New York Privacy Bill: Bolder than CCPA?

It’s no secret that lobbying groups have been working overtime in their attempts to derail the California Consumer Privacy Act (CCPA) before it becomes law on January 1, 2020. It’s also widely known that some of these groups are lobbying on behalf of certain tech giants, who see the new privacy law as a threat to their data collection practices.

But here’s the thing. While the CCPA has, so far, been the leviathan of U.S. data privacy bills, another state is flexing bigger muscles with its own flavor of data privacy legislation.

Last month, the New York Privacy Act (NYPA) was announced by state senator Kevin Thomas. The bill looks set to give residents of the Empire State significantly greater control over their personal data than the protections offered by any other state. A co-sponsor for the bill is currently being sought in the state assembly. However, Senator Thomas believes he has majority support in the senate and is hoping the bill will be passed during the summer.

Ever since California passed the CCPA last year, industry lobbyists and consumer groups have been in dispute over its language. Countless businesses have complained that the CCPA is far too broad and that being expected to comply with a plethora of different state privacy laws is unreasonable and unworkable. Increasingly, companies that do business across the U.S. are indicating a preference for a nationwide privacy regulation at the federal level.

Going further than the CCPA

New York’s privacy bill echoes some of the protections in the CCPA, such as allowing consumers to see what data is being collected on them and who else has access to that data. They can also request correction or erasure, and they have the right to refuse to have their data sold or shared with third parties.

However, in its current draft, the NYPA goes further than the CCPA. While the enforcement of California’s law is purely down to the attorney general, the New York Act allows New Yorkers to bring civil lawsuits directly, in the event of privacy violations. This could potentially lead to large numbers of businesses being sued by New York residents.

In California, lobbying groups fiercely opposed the provision of a private right of action and successfully had it removed from the CCPA before it was finally enacted last year. And while the CCPA applies only to companies with a gross annual turnover of $25 million, the NYPA would apply to businesses of all sizes.

Just like the CCPA, New York’s draft is already being attacked by certain members of the technology sector. One particularly high-profile critic of the bill is John Olsen, of the Internet Association, who said:

The NY Privacy Act, in its current form, is unworkable for businesses that want to comply and fails to provide New York residents meaningful control over how their data is collected, used, and protected.

Interestingly, Olsen’s firm represents the interests of Google, Amazon, Facebook, and Microsoft.

Before introducing the New York bill, Sen. Thomas had a meeting with members of the Internet Association to hear what they liked and disliked about other consumer privacy regulations such as the CCPA and Europe’s General Data Protection Regulation (GDPR). However, despite industry opposition to several provisions in the NYPA, Thomas went ahead with the draft as written, which includes protections such as the private right of action and the requirement that businesses must obtain consumers’ positive consent before they process, share or sell their personal information, as per the GDPR.

Data Fiduciaries

Another strong protection of the New York bill would require businesses to act as “data fiduciaries.” The inclusion of this term basically means that companies would be legally barred from using personal data in ways that benefit their businesses to the detriment of consumers. The concept originated from Yale Law School professor Jack Balkin, a strong advocate of the idea, as an alternative solution to data privacy issues. Balkin and his coauthor, Harvard professor Jonathan Zittrain, wrote in The Atlantic:

To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law; one that clearly states the kinds of duties that online firms owe their end users and customers, …The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from.

Apparently, Thomas agreed with this sentiment when he said:

Fiduciaries, like an attorney or a doctor, hold onto your information. They don't share it, unless there is a need for the purpose for which they collected it, …That's not what's going on here with these data companies and these data brokers. They're sharing it, and we're getting targeted.

He elaborated by saying that it’s time businesses that collect people’s data start looking out for those people, not just their bottom lines. To this end, the New York bill would not only require that businesses "reasonably secure" users' data and inform them of data breaches (stipulations most tech giants are already on board with), but it would also prohibit them from using data in a way that causes users some sort of financial or physical harm or in a manner that would be "unexpected and highly offensive to a reasonable consumer."

The bill states that any entity the business shares or sells data with must assume these same duties, requiring companies to follow the often circuitous trail of data as it moves around the web. It also states that this duty supersedes businesses' other fiduciary duties to shareholders.

After the bill was introduced, Kia Floyd, one of Facebook's policy managers, met with Senator Thomas about the social media giant’s concerns about the data fiduciary requirements. "Facebook was basically like, 'We can't comply with this. We'd have to shut Facebook down in New York,'" Thomas recalled.

A spokesman for Facebook argued that this was an “inaccurate characterization of the meeting”, while conceding that Facebook has concerns about New York’s bill. Facebook is vehemently opposed to the inclusion of a private right of action and to what it says is some overly broad language regarding data fiduciaries, referring to a line in the bill stating that businesses would be required to "act in the best interests of the consumer." Facebook argues that different consumers have different interests when it comes to the use of their data. In a statement, Floyd said:

While the concept of the data fiduciary is certainly worth exploring further, we believe privacy legislation should provide consumers a clear set of rights that they can exercise, and this bill will need further work to do that.

It’s not just tech industry players that are scrutinizing the concept of data fiduciary. Lina Khan, of the House Subcommittee on Antitrust, Commercial, and Administrative Law, argues that it is incompatible with existing laws in Delaware, where countless tech firms are incorporated. The state already requires businesses to maximize returns for shareholders. "A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and fellow Columbia Law professor David Pozen wrote in March:

Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties [to end users] under the new body of law that Balkin proposes.

NYPA: The next battleground for state-level privacy regulation?

Meanwhile, the Data Care Act, a federal privacy bill introduced in the Senate late last year by Hawaii Democrat Brian Schatz, also included requirements for data fiduciaries. However, this act differs from the NYPA by leaving enforcement to the FTC and state attorneys general. Unsurprisingly, tech companies seem to prefer this approach. Also, it contains no rules regarding consent or other controls consumers should have concerning the ways in which their personal information is stored, shared, or sold.

It is pretty obvious that the tech industry's ultimate goal is to see privacy laws at a federal level, nullifying all of the state laws. Businesses have already made clear their view that complying with myriad rules is too huge a burden to bear. And this is considered to be the downside to the increasingly cogent bills introduced by California and New York.

Ashkan Soltani is a former chief technologist at the FTC, who assisted with the creation of the CCPA. Soltani commented that the more state laws differ from one another in terms of their definitions and requirements, the easier it becomes for business groups to convince Congress that compliance with state laws is an insurmountable obstacle. He added:

There's a number of companies and lobbying groups that have been pushing different states to come up with slightly different versions of privacy law, …The industry has a strategy to try to divide the states, so they can justify preemption.

Thomas hopes to pass the bill before the last session of the New York legislature, on June 19. A battle of wills is expected to ensue, with both the Internet Association and consumer advocacy groups like the New York Civil Liberties Union planning to testify at the hearing on Tuesday.

If the New York Privacy Act is passed, it is likely that it will follow in California’s footsteps and will see several amendments before it is finally made law. And, just like the CCPA, it will guarantee unprecedented data protections for the citizens of New York state.

Meanwhile, warriors of the tech industry will undoubtedly rearm themselves, in their relentless battle on Capitol Hill, to prevent state privacy laws from ever being enacted.

This article is provided for informational purposes only. The Data Privacy Group strongly recommends that you engage the services of an experienced data privacy practitioner when preparing for compliance with any data protection and privacy legislation.

Sources, credits & further reading: Wired