Just as legal experts have been predicting for nearly a year, individual U.S. states are starting to develop their own privacy legislation similar in form and content to the California Consumer Privacy Act (CCPA). The first state to follow the lead of California is New York State, which has proposed new privacy legislation (NY Senate Bill 224) that would be considerably tougher than California’s bill. The New York Privacy Act is still looking for a sponsor in the state assembly, but New York legislators are confident that the new legislation will be passed by the end of the summer.
Until lawmakers in Washington, D.C. act to introduce sweeping federal legislation on privacy, the United States could be headed for a “50-state solution” to privacy that would be complex, onerous and confusing for any company trying to remain in compliance on a nationwide basis. A patchwork system of state-by-state privacy legislation would require companies to be much more careful and cautious in order to avoid running afoul of any state laws. Law experts are now calling New York State “the next battleground in the fight for state privacy laws.”
Terms of the New York Privacy Act
While there could be some changes to the New York Privacy Act between now and its final passage later this year, it largely resembles the existing CCPA. Similar to the California Consumer Privacy Act, the new legislation would give state residents much more control over their personal data. For example, the New York Privacy Act allows New Yorkers to find out what data is collected on them and with whom the data is being shared. State residents will also gain the right to request that any personal data be corrected or deleted, and to ask that companies not share that data with, or sell it to, any third parties. Companies would need to respond to general information requests within 30 days, and provide customers a 12-month “look back period.”
This empowering of everyday citizens largely follows the spirit of the European General Data Protection Regulation (GDPR), which in turn provided the basis for the California Consumer Privacy Act. It also follows the logic of other data breach notification laws around the world, in which companies must take a much more proactive role when it comes to protecting citizens from the harmful implications of data breaches.
However, there are several notable differences between the New York Privacy Act and the CCPA. For example, the New York Privacy Act gives New Yorkers the right to sue companies directly, without waiting for the State Attorney General to take action on their behalf. This so-called “private right of action” is typically a non-starter when it comes to hammering out a privacy solution with the nation’s largest tech companies. For example, consider that nearly 10 million people live in New York City. That means, under the terms of the New York Privacy Act, a tech giant like Facebook or Google might face tens of thousands of lawsuits, if not more, simply from New Yorkers in Manhattan who feel that their privacy rights may have been violated.
Another notable – and more stringent – difference between the New York Privacy Act and the CCPA is the fact that the New York privacy legislation does not impose any minimum size on the companies that would be covered by the new sweeping legislation. California, by way of contrast, says that companies must have at least $25 million in gross annual revenue in order to fall within the purview of the CCPA. In New York State, a small social media startup with just a few employees and zero revenue would also be expected to follow the full scope and spirit of the New York Privacy Act.
Perhaps one of the thorniest issues raised by the New York Privacy Act relates to the legal notion of “data fiduciaries.” Under the current interpretation of the New York Privacy Act, businesses must act as “data fiduciaries” when interacting with state residents. As such, they would be expected to act much more like attorneys or doctors, who must adhere to very stringent guidelines when it comes to protecting the privacy of citizens. A doctor is not allowed to monetize health information about patients (e.g. selling that data to big pharmaceutical companies), and an attorney must abide by strict attorney-client privilege when discussing the details of any case. The big question is whether large tech companies like Facebook and Google – which have constructed very profitable business models around the idea of trading in personal data – would ever be able to transform into data fiduciaries.
Reaction to the New York Privacy Act
As might be expected, reaction to the forthcoming New York Privacy Act was mixed. Many privacy advocates praised the bill, calling it a great example of what states should be doing to protect the data rights of their citizens. In the absence of any federal privacy legislation, it is states like California and New York that are setting the example for what other states must do.
However, tech companies – at least, indirectly – were much more negative about the new legislation. The Internet Association, which represents some of the biggest names within the tech industry, has called the New York Privacy Act “unworkable,” and rumors are already circulating that Facebook has threatened to stop doing business in New York State if the New York Privacy Act passes in its current form.
Next steps towards federal privacy legislation
The notion of “data fiduciaries,” which is a new favorite topic of privacy advocates, is likely to cause the most consternation in Corporate America. Companies are currently required to maximize the interests of shareholders, not to protect the personal data of customers, clients, partners and vendors. So, a shift to a data fiduciary model would do more than just shake up the world of online privacy – it also has the potential to lead to Supreme Court cases challenging the very fundamentals of American-style capitalism. Another big sticking point will be which entity (or government agencies) should be primarily responsible for consumer protection. Should it be the Federal Trade Commission (FTC) at the federal level, for example?
The good news for privacy advocates is that the right to data privacy is now becoming legally enforceable. In California, it is the state Attorney General who can bring legal actions against tech giants, while in New York State, it is individual citizens themselves, via a private right of action made possible by the New York Privacy Act. For the likes of Facebook and Google, which are eager to avoid a massive legal nightmare and tens of millions of dollars in fines and penalties, the impetus will now be to throw their collective weight behind a watered-down federal privacy bill.