Policy conversations are getting renewed attention following January’s implementation of California’s data privacy legislation, but lawmakers around the country have been at work crafting attempts at comprehensive privacy laws for their own states.
In New York, state Sen. Kevin Thomas’s S5642, known as the New York Privacy Act, has been heralded by data privacy advocates like the Electronic Frontier Foundation and Center for Digital Democracy as a more comprehensive version of the California Consumer Privacy Act—and seen by opponents and industry groups as a new obstacle to publishers and platforms.
The major provisions of the NYPA outline a higher standard of consumer protection on the part of companies that collect consumer data, give consumers more control over what data can be collected by companies and give individual consumers the right to sue companies directly in what’s known as a private right of action.
Here’s the thing: When the 2019 legislative session ended in June, the NYPA died in committee, so the bill didn’t receive a full Senate floor debate or vote. But lawmakers in the committee on consumer protection held a hearing earlier that month, where experts from around the country testified on the importance and risks of privacy legislation in general, as well as the merits and downfalls of the bill itself.
As filed, the NYPA lays out significantly more restrictive regulations than CCPA and stronger consumer privacy rights. One aspect of the legislation in particular, a “data fiduciary,” is truly “novel,” according to Mitch Noordyke, an intellectual property lawyer and former Westin Fellow at the International Association of Privacy Professionals.
New York’s stalled law introduces data fiduciaries
The concept of “data fiduciary” as defined in the bill would require companies that collect data from consumers to act in the best interest of the consumers, rather than the business. The concept is modeled after laws like the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, which prohibits the free exchange of patient data between health care providers. While HIPAA slowed down data transfer processes by requiring consent forms to be signed before providers can transfer records, the law also increased patients’ confidence and trust in their providers.
The goal in establishing data fiduciaries, according to the New York Civil Liberties Union, is to ensure that the same kind of care is being taken with the personal data collected by tech companies. Due to the specialized and sensitive nature of data collection and the difficulty faced by laypeople attempting to understand the fine print of privacy policies, the data fiduciary provision would place the responsibility of protecting consumers on the companies themselves, in a sense.
But rather than simply requiring companies to get consent before sharing consumer data, those companies would be prohibited from doing anything with that data that could cause harm to the consumer. Certain kinds of targeted advertising could fall into this category, according to the NYCLU’s Allie Bohm; examples include targeted ads that seek to shape a person’s voting habits or that prevent a certain type of person from seeing a job posting or housing opportunity.
As with many aspects of these privacy laws, the implementation of such a provision raises a lot of questions surrounding workability for the companies affected. The data fiduciary concept sets up a different framework from that of the CCPA or the EU’s General Data Protection Regulation, neither of which includes a data fiduciary provision, noted Lisa Sotto, a global privacy and cybersecurity practice lawyer in New York. As such, the NYPA would add a significant level of complexity to compliance.
Several industry advocates testified against the legislation during the committee hearing, including the Business Council of New York State, the Retail Council for New York State, TechNet, Tech NYC, and the Internet Association, which represents dozens of major tech companies like Amazon, eBay, Facebook, Google, Lyft, Spotify and Uber.
Bill aims to increase transparency and ensure a private right of action
Another notable provision of the NYPA would allow individual consumers to sue companies for violating their data privacy rights, rather than only as part of a class-action lawsuit—something that was included in the original draft of the CCPA, but which lawmakers narrowed to apply only to security breaches in the version that passed into law.
Any form of private right of action is generally opposed by industry advocates “because they fear an onslaught of expensive litigation led by active plaintiff class-action attorneys,” Noordyke said. “At the least, they prefer to limit the private right of action to security violations only—because then a business only faces the risk of an expensive class action in the event of a data breach.”
Privacy advocates, however, argue that state attorneys general “lack the resources to adequately enforce a comprehensive privacy law in a meaningful way,” Noordyke said. Essentially, the threat of all those lawsuits is one of the only things that will compel companies to comply.
Other New York privacy legislation is in the pipeline
Sen. Thomas refiled the bill in early January for the 2020 legislative session, which is now underway in Albany, but it’s unlikely that political will has mounted sufficiently since the last session to move the bill forward. (Sen. Thomas’s office declined to comment on the likelihood that the bill moves this time around.)
But while a comprehensive privacy law may not be imminent in New York, the NYPA may be used as a blueprint for legislation in other states.
And there has been some momentum on other privacy statutes in the state. New York has passed smaller bills that address narrower aspects of consumer data protection, indicating an appetite for legislators in the state to take up privacy in a piecemeal manner.
For example, the “Stop Hacks and Improve Electronic Data Security” Act, known as the SHIELD Act, was signed into law in July 2019. The law, which was partially enacted in October 2019 and will be fully in effect in March, requires companies to put up “reasonable safeguards” against data breaches that put clients’ or employees’ personal or private information at risk.
It also expands the definition of personal or private information beyond just name and Social Security number to include credit card information, biometric information or account login information. (While provisions governing data breach notification requirements went into effect in October 2019, data privacy requirements will be effective on March 21, 2020.)
Another bill that was filed this session, S224 by Sen. Brad Hoylman, was referred to the Senate committee on consumer protection in early January. The bill would require companies to provide the personal data that they’ve collected back to the consumer upon request, in addition to regularly notifying consumers regarding what kind of personal data is being collected. Companies would have to respond to at least one request from each consumer per year.
An initial iteration of this bill was filed in the 2013-2014 session, and some version of it has been filed in every session since, though it’s never made it out of committee.