Disclaimer: The views or positions expressed below are my own and do not represent the views or positions of the Commissioner of Competition, the Competition Bureau of Canada, or the Government of Canada.

New York State legislature recently passed two consumer protection bills in response to the Covid-19 pandemic. As subscription products and services are readily available online, there is a risk that consumers may face ongoing charges on their accounts without their consent. Passed in July 2020, Bill S01475A prohibits businesses from making an automatic renewal or a continuous service offer to consumers in New York. In these circumstances, businesses must provide "clear and conspicuous" disclosures, which includes several elements. First, businesses must clearly state that the subscription will continue until the consumer cancels. This includes providing details of the cancellation policy, and a costeffective, timely, and easy-to-use mechanism for cancellation (e.g. a toll-free number or email). Second, businesses must disclose that recurring charges will be made to the consumer's account, the payment method, any changes in charges that may take place, and the minimum purchase obligation. Third, if there is a free gift or a free trial, it requires a clear and conspicuous explanation of the price that will be charged after the trial ends and/or how it will change. Finally, consumers who accept an auto-renewal should be able to terminate it exclusively online.

Tech solutions that respond to COVID-19 must adhere to Bill S8448D's ethical guidelines in order to maintain New Yorkers' privacy rights. This bill, passed in July 2020 restricts the conduct of entities who track, screen, monitor, contract trace, mitigate or respond to COVID-19 by using the emergency health data of New Yorkers. Important elements of the bill include consent, disclosure and security protocols. First, entities must obtain consent from individuals and disclose certain information, including the right to privacy; who will have access to the data; how the data will be used; and how long it could be stored. Second, an individual has the right to know, through a privacy policy, what emergency health data is being collected, processed, disclosed and deleted, including the reasons. Transparency reports must be readily and persistently available on an entity's website. Finally, security procedures and practices are required to ensure confidentiality, integrity, and availability of emergency health data. Entities must hire a neutral third party to conduct annual data protection audits. Notably, this bill allows for a private right of action and enforcement by the attorney general.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be ought about your specific circumstances.