Inside the proposed New York Privacy Act
New York promises to change the privacy landscape with its proposed bill, increasing consumer protections as well as compliance burdens on companies.
Step aside, California.
The proposed New York Privacy Act (NYPA), if enacted in its current form, will be even more expansive than California’s Consumer Privacy Act (CCPA), providing consumers with even greater control over their personal information, while at the same time being much more demanding for businesses to comply with.
The bill was expected to be voted on this legislative term. Still, due to the shift in priorities for the Legislature as a result of the 2019 coronavirus pandemic, it was set aside. However, the pandemic has also brought to the surface privacy issues in the public health arena, with emerging fears that the protection of individuals’ private data lags behind the use of technology. This may revive efforts to enact privacy laws at the state level or a federal privacy law that may preempt state laws.
Indeed, several federal privacy bills are already under consideration, such as the Consumer Online Privacy Rights Act and the United States Consumer Data Privacy Act. As such, privacy regulation in the United States remains unsettled, but the next year may bring marked changes.
Data privacy laws in N.Y. at present
New York has had in place some form of a data breach notification law since 2005. The New York State Information Security Breach and Notification Act, enacted on December 7, 2005, required state entities and persons conducting business who own or license data that includes the private information of New York residents to inform residents, as well as credit reporting agencies, if a breach occurred that compromised such personal information.
In the last few years, however, amidst the European Union’s passage of the General Data Protection Regulation 2016/679 (GDPR), as well as the CCPA, the New York Legislature has begun contemplating expanding the cybersecurity legislation and enacting additional privacy protections for its own residents.
Some of this legislation has been successfully passed.
For example, in the 2018-2019 session, the Legislature passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which broadened the scope of the data breach notification law, including by expanding the definition of a data breach, the scope of the information covered by the law, and the data security measures that would be required to protect information to be commensurate with the size of the entity.
Alongside the revised SHIELD Act, Senator Kevin Thomas also introduced the NYPA during the 2018-2019 legislative term and reintroduced the bill in the 2019-2020 term. The NYPA follows in the footsteps of other recent privacy regulations, notably the GDPR and the CCPA, but it is even more imposing than those regulations. For example, the NYPA establishes a fiduciary obligation on all controllers of (i.e., businesses that have) personal data and requires an “opt-in” consent process.
As such, this law has proven more controversial and has not yet passed. In May 2019, the NYPA was referred to the Consumer Protection Committee of the New York State Senate, and on June 4, 2019, the Committee on Consumer Protection and Committee on Internet and Technology held a Joint Public Hearing on proposed privacy and cybersecurity legislation, including the NYPA.
Concerns over the NYPA
At the hearing, a number of panelists raised issues with the NYPA in its current form, including the burdens that would be imposed on businesses. Indeed, as discussed further below, the requirements that businesses must serve as “data fiduciaries” to consumers and that consumers must opt in for entities to be able to collect, use, and sell their data are more burdensome than the CCPA, and the creation of a private right of action by consumers to sue entities for non-compliance with such provisions will expose businesses in New York to greater liability.
The New York State Senate held another public hearing on privacy legislation on November 22, 2019, in New York City. Business and technology groups raised concerns about the development of a patchwork of state privacy regulations and advocated for a uniform federal standard. They also raised concerns about the expense associated with compliance and continued to push back against the creation of a private right of action.
Consumer advocacy groups generally lauded the state Legislature’s efforts and provided specific commentary on proposed definitions or specific aspects of the regulation, such as addressing the secondary use of personal data, enhancing protections against discrimination, or clarifying certain definitions.
Provisions proposed to the NYPA
Although the bill may still be revised before it is introduced in the next legislative term, and again at multiple points before it is ultimately voted on by members of the New York State Legislature (it would become effective six months after passing), a summary and analysis of the noteworthy aspects of the current draft bill are provided below to help understand the provisions at play.
No minimum threshold on covered entities. The NYPA is broader than the CCPA in not having a minimum revenue or consumer threshold; it would impact all entities “that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state.” Some opponents of the NYPA have argued that the compliance costs associated with the NYPA will stifle business, especially start-ups and small businesses.
Broad definition of personal data. The NYPA applies to any “information relating to an identified or identifiable natural person,” and includes but is not limited to identifiers such as real name, gender identity, alias, signature, email address, employment history, financial information, commercial information such as income and assets, biometric information, internet activity information, geolocation data, education records, political information, and protected class characteristics such as religion, age, race, and national origin. This definition of “personal data” has been criticized by opponents of the NYPA as very broad.
It has also been criticized by certain consumer groups, who advocate for a narrower definition of “de-identified” data, such that the definition would only exempt personal data that “companies believe in good faith … could not be reassociated with unique individuals.”
Fiduciary obligation. The NYPA imposes a fiduciary duty on controllers, data brokers, and every entity (or affiliate of any entity) that “collects, sells or licenses personal information of consumers.” The NYPA defines “controller” as someone who “determines the purposes and means of the processing of personal data” and “data broker” as a business that “earns its primary revenue from supplying data or inferences about people gathered mainly from sources other than the data sources themselves.”
These entities must “exercise the duty of care, loyalty, and confidentiality expected of a fiduciary concerning securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker.”
The fiduciary obligation is imposed regardless of any consent provided by a consumer. The seriousness of this obligation is highlighted by the requirement that the fiduciary duty owed to a consumer under this regulation “shall supersede any duty owed to owners or shareholders of a legal entity or affiliate thereof, controller or data broker.”
For example, the NYPA states that entities that possess personal data may not use that data in a way that “will benefit the online service provider to the detriment of an end-user.”
Furthermore, any entity subject to these regulations may not disclose, sell or share personal data with any other person or entity, unless that other person or entity assumes the same fiduciary obligations. This fiduciary obligation is a novel concept in the privacy regulation sphere and may put officers and directors, who owe a duty to shareholders as well as, if the NYPA is enacted in its current form, a duty to consumers, into an untenable position of having to breach their duty to one of these two groups.
Opt-in requirement. Unlike the CCPA, which gives consumers the right to “opt-out” from the sale of their personal data, the NYPA requires consumers to “opt-in” for the use of their personal data, and not just with respect to selling and sharing personal data, but even in the collection and processing of it. The “opt-in” process requires the consumer to make—and the company to record—“a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the agreement to the processing of personal data relating to the consumer.”
However, certain language elsewhere in the statute suggests that New York’s opt-in framework will effectively operate in a manner similar to that of opt-out regimes. Even so, the distinction between an “opt-in” and an “opt-out” framework may create additional hurdles for companies depending on the documentation requirements imposed on businesses. This requirement can also more significantly disadvantage start-ups and small businesses that rely on the use of personal data for advertising and sales and are not as well-equipped to maintain records of consent.
Private Right of Action. In addition to permitting the attorney general to bring an action in the name of the state or on behalf of residents, the NYPA creates a private right of action for consumers who were injured by reason of a violation of the NYPA to pursue civil remedies. Unlike the CCPA, which allows for the recovery of statutory damages or actual damages, whichever are greater, the NYPA limits recovery for violations of the Act to injunctive relief and “actual damages.”
This may be one of the few ways in which the NYPA is less onerous than the CCPA, as actual damages may be difficult to prove with respect to a data breach. On the other hand, whereas the CCPA limits the private right of action to where an individual’s personal information was compromised in a data breach, the NYPA has no such restriction, stating that a right of action can be brought by “any person who has been injured by reason of a violation of this article.”
Thus, as long as actual damages can be proven, a private right of action can be brought for any violation of the Act. This can range from violations for an entity’s sale of personal data without obtaining a consumer’s consent to an entity’s failure to provide a transparent notice to a consumer containing all the information required by the NYPA.
Furthermore, while the CCPA restricts the private right of action to only certain personal information (namely, an individual’s name, social security number, identification card number, credit or debit card or account number with code or password, or medical or health insurance information), the NYPA has no such restriction and thus applies to all personal data as defined in the Act. In addition, a successful plaintiff may recover attorney fees.
Viola Trebicka is partner at Quinn Emanuel Urquhart & Sullivan. Serafina Concannon and Sophia Qasir are associates at the firm.