The New York Senate recently took up a paradigm-shifting data privacy bill intended to expand New Yorkers’ rights to control how companies use their personal data, and to force tech companies to make fundamental changes to the way they do business with the state’s residents.
The legislation, called the New York Privacy Act (“NYPA”), follows similar efforts in a number of state legislatures across the country, including the California Consumer Privacy Act of 2018 (“CCPA”). The bill mirrors the CCPA in many ways; however, in certain key respects it departs from the California model. Most notably, perhaps, the NYPA would establish a general principle that, beyond the bill’s particular prohibitions, companies must elevate the interests of their consumers over their shareholders and not utilize consumer data in ways that might be harmful or that would be unanticipated and “offensive” – even if the consumer has consented to the use. It also would deputize the public to help enforce its provisions.
The rights that the NYPA would extend to consumers include:
- Access: The law would provide consumers the right to know what information companies have or are collecting about them and with whom they are sharing it.
- Correction and Deletion: Consumers could request that a company correct their personal data if inaccurate, or even delete it.
- Affirmative Consent: Rather than providing consumers the right to opt out of the sale of their personal data to third parties, a right provided by the CCPA, the bill would require businesses to obtain consumers’ affirmative consent. This opt-in requirement would not just apply to the sale of data, but to any use or processing.
- Transparency: The NYPA would require companies to provide notice to consumers about their rights and to make consumers’ personal data available to them in a reasonably accessible form.
- Data breaches: The bill also seeks to protect consumers from data breaches. It would require companies to “reasonably secure” consumers’ data from unauthorized access and notify them when a breach occurs.
Like the CCPA and other privacy laws, the bill excludes de-identified data from its restrictions.
The NYPA would apply to any business, regardless of size, that conducts business in New York or counts residents of the state among its customers. That exceeds the scope of entities covered under the CCPA, which exempts certain small businesses and businesses that process limited amounts of data. It would apply to social media companies and other businesses that traffic in personal data, unlike the recently passed Maine internet privacy law, which only applies to internet service providers. Data held by state and local governments, maintained for employment purposes, or controlled by the federal statutes HIPAA, HITECH, or Gramm-Leach-Bliley, would be exempt.
Private Right of Action
Controversially, the NYPA would provide consumers with a private right of action, essentially granting individuals the right to sue businesses directly for violating the NYPA. The CCPA, for example, provides a private right of action only for violations of its data breach provisions; for violations of its provisions relating to data collection and processing, only the Attorney General can bring enforcement actions.
The NYPA private right of action provision may be designed to address the types of constraints on state resources that lead to under-enforcement, but tech companies fear that it will lead to a wave of litigation, as has a similar provision in Illinois’ Biometric Information Privacy Act (BIPA). In May, opponents defeated a proposed amendment to the CCPA that would have added a broader private right of action.
“Data Fiduciary” Principle
The NYPA includes a notable legal innovation: it creates a fiduciary duty of companies toward consumers whose data they hold, and obligates companies to put their consumers’ privacy before the interests of their shareholders or profits. Specifically, the NYPA prohibits companies from using consumer data in a way that causes consumers financial or physical harm, or that is “unexpected and highly offensive to the reasonable consumer.” By classifying companies that transact in consumers’ personal data as fiduciaries of consumers, the law would complicate longstanding legal principles that require companies to maximize value for their shareholders.
This provision is revolutionary in another respect: it establishes a baseline beyond the bill’s specific prohibitions that in itself could create a basis for a finding of violation. Companies will be obligated not only to abide by the particular requirements of the law; they will be required to consider whether a proposed use nonetheless might cause consumers “harm” or be “unexpected and highly offensive.” Put another way, a company cannot use data in a harmful, “unexpected” or “highly offensive” manner even if the consumer has consented to the use.
The NYPA must navigate a fraught path to enactment as its proponents seek to guide it to the Governor’s desk in Albany, and, given the controversy, is almost certain to undergo revision. If the bill’s most consequential provisions become law, it will contribute to a growing patchwork of state data privacy laws with which industry groups say it will be difficult for businesses to comply.
Ultimately, this and other state efforts may add to the slowly gathering momentum for Congress to consider its own data privacy legislation, which could preempt the various state laws and create uniform national data privacy standards. That said, in our view, a divided Congress and polarized political environment continue to make any meaningful federal data privacy reform improbable.
*Jeremy is a law student and summer associate in Paul Hastings’ Washington, DC, office.