New York’s Privacy Bill Failed Last Session—But It Gives Us a Look at What Future Laws Might Look Like

The bill, refiled this session, introduces the idea of a 'data fiduciary'

New York State Sen. Kevin Thomas introduced the New York Privacy Act, which died in committee last session.

Policy conversations are getting renewed attention following January’s implementation of California’s data privacy legislation, but lawmakers around the country have been at work crafting attempts at comprehensive privacy laws for their own states.

In New York, state Sen. Kevin Thomas’s S5642, known as the New York Privacy Act, has been heralded by data privacy advocates like the Electronic Frontier Foundation and Center for Digital Democracy as a more comprehensive version of the California Consumer Privacy Act—and seen by opponents and industry groups as a new obstacle to publishers and platforms.

The major provisions of the NYPA outline a higher standard of consumer protection on the part of companies that collect consumer data, give consumers more control over what data can be collected by companies and give individual consumers the right to sue companies directly in what’s known as a private right of action.

Here’s the thing: When the 2019 legislative session ended in June, the NYPA died in committee, so the bill didn’t receive a full Senate floor debate or vote. But lawmakers in the committee on consumer protection held a hearing earlier that month, where experts from around the country testified on the importance and risks of privacy legislation in general, as well as the merits and downfalls of the bill itself.

As filed, the NYPA lays out significantly more restrictive regulations than CCPA and stronger consumer privacy rights. One aspect of the legislation in particular, a “data fiduciary,” is truly “novel,” according to Mitch Noordyke, an intellectual property lawyer and former Westin Fellow at the International Association of Privacy Professionals.

New York’s stalled law introduces data fiduciaries

The concept of “data fiduciary” as defined in the bill would require companies that collect data from consumers to act in the best interest of the consumers, rather than the business. The concept is modeled after laws like the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, which prohibits the free exchange of patient data between health care providers. While HIPAA slowed down data transfer processes by requiring consent forms to be signed before providers can transfer records, the law also increased patients’ confidence and trust in their providers.

The goal in establishing data fiduciaries, according to the New York Civil Liberties Union, is to ensure that the same kind of care is being taken with the personal data collected by tech companies. Due to the specialized and sensitive nature of data collection and the difficulty faced by laypeople attempting to understand the fine print of privacy policies, the data fiduciary provision would place the responsibility of protecting consumers on the companies themselves, in a sense.

But rather than simply requiring companies to get consent before sharing consumer data, those companies would be prohibited from doing anything with that data that could cause harm to the consumer. Certain kinds of targeted advertising could fall into this category, according to the NYCLU’s Allie Bohm. Examples include targeted ads that seek to shape a person’s voting habits or prevent a certain type of person from seeing a job posting or housing opportunity.

As with many aspects of these privacy laws, the implementation of such a provision raises a lot of questions surrounding workability for the companies affected. The data fiduciary concept sets up a different framework than that of the CCPA or the EU’s General Data Protection Regulation, neither of which includes a data fiduciary provision, noted Lisa Sotto, a global privacy and cybersecurity practice lawyer in New York. As such, the NYPA would add a significant level of complexity to compliance.

Several industry advocates testified against the legislation during the committee hearing, including the Business Council of New York State, the Retail Council for New York State, TechNet, Tech NYC, and the Internet Association, which represents dozens of major tech companies like Amazon, eBay, Facebook, Google, Lyft, Spotify and Uber.

Bill aims to increase transparency and ensure the right to private action

Another notable provision of the NYPA would allow individual consumers to sue companies for violating their data privacy rights, rather than only as part of a class-action lawsuit—something that was included in the original draft of the CCPA, but which lawmakers narrowed to apply only to security breaches in the version that passed into law.
