States scrutinize tech firms as federal privacy lags behind

Federal versus stateprivacy law.jpg

With no signs of a new federal law any time soon, despite successive hearings in Congress on the subject of consumer privacy, states across the U.S. are continuing to focus their own spotlight on the tech industry.

For example, New York is busily perfecting what is claimed to be the most stringent data privacy legislation in the U.S., going even than further than California's CCPA, to protect residents' personal information. And, Nevada is planing to enact its "Security and Privacy of Personal Information" law on October 1 this year.

Texas and Colorado are also among the growing numbers of states pushing hard to strengthen their protections of consumer privacy.

New York state has introduced Senate Bill (S5642) which includes tough new measures that would require companies to disclose the methods they use to:

  • de-identify personal information;

  • place special safeguards around data sharing and allow consumers to obtain the names of all entities with whom their information is shared, and;

  • create a special account to fund a new state office of privacy and data protection.

The Bill, entitled The NY Privacy Act, is currently in Committee. Sen. Kevin Thomas, Dem., who drafted the Bill said in a statement:

The legislation will improve transparency and strengthen protections over consumers’ personal data, ...Social media companies routinely capture users’ personal information, which can be shared or sold to external parties without the user’s consent. The NY Privacy Act would require social media companies to disclose their methods for gathering personal information and allow consumers to find out what companies have access to their personal data.

Thomas added; “In this technology-based world that we live in, consumers should have the right to know how their personal information is being used, ...These large social media platforms continue to compromise our personal data. The time has come for properly regulating Facebook and other social media sites.”

According to Mary Hildebrand of law firm Lowenstein Sandler, New York’s efforts are so important because it puts “more companies at issue since it includes far more companies under its jurisdiction. State law also allows private causes of action for violating the NY Privacy Act, although New York might make the individual litigant prove damages.” Hildebrand continued:

Companies seeking to comply will be confronted by complexity and entirely new (and ill-defined) concepts such as ‘data fiduciary’ and ‘privacy risk,’ ” she added. “The law is unclear, so it is harder to follow.

Furthermore, mergers and acquisitions involving the transfer of personal data of a New York state residents must have affirmative consent to the transfer from each NY resident before any such transfer is permitted.

Thomas also sponsored the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which the New York State Senate passed last week. It aims to “return control of personal data back to New Yorkers and require businesses to put customers’ privacy over profits.”

The SHIELD Act will:

  1. Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under HIPAA.

  2. Broaden the definition of a data breach to include unauthorized access to private information. It applies the notification requirement to any person or entity with the private information of a New York resident, not just to those that conduct business in New York State.

  3. Update the notification procedures companies and state entities must follow when there has been a breach of private information.

  4. Create reasonable data security requirements tailored to the size of a business and provides protection from liability for certain entities that take steps to verify their safeguarding of private information.

The Internet privacy legislation, which gained support from both sides of the house, and unanimous approval in the Maine Senate, prevents the use, sale, or distribution of a customer’s personal information by Internet service providers, without the express consent of the customer.

It also prohibits service providers from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount, if the customer does or does not consent to the use, disclosure, sale, or access of their personal information.

Sources & further reading: StateScoop, NY State Senate

Peter BornerComment