If you thought the California Consumer Privacy Act (CCPA) was strict privacy legislation, you would be correct. However, on the opposite end of the USA, an even more strict law was proposed a couple of months ago. That law is the New York Privacy Act, or NYPA (not to be confused with the New York Power Authority!).
The CCPA would most likely come into effect in 2020 and it’s unclear what the final law would look like. Whatever it may be, though, it’s the first state law of the kind designed to give consumers back the control over their data. The NYPA, while somewhat mirroring its Californian counterpart, goes even further, reminiscent of the European GDPR I recently wrote about.
The justification for the NYPA Bill provided by the authors relates to social media usage. It was found that 69% of Americans used a social media platform in 2018 for communication, following the news and engaging with social and political organizations.
Many of those users, however, reported concerns related to how their data was being handled. And judging by the number of news stories about the mishandling of personal data by Facebook etc., those concerns are more than justified, especially when it comes to selling the data to third parties like advertisers. The Bill purports to fill the void of privacy regulations and address these concerns.
What does NYPA entail?
Introduced in May 2019 by the New York Senator Kevin Thomas, the New York Privacy Act, or Bill S.5642, is currently under review by the Senate’s Consumer Protection Committee. The NYPA would “require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared”.
In its essence, the NYPA requires businesses to follow the “privacy before profits” approach. This is done via a concept known as the “data fiduciary”.
A fiduciary duty is the highest standard of care imposed by law. So, under the NYPA, businesses would have fiduciary duties to their consumers in terms of their data. The NYPA provides that within this fiduciary duty, legal entities shall not use, process, or transfer to a third party a data subject’s personal data without their express and documented consent. Each legal entity and their affiliates collecting, selling or licensing personal data shall be bound by the fiduciary duty.
That means that they won’t be allowed to use the data in any way that’s harmful to the data subjects, and that harm could have been reasonably foreseen. That implies imposing safeguards on the data to ensure its security and notify the customer promptly about any breach. Even a company’s responsibilities to its shareholders are trumped by the personal data fiduciary duty.
The NYPA also provides a wide framework of privacy risks from which companies are obliged to protect consumers. These include, but aren’t limited to, financial losses (direct AND indirect), physical and psychological harm, significant inconvenience, adverse consequences related to legal benefits of a data subject, reputational harm, and price discrimination.
Under the NYPA, any resident of New York State “injured by reason of a violation” of the Act would have the right to file a lawsuit against the offending legal entity. This is a major departure from the law’s European and Californian counterparts – under the GDPR and the CCPA, the action is taken by data protection authorities and the Attorney General respectively, and not the data subjects themselves. And unlike the CCPA, there’s no requirement for a company to have specific revenue benchmarks to fall under the NYPA.
How effective would NYPA be?
The legislation, if passed, would become effective six months after the enactment, which in theory gives businesses some room to take steps towards compliance. In practice, however, a lot of European companies had about two years to bring their activities in line with the GDPR, and here we are, one year on, and that did not happen in many cases, despite the hefty fines. So it doesn’t seem as though the term of six months is sufficient, especially given the wide jurisdictional scope of the NYPA.
That being said, the GDPR has sparked unprecedented levels of consumer awareness of privacy and data protection in the EU. And judging by the amount of data breach notifications issued (almost 90 000!), the efforts of the legislators haven’t been in vain.
Consumer awareness of privacy is very important, especially given the large extent to which the issues of privacy and cybersecurity are discussed today. However, one of the GDPR’s problems is that it’s not especially “user-friendly” – and that applies to both companies and consumers. The NYPA appears to have the same problem. Whilst the concept of “privacy before profits” might seem clear to some of us, the majority of the population would be unlikely to have a clear idea of what that actually entails in practice.
Moreover, the NYPA’s jurisdictional scope appears to be just extra-territorial as the GDPR’s, and no less clear. It’s defined in the Bill as application to “legal entities that conduct business in New York State or produce product or services intentionally targeted to residents in New York State”. The primary question I and many others have is what is meant by “intentionally targeted”. Not many businesses would have a “we sell to New York residents” clause contained somewhere in their Ts and Cs.
The privacy risks listed in the NYPA are very broad. On the one hand, it’s commendable to see that the legislators are finally recognizing the significance of harm to mental health and how it can affect a person and are addressing it as a serious consequence of the same level as physical harm. This could have a very positive impact on organizations’ attitudes towards mental health which is very much needed.
On the other hand, however, organizations would be obliged to take measures to exercise their fiduciary duty with respect to securing the consumers’ data against all of those privacy risks, some of which many businesses have never had to take into account before. Their compliance and legal departments would have to figure out by themselves the best ways to mitigate these risks, which could prove very difficult due to their novelty, as well as the NYPA’s extraterritorial application.
If a European company, for instance, sells goods or services to New York, they might be aware, to an extent, of some American consumer regulation, but the NYPA would be a brand-new issue to contend with. Also, many European companies have clauses in their contracts that exclude consequential and indirect damages from their liabilities. The NYPA does the opposite with direct and indirect financial losses being posed as privacy risks.
There are many examples of the kind, for European and American companies alike. Similarly to the GDPR, the NYPA would most likely cause a lot of confusion amongst these businesses.
Hopefully, therefore, the American legislators would issue some kind of guidance materials elaborating on the specifics on the NYPA once it comes into force, like the ICO and other data protection authorities have done in the EU.
It’s not surprising that the NYPA is already facing a lot of challenges from tech companies. Since they make a lot of money from selling the users’ behavioral information (“likes”, location data, etc.), it would be quite tricky for them to comply with the fiduciary requirement to only use data for the purposes for which it was collected.
Under the NYPA, for instance, Facebook would’ve faced consequences far more adverse than it had had for their discriminatory housing ads since it would’ve likely been found to have caused both direct and indirect financial and psychological harm to many social groups that didn’t see the relevant ads. The NYPA would’ve given these groups a chance to sue Facebook directly.
It’s understandable, though, that two of the most densely populated American states are pushing for such strict privacy regulations. And that’s a big reason for tech companies’ opposition to them. Should Facebook be forced to shut down in New York, it’d lose a big market.
And should the NYPA’s ripple effect amongst other states be as strong as they fear, perhaps the tech giants would finally take care of their data protection issues in favor of consumers. And maybe the USA would, by that time, have a relevant federal regulation in place.