The New Tough Kid on the Block
In just 145 days the California Consumer Privacy Act (CCPA) will come into effect.
Based on, or at least heavily influenced by, Europe's General Data Protection Regulation (GDPR), the CCPA is the first state law of its kind to give California residents control over their personal data. The legislation is in its final stages of amendment before it takes effect on January 1, 2020.
However, the CCPA may not remain the toughest state-level privacy law, whatever its supporters claim…
On the other side of the U.S. there's a new kid on the block.
The New York Privacy Act (NYPA) is being heralded as an even stricter piece of privacy legislation, one that goes considerably further than the CCPA.
New York's privacy bill echoes many of the protections included in the CCPA, such as disclosing to consumers what data is held on them and who else has access to it. New Yorkers would also be able to request correction or deletion of their data, and to refuse the sale or sharing of their data with third parties.
But that's where any further similarity with California's law ends.
The CCPA is enforced almost entirely by California's attorney general; consumers get only a narrow private right of action, limited to certain data breaches caused by a business's failure to maintain reasonable security. The NYPA, by contrast, would allow New Yorkers to bring civil lawsuits directly for any violation of the Act. This could lead to large numbers of businesses being sued by New York residents.
In California, lobbying groups fiercely opposed a broad private right of action and succeeded in confining it to data-breach claims. And while the CCPA applies only to businesses above certain thresholds (for example, more than $25 million in annual gross revenue), the NYPA applies to businesses of all sizes.
The main justification offered for the NYPA concerns the use of social media. A 2018 survey found that 69 percent of Americans use social media platforms, relying on them for communication and news as well as for engaging with political and social groups.
Many of those users reported concerns about how their data was being handled, and those concerns were justified by a steady stream of news stories about the mishandling of personal data and data breaches involving big tech firms such as Facebook, Google and Yahoo, not to mention major banks like HSBC and Capital One.
New York's tough new privacy law
The New York Privacy Act (Bill S.5642) was introduced by Senator Kevin Thomas just two months ago, in May 2019. The bill is currently before the Senate's Consumer Protection Committee.
According to the statute, the NYPA would:
require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
New York's privacy law, if passed, would require businesses to adopt a "privacy before profits" approach, achieved through a concept commonly known as the "information fiduciary".
In simple terms, companies would be expected to act in the best interests of their customers, even where those interests conflict with the interests of the business. They would also owe a duty of care, that is, to act in the manner a reasonable customer would expect under the circumstances.
So, when a consumer provides personal information to an online company in order to obtain a service, that company owes a fiduciary duty of loyalty and care in the way it uses the consumer's information. This duty supplements, rather than replaces, the other privacy protections in the bill.
The NYPA provides that within this fiduciary duty, legal entities shall not use, process, or transfer to a third party a data subject’s personal data without their express and documented consent. Each legal entity and their affiliates collecting, selling or licensing personal data shall be bound by the fiduciary duty.
In practice, this means a company cannot use a consumer's (data subject's) personal data in any way that is harmful to the consumer where such harm was reasonably foreseeable. It follows that companies have a duty to implement appropriate safeguards to protect personal data, and to notify consumers promptly in the event of a data breach.
The Act also enumerates a wide range of privacy risks from which businesses are obliged to protect consumers. These include:
financial losses (direct and indirect);
physical and psychological harm;
adverse consequences for a data subject's legal rights or benefits;
reputational harm; and
The statute states that any New York State resident "injured by reason of a violation" of the Act would have the right to file a lawsuit against the offending company. This is far broader than the CCPA, where consumers can sue only over certain data breaches and everything else is left to the Attorney General, and it goes beyond the regulator-led enforcement model of the GDPR, under which each member state's supervisory authority (the ICO in the UK) handles enforcement, although data subjects there do retain a right to seek a judicial remedy and compensation.
Challenges and expectations
The volume of news and discussion around data protection and consumer privacy has done much to raise awareness of why privacy matters. However, achieving compliance with the NYPA is likely to be as big a challenge as the one European businesses faced with the GDPR. And while the concept of "privacy before profits" might appear straightforward to some, most businesses are unlikely to have much idea of what it means in practice.
So, it’s just as well that a six-month period of grace will apply, allowing covered businesses to get their houses in order before the new law comes into effect.
The jurisdictional scope of the NYPA has been described as "just as extra-territorial as the GDPR". The bill applies to "legal entities that conduct business in New York State or produce product or services intentionally targeted to residents in New York State".
But what exactly do the lawmakers mean by "intentionally targeted"? There are plenty of other definitions that will require clarification by data privacy practitioners and company attorneys.
Just like the CCPA, the described definitions and privacy risks contained within the NYPA are very broad. This will likely cause some consternation on the part of businesses looking to achieve a high degree of compliance by the due date.
So, while businesses will have an obligation to implement appropriate measures to exercise their fiduciary duty and protect consumers' data against these myriad privacy risks, many are likely to struggle without expert guidance.
Otherwise, those who wear the badge of Data Protection Officer (DPO) will have the unenviable task of working out the best ways to mitigate such risks by themselves.