In May, New York State Senator Kevin Thomas introduced S. 5642, the New York Privacy Act, a piece of data privacy legislation that significantly departs from recent attempts to strengthen user privacy such as the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). The most novel and controversial aspects of the bill include the obligation of data fiduciary, and the ability for any New York resident “injured by reason of a violation” of the bill to file a lawsuit against the offending company. Meanwhile, the prospect of two populous states each enforcing strict and varying privacy laws sets the tone for ongoing efforts in Congress to draft a standard federal privacy regime.
Former Senior Research Analyst, Center for Technology Innovation - The Brookings Institution
Raj Karan Gambhir
Research Intern - Center for Technology Innovation
The New York Privacy Act builds upon a fundamental aim first elaborated by GDPR and expanded on by CCPA: giving consumers greater control over the data that companies collect. GDPR pursues this aim by mandating that companies allow users to access data about them and solicit user consent for data collection activities, with hefty fines for violators. One of the most significant aspects of GDPR is that the law applies to corporations handling the data of EU citizens regardless of where the business is located, effectively giving the law international reach. Under CCPA, entities must meet a certain revenue threshold to be under its jurisdiction, while GDPR applies to “‘controllers’ and ‘processors’ of data,” a grouping that includes a much larger collection of organizations.
How the New York bill differs from its predecessors
Following the model of both GDPR and CCPA, the New York bill would grant state residents greater ability to access the information that companies collect on them and the power to ask that their data be corrected, deleted, or kept from third-party entities. Like GDPR, the New York Privacy Act would reach most online companies in that the bill applies to any entity that holds the “sensitive data [of] New York residents.” Unlike CCPA, there are no revenue requirements below which the New York Privacy Act does not apply. In the words of its sponsor, the aim of the bill is to “capture as many businesses as possible.”
Despite these similarities, some analysts have argued that the data fiduciary clause and the power the bill gives to citizens to personally sue offenders make this bill stricter than its predecessors. Under a concept first elaborated by Jack Balkin and Jonathan Zittrain in 2016, entities held to the standard of data fiduciary are expected to “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker.” Significantly, the responsibility of data fiduciary supersedes “any duty owed to owners or shareholders.” The second major departure from past privacy legislation is that the New York Privacy Act allows for a “private right of action,” permitting individuals to personally sue offending entities rather than leaving enforcement to the attorney general, as is the case in California.
These novel concepts are facing opposition from technologists and academics alike. Antitrust scholar Lina Khan published a study questioning the efficacy of a data fiduciary model, claiming that “as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders).” Under the New York Privacy Act, entities shirking the responsibility of data fiduciary may be subject to a number of lawsuits privately brought forth by each individual whose data privacy was violated.
Implications for the future of data privacy in America
With the imminent possibility of states representing over 20% of the U.S. economy and over 18% of the nation’s population enforcing strict and distinct privacy laws, major technology companies are now seeking out the regulation that they once balked at. But even as the introduction of each new state law deepens the need for a federal standard, a proliferation of state laws could prolong the debate over national regulation. Each novel protection enumerated by states changes the policy landscape for federal lawmakers deciding whether national regulation should curtail, match, or extend state protections.
Even at this early stage of state-by-state data privacy law enactment, proposed federal legislation runs the gamut from less stringent proposals which would override the CCPA, such as that of Sen. Marco Rubio (R-FL), to proposals that would not preempt state legislation, such as that of Sen. Catherine Cortez Masto (D-NV), to proposals that go further than the New York Privacy Act, such as that of Senator Ed Markey (D-MA). As the debate over a federal data privacy regime proceeds, proposals like the New York Privacy Act will both spur lawmakers to act and forestall their ability to come to a clear consensus in the near future.