Can I use third-party email marketing tools that collect personal information in New York? What are the requirements?

Using Third-Party Email Marketing Tools in New York

If you are using third-party email marketing tools that collect personal information in New York, you must comply with the state’s laws and regulations regarding the use and disclosure of personal information.

Under NYCL GBS § 640, a manufacturer or distributor of a home-use medical diagnostic device shall not disclose to a marketer of goods or services or to a third party acting on behalf of any such marketer any personal identifiable information of a user for target marketing purposes without having first afforded such user the right to prohibit such disclosure. The warranty registration card, owner’s registration card or other similar form shall conspicuously disclose, if applicable, that a user’s personal identifiable information may be used for target marketing purposes and shall provide such user the opportunity to be excluded from any such target marketing list by means of a check-off box contained on the card or other similar form. Such notice shall include a pre-addressed postage-paid form by which a user can exercise the right to prohibit disclosure.

Under 11 NYCRR 420.13, the opt-out requirements in sections 420.7 and 420.10 of this Part do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with section 420.4 of this Part and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.

Under NYCL STT § 208, any state entity that owns or licenses computerized data that includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

Additionally, under 21 NYCRR 2053.4, a corporation may not disclose any record or personal information unless such disclosure is pursuant to a written request by or the voluntary written consent of the data subject, provided that such request or consent by its terms limits and specifically describes the personal information which is requested to be disclosed, the person or entity to whom such personal information is requested to be disclosed, and the uses which will be made of such personal information by the person or entity receiving it.

Therefore, if you are using third-party email marketing tools that collect personal information in New York, you must provide users with the opportunity to opt-out of any target marketing lists and ensure that any third-party service providers you use are contractually obligated to protect the personal information they receive and use it only for the purposes for which it was disclosed. Additionally, if there is a breach of the security of the system, you must disclose the breach to any affected residents of New York state. Finally, you must obtain written consent from the data subject before disclosing any personal information to a third party.

Jurisdiction

New York

• Privacy