action provision, which allows individual consumers to sue for up to $15,000 per intentional violation, sets New York apart from California’s CCPA and other state laws where enforcement is limited to state attorneys general. Legal experts described it as the “most consequential change in US privacy law since HIPAA.”

Key Provisions of the New York Privacy Act

Opt-in consent is required before processing “sensitive data” including race, ethnicity, religious beliefs, mental health information, precise geolocation, biometric data, sexual orientation, and immigration status. This is more protective than California’s CPRA, which requires opt-out rather than opt-in for some sensitive categories.

Data minimization requirements limit companies to collecting only data “reasonably necessary” for the stated purpose of collection. Purpose limitation rules prohibit using data for a materially different purpose without new consent. These provisions mirror the EU’s GDPR principles and are new to US privacy law.

Children under 18 receive additional protections. Companies must treat any user whose data they reasonably should know belongs to someone under 18 as a minor, with behavioral advertising, dark patterns, and data selling disabled by default unless there is explicit parental consent.

Comparison: New York Privacy Act vs. Other US Privacy Laws

| Feature | NY Privacy Act | California CPRA | Virginia CDPA |
|---|---|---|---|
| Private right of action | Yes ($15K/violation) | No | No |
| Opt-in for sensitive data | Yes (all categories) | Partial | Yes (most) |
| Data minimization | Required | Limited | Limited |
| GPC browser signal | Required to honor | Required | Not required |
| Effective date | Jan 1, 2028 | In effect | In effect |

Industry Reaction and Compliance Timeline

The US Chamber of Commerce and TechNet, a technology industry group, issued statements criticizing the private right of action as “litigation risk that will burden businesses of all sizes with nuisance lawsuits.” Both groups said they would explore legal challenges before the law takes effect.

Privacy law firms in New York said the private right of action will create a new category of class action litigation similar to Illinois BIPA lawsuits, with plaintiffs’ firms likely to file cases targeting large-scale data collectors immediately after the law takes effect.

Frequently Asked Questions

Who does the New York Privacy Act apply to?

The New York Privacy Act applies to businesses that process personal data of 100,000 or more New York residents annually, or that process data of 25,000 or more residents and derive more than 25 percent of revenue from selling personal data. Small businesses below these thresholds are exempt.

When does the New York Privacy Act take effect?

The New York Privacy Act takes effect January 1, 2028, giving companies approximately 18 months to achieve compliance from the June 2026 signing date. The New York Attorney General’s office will begin enforcement on the effective date, and private lawsuits can be filed by any affected New York resident.

What is a private right of action in privacy law?

A private right of action means individual consumers can file lawsuits directly against companies for privacy violations, without waiting for a government agency to bring an enforcement action. Most US state privacy laws rely on attorney general enforcement only. The private right of action in the New York Privacy Act, with damages up to $15,000 per intentional violation, makes individual lawsuits economically viable.

Trust Post Desk