New York's Privacy Bill Is Even Bolder Than California's
As tech giants and lobbying groups race to defang California’s landmark consumer privacy law before it takes effect next year, lawmakers on the other side of the country are considering a bill that's even more drastic.
The New York Privacy Act, introduced last month by state senator Kevin Thomas, would give residents there more control over their data than in any other state. It would also require businesses to put their customers’ privacy before their own profits. The bill is still seeking a cosponsor in the state assembly, but Thomas says he is confident that he has majority support in the senate and hopes to pass the bill this summer. The Committee on Consumer Protection, which Thomas chairs, is scheduled to hold a hearing on the bill Tuesday.
With it, the Empire State is poised to become the next battleground in the fight for state privacy laws. California became the first state to pass such a law last year with the California Consumer Protection Act; industry groups and consumer advocates have been sparring over its language ever since. Businesses argue that the CCPA is overly broad and that complying with different laws in every state is unworkable, preferring instead a lighter-touch regulation at the federal level.
The New York Privacy Act bears some similarity to the California law. Like the CCPA, it would allow people to find out what data companies are collecting on them, see who they’re sharing that data with, request that it be corrected or deleted, and avoid having their data shared with or sold to third parties altogether.
But the New York bill, as it’s currently written, departs from the California model in significant ways. While the California law leaves enforcement to the state’s attorney general, the New York Privacy Act would give New Yorkers the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits. Industry groups vehemently opposed a similar provision—also known as a private right of action—in California, and they succeeded in driving it out of the bill when it was finally signed into law last year. And while California’s law applies only to businesses that make more than $25 million in annual gross revenue, the New York bill would apply to companies of any size.
The bill has already received praise from privacy advocates, including Mary Stone Ross, who helped write the California ballot initiative that formed the basis for the California Consumer Privacy Act.
"This on its own could spark change or at least fear," Ross says. "I'm sure the lobbyists of the big companies are freaking out right now."
Unsurprisingly, the draft is already facing staunch opposition from the tech industry. “The NY Privacy Act, in its current form, is unworkable for businesses that want to comply and fails to provide New York residents meaningful control over how their data is collected, used, and protected,” said John Olsen, a director for the Internet Association, which represents the likes of Facebook, Google, Amazon, and Microsoft.
Thomas met with the Internet Association before introducing his bill to hear what its members do and don't like about other privacy measures like the California law and the General Data Protection Act, which went into effect in Europe last year. Ultimately, however, the bill Thomas introduced still includes several line items that the industry opposes, like the private right of action and a requirement—similar to the GDPR—that companies obtain consumers’ affirmative consent before they process, share, or sell data.
Most notably, the New York bill would also require businesses to act as so-called “data fiduciaries,” an emerging idea in privacy circles that would legally bar businesses from using data in a way that benefits their companies to the detriment of their users. The concept, alternately known as an "information fiduciary," was coined by Yale Law School professor Jack Balkin, who has been promoting the idea since 2014 as one solution to data privacy issues. "To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law—one that clearly states the kinds of duties that online firms owe their end users and customers," Balkin and his coauthor, Harvard professor Jonathan Zittrain, wrote in The Atlantic. "The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from."
State Senator Thomas agrees. “Fiduciaries, like an attorney or a doctor, hold onto your information. They don't share it, unless there is a need for the purpose for which they collected it,” he says. “That's not what's going on here with these data companies and these data brokers. They're sharing it, and we're getting targeted.”
Thomas says it’s time businesses that collect people’s data start looking out for those people, not just their bottom lines. To that end, the New York bill would not only require that businesses "reasonably secure" users' data and inform them of data breaches (stipulations most tech giants are already on board with), but it would also prohibit them from using data in a way that causes users some sort of financial or physical harm or in a manner that would be "unexpected and highly offensive to a reasonable consumer." The bill states that any entity the business shares data with or sells data to must assume these same duties, requiring companies to follow the often circuitous trail of data as it moves around the web. It also states that this duty supersedes businesses' other fiduciary duties to shareholders.
After the bill was introduced, Thomas also received a visit from Facebook's state policy manager for the northeast, Kia Floyd. Thomas says Floyd was particularly concerned about the data fiduciary requirements. "Facebook was basically like, 'We can't comply with this. We'd have to shut Facebook down in New York,'" Thomas recalls.
A Facebook spokesperson said this is an inaccurate characterization of the meeting, but that Facebook does have concerns about the New York bill. The company objects to the inclusion of a private right of action, as well as what it says is some overly broad language in the bill regarding data fiduciaries. Specifically, a line in the bill would require businesses to "act in the best interests of the consumer." Different consumers, Facebook argues, have different interests when it comes to the use of their data, making that a fuzzy line to draw.
"While the concept of the data fiduciary is certainly worth exploring further, we believe privacy legislation should provide consumers a clear set of rights that they can exercise, and this bill will need further work to do that," Floyd said in a statement. "We will continue to actively work with legislators to find a solution that establishes important privacy protections for all New Yorkers." Floyd said another of Thomas's bills, called the SHIELD Act, which modernizes the state's data breach laws, is an example of "a collaborative approach to privacy and consumer protection."
Tech companies aren't alone in scrutinizing the data fiduciary concept pushed by Balkin and others. Antitrust scholars, like Lina Khan, who works on the House Subcommittee on Antitrust, Commercial, and Administrative Law, have argued that it's incompatible with existing law in Delaware, where so many tech giants are incorporated, that requires companies to maximize returns for shareholders. "A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and her fellow Columbia Law professor David Pozen wrote in March. "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."
Still, privacy groups like the Electronic Frontier Foundation say that the legal contradictions can be resolved given the right legislation. "We do think data fiduciary is a good idea, and we recognize this is a snarl that needs to get worked out, but we don't think it's a fatal blow to the idea," says Adam Schwartz, a senior staff attorney with the Electronic Frontier Foundation. (The EFF has yet to take a position on the New York bill.)
A federal privacy bill called the Data Care Act, introduced in the Senate late last year by Hawaii Democrat Brian Schatz, also includes requirements for data fiduciaries. But it leaves enforcement to the Federal Trade Commission and state attorneys general, which tech companies find more palatable. And it doesn't include any rules regarding consent or what control people ought to have over whether and how their data is sold, shared, or stored. The Internet Association came out in support of that bill as soon as it was announced.
Ultimately, the industry's goal is to pass privacy laws at a federal level that preempt all of the state laws, including California's. Businesses say that complying with a patchwork of rules is overly burdensome. That is the one potential downside of states like New York introducing increasingly forceful bills, says Ashkan Soltani, a former chief technologist at the Federal Trade Commission, who helped craft the California Consumer Protection Act. The more state laws differ from one another in terms of their definitions and requirements, the easier it becomes for business groups to convince Congress that compliance with state laws is an insurmountable obstacle.
"There's a number of companies and lobbying groups that have been pushing different states to come up with slightly different versions of privacy law," Soltani says. "The industry has a strategy to try to divide the states, so they can justify preemption."
The last day of New York’s legislative session is June 19, and Thomas hopes to pass the bill before then. Both the Internet Association and consumer advocacy groups like the New York Civil Liberties Union plan to testify at the hearing on Tuesday.
If the New York Privacy Act does pass, it will likely follow California’s example and be amended and refined before it ultimately becomes law. It would also join California's law in guaranteeing one of the country's top population centers unprecedented data protections, and undoubtedly escalate the industry's fight in Washington to stop these laws from ever going into effect.