The city and state are constructing an ambitious legal barrier around residents’ data, pushing the limits of how far a local democracy can counter global technology giants without waiting for federal action.
A growing pushback against the quiet dominance of Big Tech
New York does not operate under a flashy banner of “digital sovereignty” or a single, neatly packaged strategy. Instead, it is methodically putting together a robust framework made up of laws, regulatory offices, and procurement standards. Taken together, these measures steadily shift control away from companies such as Meta, Google, Amazon, and Microsoft.
The objective is both simple and politically charged: to prevent the data, infrastructure, and everyday lives of New Yorkers from being shaped primarily by the profit-driven models of a small group of private corporations.
In this approach, data is treated as critical infrastructure, not merely a side effect of using digital services.
Three parallel tracks reshaping digital governance
This transformation has unfolded simultaneously on three fronts. First, New York has been tightening regulations governing how companies collect, share, and sell personal information. Second, it has begun restricting the technologies that local authorities are allowed to purchase. Third, it is establishing new public institutions to oversee digital assets and cybersecurity.
Individually, each step appears technical. Together, they outline a regulatory model that unsettles Big Tech legal teams: a US city and state adopting an approach to data regulation that increasingly resembles the European Union.
The New York Privacy Act and its GDPR-style impact
At the heart of this shift is the New York Privacy Act, a far-reaching bill currently moving toward adoption. It would apply to any company, domestic or foreign, that conducts business involving New York residents.
The act draws heavily on European-style rules while introducing its own variations. Companies would need to secure explicit consent before processing or sharing personal data, ending reliance on vague consent banners buried in dense legal text.
Businesses would also be required to clearly explain what data they collect, how it is used, who receives it, and for what purpose. Residents would gain enforceable rights, including the ability to correct inaccurate information, request deletion, and refuse certain data uses.
For global platforms, the message is direct: access to New Yorkers comes with New York’s rules.
Wide reach beyond state and national borders
The scope of the law is broad. A small European game studio with paying users in Manhattan, a California-based AI firm harvesting data from New Yorkers, or a retail chain analysing customer behaviour in Brooklyn would all fall under its authority.
Using public procurement as regulatory leverage
Consumer rights are only part of the strategy. New York has also adopted standards that limit which technologies city and state agencies can purchase.
Certain computers, components, and information systems are now excluded if they pose recognised cybersecurity risks. This gives lawmakers influence over both foreign-manufactured hardware and opaque cloud-based services.
By shaping procurement rules, New York simultaneously protects public networks from vulnerabilities and signals to vendors that higher security and transparency standards are mandatory for access to public funds.
A dedicated office for blockchain and digital assets
Another element of this framework is more forward-looking: a municipal office focused on digital assets and blockchain, established last year.
Its mandate is to coordinate blockchain initiatives across city departments and encourage responsible use of digital technologies. This includes practical issues such as registering transactions on tamper-resistant ledgers, managing city-issued digital credentials, and defining who controls these systems.
By centralising evaluation, the office prevents private vendors from unilaterally setting technical standards.
Protecting children by redesigning default data practices
The next phase of legislation targets one of the most sensitive areas in the digital economy: children’s data.
Scheduled to take effect at the end of 2025, the New York Child Data Protection Act (NYCDPA) focuses on platforms that profile minors and prioritise screen time above all else.
- No targeted advertising based on personal data for users under 18
- A ban on dark patterns that encourage prolonged use or excess data sharing
- Privacy-by-default settings for all minor accounts
Violations can result in fines of up to $5,000 per incident, enforced by the state Attorney General. For large platforms, repeated breaches could quickly escalate into multimillion-dollar penalties.
Beyond financial risk, the law challenges engagement-first design models, requiring age-sensitive interfaces, reduced tracking, and clearer parental controls.
Stricter rules for health and wellness data
New York is also strengthening protections around health-related data, which has become increasingly valuable to advertisers, brokers, and AI developers.
The New York Health Information Privacy Act, active since 2024 and expanded in 2025, imposes tougher rules on medical and wellness information.
Residents gain the right to have certain health data erased, closing gaps that previously allowed outdated or inaccurate records to persist. The law also prohibits the sale of health information without explicit authorisation.
These provisions affect not only hospitals but also period-tracking apps, mental health platforms, fitness devices, and genetic testing services operating in New York.
DIGIT: centralising the state’s digital oversight
As part of the State of the State 2026 agenda, Governor Kathy Hochul has proposed creating the Office of Digital Innovation, Governance, Integrity & Trust (DIGIT).
DIGIT would unify oversight of cybersecurity, data protection, and technology policy across state agencies. Rather than fragmented responsibilities, a single office would coordinate responses to cyber threats, standardise privacy practices, and review major technology projects.
This approach treats digital policy as a long-term public obligation, comparable to transport or housing.
A political shift unsettling Silicon Valley
This regulatory push developed gradually, beginning under former Republican mayor Eric Adams, who highlighted the power imbalance between cities and technology giants.
The momentum is expected to grow under his successor, Democrat Zohran Mamdani, who assumed office on 1 January 2026. His appointment of Lina Khan, known for her assertive stance on antitrust enforcement, to lead the municipal transition team sent a clear signal.
Khan’s views on regulating dominant platforms are now positioned to influence how New York contracts with and oversees major technology firms.
Why one city can reshape national standards
While these measures apply to a single city and state, many global platforms are unlikely to maintain separate systems exclusively for New York.
Companies must choose between applying stricter New York-style standards across the US or managing complex, location-based variations that increase legal risk.
There is also the possibility of imitation. If New York’s model proves workable, other major cities may adopt similar rules, potentially creating a strong local patchwork long before Congress enacts federal privacy legislation.
Making “digital sovereignty” tangible
Often seen as an abstract concept, digital sovereignty becomes concrete in New York’s approach. It centres on who defines data rules, who controls essential infrastructure, and who benefits economically from digital services.
Through procurement controls, strict privacy laws, and dedicated governance bodies, the city and state aim to ensure that public interests are not fully overshadowed by private platform incentives.
Everyday life under a new digital order
A teenager in Queens using social media under the NYCDPA would encounter fewer targeted ads, clearer privacy settings, and reduced pressure to overshare.
A patient using an online therapy platform would know their sensitive health data cannot be quietly sold without clear consent and could be deleted if they change their mind.
City agencies deploying smart infrastructure would be restricted from purchasing insecure technology and encouraged to use transparent systems with clearly defined access rules.
Benefits, limits, and what comes next
Residents may gain stronger privacy protections, more secure public systems, and greater control over how their data is used. Local businesses could face initial compliance costs but also benefit from a fairer competitive environment.
There are trade-offs. Stricter rules may slow certain innovations or deter some smaller foreign startups. Enforcement capacity will be tested as regulators monitor fast-evolving digital ecosystems.
The key question is whether New York remains an exception or becomes a model. If other cities follow this path, the balance of power between Big Tech and local governments across the US could shift faster than anticipated.
