Can I use third-party social media tools that collect personal information in New York? What are the requirements?

Using Third-Party Social Media Tools that Collect Personal Information in New York

Yes, you can use third-party social media tools that collect personal information in New York, but you must comply with the Personal Privacy Protection Law and the regulations therein ^[1.1].

To ensure compliance with the Personal Privacy Protection Law, you should consider the following requirements:

• Designate a privacy compliance officer responsible for ensuring compliance with the law and coordinating the department’s response to requests for records or amendment of records ^[1.1][3.1].
• Develop procedures by which a data subject can learn if a system of records contains any information pertaining to the data subject ^{[1.1][4.2][1.3]}.
• Deny access to personal information to which a data subject is otherwise prohibited by law from gaining access ^{[1.1][2.1][2.2][1.2]}.
• Deny access to attorney’s work product or material prepared for litigation before a judicial, quasi-judicial or administrative tribunal unless disclosure is mandated by a statute, a grand jury subpoena, a subpoena issued in the course of a criminal action or proceeding, a court-ordered subpoena, a search warrant or a court order ^[1.1].
• Notify affected persons of any breach of the security of the system following discovery or notification of the breach in the security of the system ^[2.3].

It is important to note that the definition of “private information” under New York law includes personal information consisting of any information in combination with any one or more of the following data elements: social security number, driver’s license number or non-driver identification card number, account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual’s financial account, account number, or credit or debit card number, if circumstances exist wherein such number could be used to access to an individual’s financial account without additional identifying information, security code, access code, or password, or biometric information ^[2.3].

Therefore, if the third-party social media tool collects any of the above data elements, you must take appropriate measures to protect the privacy of the data subjects and comply with the notification requirements in case of a breach.

Conclusion

You can use third-party social media tools that collect personal information in New York, but you must comply with the Personal Privacy Protection Law and the regulations therein. This includes designating a privacy compliance officer, developing procedures for data subject requests, denying access to certain types of personal information, and notifying affected persons in case of a breach. Additionally, you should take appropriate measures to protect the privacy of the data subjects and comply with the notification requirements in case of a breach.

Source(s):

• [1.1] Privacy compliance officer; personal information procedures.
• [2.1] Access to personal information
• [2.2] Collection and disclosure of personal information
• [3.1] Personal privacy compliance officer.
• [2.3] Notification; person without valid authorization has acquired private information
• [4.2] Requests for records.
• [1.2] Purpose and scope.
• [1.3] Requests for records.

Jurisdiction

New York

• Privacy