New York's website compliance landscape is shaped by the SHIELD Act (data security + breach notification), New York City's Local Law 144 governing automated hiring tools, a robust biometric privacy statute, and the highest volume of ADA web-accessibility lawsuits in the country. There is no comprehensive state privacy law yet, but proposed bills are pending.
Last reviewed 2026-06-01 · Risk rating rationale: More than 60% of US ADA web-accessibility lawsuits are filed in the Southern District of New York. Settlements average $25,000–$75,000 and a single non-compliant page generates exposure.
Find out in 10 seconds whether your site meets New York's requirements
Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most New York sites we scan fail at least three.
No credit card · Email required so we can send you the full results.
Key New York laws affecting websites
The statutes most likely to apply to a commercial website serving New York residents. Click a citation to read the official text where available.
SHIELD Act
— Stop Hacks and Improve Electronic Data Security Act · Effective 2020
Applies to: Any business that owns or licenses computerized data containing private information of a New York resident. There is no revenue threshold and no NY office requirement. Small businesses (fewer than 50 employees, under $3 million in gross revenue in each of the last three fiscal years, or under $5 million in year-end total assets) are still covered, but their safeguards may be scaled to their size, the nature of their business, and the sensitivity of the data they hold.
What your website must do
Implement reasonable administrative, technical, and physical safeguards for private information
Designate a person responsible for the security program
Conduct risk assessments and train workforce
Notify affected NY residents 'in the most expedient time possible and without unreasonable delay' after a breach, and notify the NY Attorney General, the Department of State, and the Division of State Police
Citation: N.Y. Gen. Bus. Law §§ 899-aa, 899-bb
NYC Local Law 144
— Automated Employment Decision Tools Law · Effective 2023
Applies to: Employers and employment agencies in NYC that use Automated Employment Decision Tools (AEDT) to substantially assist or replace discretionary decision-making for hiring or promotion of NYC residents.
What your website must do
Publish a summary of the AEDT bias audit on the careers website
Notify candidates at least 10 business days in advance that an AEDT will be used
Disclose what data the AEDT uses
Have an independent bias audit completed within the year before the tool is used, and repeat it annually for as long as the tool stays in use
Citation: N.Y.C. Admin. Code § 20-870 et seq.
NYC Biometric Privacy Law
— Biometric Identifier Information Law · Effective 2021
Applies to: Commercial establishments in NYC that use biometric identifier information.
What your website must do
Post conspicuous signage at the entrance of the establishment disclosing biometric collection
Do not sell, lease, or share biometric information
On a website that supports such an establishment: mirror the signage with a privacy disclosure of biometric collection practices (the ordinance itself only mandates the physical signage and the no-sale rule; the web disclosure is good practice, not a statutory requirement)
Citation: N.Y.C. Admin. Code § 22-1201 et seq.
New York compliance by topic
Consumer data protection
State-specific rule applies
What your site has to disclose, ask consent for, and allow consumers to do with their personal information.
New York doesn't have a comprehensive consumer privacy law like California, but the SHIELD Act creates substantial obligations around data security and breach notification. The New York Privacy Act (S. 365) has been reintroduced multiple sessions and is the bill most likely to fill the gap.
Practical requirements for your website
Implement reasonable security safeguards for any system that holds NY residents' private information
Designate a workforce role with security responsibility
Conduct documented risk assessments
Provide a privacy policy on the website disclosing data practices (good practice; required for sectoral laws)
Notify affected residents, the NY Attorney General, the Department of State, and the State Police after a breach
Cookies and tracking
Federal law applies
When you need consent, opt-outs, or universal-signal honor for cookies and analytics scripts.
No state-specific cookie law in New York. EU GDPR cookie consent obligations apply if you serve EU users, and CCPA-style opt-outs apply to California residents — both common reasons NY-based sites add cookie banners regardless.
Practical requirements for your website
Disclose third-party tracking cookies in the privacy policy
Provide opt-out controls when serving users in jurisdictions that require them (CA, CO, CT, etc.)
Don't assume a cookie identifier alone is 'private information' under the SHIELD Act; it is not. Cookies fall in scope only when their contents, or the data keyed to them, combine an identifier with a listed element (for example a session cookie that carries a username and password, or one that unlocks a financial account number), in which case that stored data must be protected like any other private information
Accessibility (ADA + state)
State-specific rule applies
WCAG conformance expectations and how the state's accessibility cases tend to be litigated.
The New York State Human Rights Law (NYSHRL) and NYC Human Rights Law (NYCHRL) both prohibit discrimination by places of public accommodation, including commercial websites. Combined with federal ADA litigation, NY is the highest-volume jurisdiction for website accessibility lawsuits in the US.
Practical requirements for your website
Conform to WCAG 2.1 Level AA — the de facto standard in NY accessibility settlements
Provide an accessibility statement with a contact route for users encountering barriers
Train customer-facing teams to receive and respond to accessibility complaints
Document remediation efforts; courts treat documented progress as a mitigating factor
Cybersecurity and breach response
State-specific rule applies
What 'reasonable security' looks like under state law and how fast you have to notify after a breach.
The SHIELD Act imposes one of the most prescriptive reasonable-security requirements in any state law, with specific administrative, technical, and physical safeguards enumerated. The NY DFS Cybersecurity Regulation (23 NYCRR 500) layers additional requirements on financial-services businesses.
Practical requirements for your website
Designate a security program owner and conduct workforce training
Implement access controls, multi-factor authentication for privileged access, and encryption of sensitive data in transit and at rest
Conduct annual risk assessments and regularly test the effectiveness of key controls (the SHIELD Act asks for regular testing and monitoring; annual penetration testing is an explicit 23 NYCRR 500 requirement for covered financial entities and a sensible benchmark for everyone else)
Maintain documented incident response and recovery procedures
If you're a covered financial entity, comply with 23 NYCRR 500 in full
Email and SMS marketing
State-specific rule applies
How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.
New York follows federal CAN-SPAM with one notable addition — N.Y. Gen. Bus. Law § 396-o prohibits the use of automatic dialing or pre-recorded messages without prior express consent. SMS marketing campaigns aimed at NY residents must follow it in addition to TCPA.
Practical requirements for your website
Comply with federal CAN-SPAM for email
Obtain prior express written consent for SMS marketing and automated calls
Include working unsubscribe (email) and STOP (SMS) mechanisms
Include the marketer's identity in every commercial message
AI regulation
State-specific rule applies
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
New York City's Local Law 144 is the country's first operational AI-in-hiring statute. Employers using automated decision tools for NYC-located candidates must conduct annual bias audits and disclose the use of the AEDT to candidates and to the public.
Practical requirements for your website
If using an AEDT for NYC hiring/promotion: commission an annual independent bias audit
Publish the bias-audit summary on the careers website
Notify candidates at least 10 business days in advance that an AEDT will be used
Disclose to candidates what data the AEDT collects and processes
Frequently asked questions about New York website compliance
Does my website have ADA liability in New York?
If you have any commercial website serving New York consumers, you should assume yes. The Southern District of New York leads the country in ADA Title III web-accessibility lawsuits — roughly 60% of all such cases are filed there. Settlements average $25,000–$75,000 per defendant and serial plaintiffs file in volume. WCAG 2.1 Level AA is the de facto compliance standard.
Do I need to comply with NYC Local Law 144 if I'm not in NYC?
Yes if you use an Automated Employment Decision Tool to make hiring or promotion decisions about NYC-located candidates. The law applies based on the candidate's location, not the employer's, and the obligation sits with the employer or employment agency, not the vendor whose tool you license. Many national recruiting platforms supply bias-audit reports to their customers, but it is still your job to publish the summary on your careers page and send the candidate notices, even if you only occasionally hire in NYC.
What is the SHIELD Act and does it apply to my site?
The SHIELD Act applies to any business that owns or licenses computerized data containing 'private information' of a New York resident. That means a personal identifier (name, number, or other identifying mark) combined with an SSN, a driver's license or non-driver ID number, a financial account or card number (together with any code or password needed to use it, or alone if none is needed), or biometric information; it also covers a username or email address combined with a password or security question and answer, with or without a name. There is no revenue threshold, so any commercial site that stores such data about NY residents, user accounts with passwords being the most common case, is covered. The act requires reasonable security safeguards and breach notification.
Is there a New York equivalent of CCPA on the way?
The New York Privacy Act (S. 365) has been introduced in multiple sessions but hasn't passed. It would give NY residents the standard modern set of privacy rights — access, correction, deletion, opt-out — and impose CCPA-style obligations on businesses. Watch it during the 2025–2026 session; pressure has been building each year.
Ready to check your own site against New York's requirements?
The same free 9-check scan, no signup needed. Two of the findings include drafted fixes you can copy/paste; full results (and ongoing monitoring) come with a free account.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-01. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in New York.