1. United States
2. N.Y.
3. Letter

I am a New York constituent writing because recent expansions in sensitive data collection by major digital platforms, combined with growing government reliance on commercially collected data, expose a serious gap in privacy protections for New Yorkers. TikTok’s updated U.S. privacy policy explicitly permits the collection and processing of “sensitive personal information,” including precise location data, government-issued identification, financial information, immigration or citizenship status, and attributes users may disclose such as transgender or nonbinary status. This collection occurs through take-it-or-leave-it terms and without clear necessity or proportional limits, reflecting a broader trend of overcollection across the digital ecosystem. In tandem, recent reporting has shown how federal agencies, including ICE, rely on phone, internet, location, and other commercially collected data to identify and track individuals. When sensitive data is collected at scale by private companies, it can be repurposed or accessed in ways that extend far beyond the original context, affecting everyday New Yorkers without clear state-level guardrails. New York residents currently lack comprehensive, enforceable rights governing how sensitive personal data is collected, retained, used, or shared. Other jurisdictions have demonstrated that this problem is solvable. California has enacted a comprehensive privacy framework and is strengthening it further through updated CCPA/CPRA regulations effective January 1, 2026, reinforcing limits on sensitive data, purpose-based collection, and enforcement. The GDPR similarly shows that data minimization, retention limits, and heightened consent standards are workable at scale. I urge you to support and advance comprehensive, technology-neutral privacy legislation this session that limits sensitive data collection, requires clear purpose and proportionality, provides enforceable consumer rights, and ensures meaningful enforcement. New Yorkers should not have their privacy rights defined by evolving corporate policies or downstream data use. I would appreciate your position on this issue and any steps you are taking to move such legislation forward.