NY Privacy Act: If at first you don’t succeed…

In August of last year (2019) we posted an article concerning the New York Privacy Act (NYPA). At that time, New York’s bill was being heralded as an even stricter piece of privacy legislation than the California Consumer Privacy Act — a bigger, bolder version of the Golden State’s CCPA.

Unfortunately, a lack of support and a massive lobbying effort stopped it in its tracks.

The NYPA echoes many of the protections included in the CCPA, like disclosing to consumers what data is held on them, and who else has access to their data. New Yorkers would also be able to request correction or deletion of their data, as well as the right to refuse the sale or sharing of their data with third parties.

The bill, which was introduced in May 2019 by New York state senator Kevin Thomas, who is also Chairman of the Committee on Consumer Protection, would have granted NY residents greater control over their personal data than in any other US state. It would also have required covered businesses to put their customers’ privacy first — instead of their own profits.

Unlike California’s CCPA, the NYPA applied to not-for-profit organizations as well as profit-making businesses. It also included a private right of action for data breaches of $10,000 per consumer.

But sadly for those who supported the bill, it failed to pass, some say because of the highly prescriptive nature of the law, plus the potential impact on small-and-medium (SME) businesses — though such reasons remain purely speculative.

Data Fiduciaries

According to the Electronic Frontier Foundation — a leading nonprofit organization that defends digital privacy, free speech, and innovation — New York’s legislation would have designated businesses that collect consumers’ personal information as “information fiduciaries”, which would involve imposing a “duty to exercise loyalty and care”. Such businesses would be required to inform consumers of:

  • what information is collected;

  • the purpose of that collection; and

  • with whom their information was shared.

The idea of “data fiduciary” is not an entirely new concept, but is based on laws such as the Health Insurance Portability and Accountability Act — more commonly known as HIPAA — which prohibits the transfer of patients’ personal data between health care providers.

While HIPAA didn’t exactly speed up the data transfer processes, due to the requirement for consent forms to be signed prior to the transfer of records, the law did increase patients’ confidence and trust in their health care providers.

According to the New York Civil Liberties Union, the whole point of data fiduciaries is to ensure that the same level of care is applied to the personal information collected by tech companies.

Instead of simply requiring businesses to obtain proper consent before they share consumers’ personal data, they would be prohibited from any kind of processing of that data which could potentially cause harm to the consumer.

Like many other aspects of privacy legislation, the implementation of a data fiduciaries provision prompts many ‘workability’ questions for affected businesses. The data fiduciary concept creates an entirely different framework compared to that of the EU’s GDPR or California’s CCPA, neither of which includes a data fiduciary provision. Indeed, some critics have said such a provision would add a significant level of complexity to compliance.


Last November, New York state senators expressed their impatience and frustration with Congress’ lack of haste in addressing the issue of data collection and privacy with New York state businesses. Legislators began advocating for more legislation that would restrict how businesses would use and share consumer data. A 5-hour committee hearing was convened, where the Senate’s standing committees on Consumer Protection and Internet and Technology heard from 11 panels of witnesses, including representatives from business groups, consumer advocates, and state government officials.

During the hearing, several industry advocates testified against New York’s legislation. These included the Retail Council for New York State, the Business Council of New York State, Google, TechNet, Tech NYC, and the Internet Association — representing major tech companies such as Amazon, Facebook, eBay, Spotify and Uber.

An Axe to Grind?

While we’re on the subject of intervention by industry groups, it’s hard to deny that pretty much any form of private right of action is bound to provide industry advocates with an axe to grind, which is precisely why the NYPA’s private right of action provision got the ‘thumbs-down’ from industry advocates.

The NYPA would effectively allow an individual consumer to sue a company for violation of their data privacy rights, rather than only as part of a class-action suit.

Nitch Noordyke, an intellectual property lawyer and former Westin Fellow at the International Association of Privacy Professionals, commented that any form of private right of action is generally opposed by industry advocates:

because they fear an onslaught of expensive litigation led by active plaintiff class-action attorneys, … At the least, they prefer to limit the private right of action to security violations only — because then a business only faces the risk of an expensive class action in the event of a data breach.

Privacy advocates, however, argue that state attorneys general “lack the resources to adequately enforce a comprehensive privacy law in a meaningful way,” Noordyke added. Essentially, the threat of all those lawsuits is one of the only things that will compel companies to comply.

Meanwhile, discussions around privacy laws appear to be gaining renewed attention, following California’s successful implementation of the CCPA in January, as lawmakers are hard at work trying to build out far-reaching privacy laws for their own states — despite continued opposition from big tech corporations and industry groups.

Is your business based in New York state?

Share with us your opinions concerning the NYPA.