New York’s state legislature is considering a new data privacy law that would set the standard for data privacy in the U.S. The New York Privacy Act (the “NYPA” or the “Act”), which is currently being considered by the state Senate’s Consumer Protection Committee, would provide New York consumers with a robust set of data privacy rights, would place fiduciary duties on businesses that control and process data, and would prevent businesses from using algorithms to profile consumers when making decisions that could significantly affect consumers. The Act also carries a robust enforcement mechanism that confers a private right of action on consumers. In several respects, the Act provides more protections for consumers, and imposes more responsibilities on businesses, than does its West Coast counterpart, the California Consumer Privacy Act (“CCPA”).
Let’s take a look at the NYPA’s key provisions:
Applicability: The NYPA applies to “legal entities that conduct business in New York” or that “intentionally target” residents of New York with their products or services. Notably, the Act applies to all such legal entities, which I will refer to in this post as “businesses.” Unlike the CCPA, it is not necessarily limited to for-profit businesses (Do non-profits “conduct business”? Maybe! The term is not defined.), and there is no revenue threshold to exempt small- or medium-sized businesses. In this respect, its extra-territorial application resembles the GDPR.
The law does exempt state and local governments, as well as personal information subject to certain federal regulations (such as HIPAA).
Effective Date: Businesses will have to act quickly if and when the NYPA becomes law. The Act becomes effective 180 days after enactment. That means that, depending on the legislature’s alacrity, the NYPA could conceivably become enforceable before the CCPA, which goes into effect on January 1, 2020 but cannot be enforced until the earlier of the date on which the state’s Attorney General issues regulations or July 1, 2020.
Consent: The NYPA prohibits businesses from using, processing, or transferring to a third party any consumer personal data “unless the consumer provides express and documented consent.” Section 1103 requires businesses to “provide consumers the opportunity to opt in or opt out of processing their personal data,” and to do so “in such a manner that the consumer must select and clearly indicate their consent or denial of consent.”
Fiduciary Responsibilities: Here is where we start to get into the heart of the Act. Section 1102 imposes fiduciary duties on any legal entity that collects, sells, or licenses personal data, and defines those duties broadly. This is a concept that consumer privacy advocates have long been pushing. Creating fiduciary responsibilities shifts some of the burden for managing consumer privacy expectations from consumers to businesses. Otherwise, the onus falls entirely on consumers to review businesses’ privacy notices, to understand what they are consenting to, and to police the businesses’ future use of their personal information. A law that operates purely on this notice and consent structure, like the CCPA, might be overwhelming for consumers who have to manage their data for every device, application, and social network they use.
Under the NYPA, businesses would have to “exercise the duty of care, loyalty and confidentiality . . . with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, . . . in a manner expected by a reasonable consumer under the circumstances.” What is a “privacy risk”? And what does a “reasonable consumer” expect? The bill provides some substance to both concepts.
“Privacy risk” means “potential adverse consequences to consumers and society arising from the processing of personal data.” Adverse consequences include . . . well, pretty much everything. Significant inconveniences and expenditures of time; anxiety, embarrassment, and fear; unwanted commercial communications; and other consequences that affect a person’s “private life” are just some examples of adverse consequences. Thus, businesses have a fiduciary duty to secure consumer personal data in a manner that protects against virtually any risk that the data will be misused in any way that adversely impacts consumers. It is hard to imagine a higher standard of care when it comes to securing personal data.
While the Act anticipates that reasonable consumer expectations will vary with the circumstances, it does provide some guidance as to what will ordinarily be required. Businesses must “reasonably secure personal data from unauthorized access,” and must “promptly” inform consumers of any breach of that duty. By its terms, this latter clause only requires prompt notification when the business fails to take reasonable steps to secure personal data. But the drafters probably intend the clause to require notification whenever a data breach occurs, even if the breach happened despite the business’s reasonable security measures. The Act also prevents businesses from using personal data in a way that: (i) benefits an online service provider to the detriment of an end user; (ii) would result in reasonably foreseeable physical or financial harm to a consumer; or (iii) would be unexpected and “highly offensive” to a “reasonable consumer.”
Transfers of Personal Data: As a threshold matter, transfers of personal data to third parties require a consumer’s “express and documented consent,” as noted above. Beyond obtaining consent, a business must also ensure that the transfer is made consistent with its duties of care and loyalty. Whenever a business shares, discloses, or sells personal data to a third party, the business must impose the duties of care, loyalty, and confidentiality it owes to the consumer on the third party via contractual agreement. And the business must take “reasonable steps” to ensure that the third party’s practices conform to those duties. Such reasonable steps may include regularly auditing the third party’s data security and data information practices.
Consumer Rights: The NYPA confers a broad set of rights on consumers. Consumers have the right to access their personal data and certain information about their personal data (such as whether the data has been sold). They have the right to have inaccurate personal data corrected and to have incomplete data completed. (By comparison, the CCPA does not contain this right to rectification, but the European Union’s data privacy law, the GDPR, does.) Consumers have the right to delete. That is, businesses must delete consumers’ personal data upon request, with some exceptions. Businesses must also take “reasonable steps” to notify third parties when a consumer’s personal data must be deleted. Consumers have a right to stop processing, whereby businesses must stop processing the consumer’s data upon the consumer’s request. Finally, consumers have a right to data portability. In most instances, businesses must provide consumers with their personal data upon request “in a structured, commonly used, and machine-readable format.” Consumers can also request that a business transfer their personal data to another business.
Prohibition on Profiling: The NYPA protects consumers from having their personal data used in algorithms when businesses are making important decisions about them. Section 1103(6) states that “[a] consumer shall not be subject to a decision based solely on profiling which produces legal [or similarly significant] effects for the consumer.” The Act defines “profiling” as “any form of automated processing consisting of the use of personal data . . . to analyze or predict . . . [a] natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” In some exceptional situations where the Act does permit profiling, businesses must implement “suitable measures” to safeguard consumer rights and interests, including providing human review of the profiling decision.
Privacy Notice & Disclosures: Businesses must make a clear, meaningful, easy-to-understand privacy notice reasonably accessible to consumers. The privacy notice must include: (i) the categories of personal data the business collects and shares with third parties; (ii) the purposes for which personal data is used and disclosed to third parties; (iii) the names and categories of any third parties with whom the business shares personal data; and (iv) the consumer’s rights.
Additional disclosures are required if the business engages in profiling. In such cases, the business must disclose the fact of the profiling and “meaningful information about the logic involved and the significance and envisaged consequences of the profiling” at or before the point of data collection. Additional disclosures are also required for businesses that process data for marketing purposes, including targeted advertising.
Enforcement: The NYPA can be enforced by the state’s Attorney General and via private actions. The Act authorizes injunctive relief, recovery of actual damages, reasonable attorney’s fees, and civil penalties. In awarding damages and penalties, courts must consider “the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity.” Each individual whose personal data was unlawfully processed and each provision of the Act that is violated counts as a separate violation. The Act also establishes that a violation of its terms constitutes an “unfair or deceptive act” and “an unfair method of competition” for purposes of New York’s consumer protection statute.