In May, New York State proposed the New York Privacy Act, a new privacy bill which, if enacted, would lead to the toughest state privacy law in the U.S. to date.
The California Consumer Protection Act (CCPA) currently leads the way as the staunchest state consumer privacy law and the New York Privacy Act resembles the CCPA in certain respects. Similar to the CCPA, the New York Privacy Act contains an expansive definition of “personal data” and would protect a wide range of data beyond personal identifiers, including biometric information and internet or other electronic network activity information (browsing history, search history, etc.). Also, as with the CCPA, the New York Privacy Act would give state residents greater control over their personal data, including allowing residents the right to find out what data is being collected on them by businesses and the right to find out who the businesses are sharing the data with. New York State residents would also be entitled to request that their personal data be collected or deleted, and that their personal data not be sold to third parties.
Despite the similarities, the New York Privacy Act would differ from the CCPA in several important ways. To begin with, the New York Privacy Act would require companies to act as “data fiduciaries” of the consumer data it holds. In this regard, the bill requires businesses which collect, sell or license personal information of consumers to “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk” as well as to act in the best interest of the consumer. The bill clarifies that the fiduciary duty owed to a consumer under this law would supersede any duty owed to owners or shareholders of a business, controller or data broker.
A second key difference between the CCPA and the New York Privacy Act relates to enforcement of the laws. Under the CCPA, there is no private right of action and claims under the act are to be brought by the California Attorney General. The New York Privacy Act would allow for a private right of action so that state residents could directly sue companies for their violations of the act.
A final key distinction between the two is the reach of the two laws. Whereas the CCPA applies only to businesses with annual gross revenues exceeding $25,000,000, the New York Privacy Act would apply to all businesses regardless of revenue size.
The passage of the New York Privacy Act would mean two of the three most populous states in the U.S. having enacted tough but also very different privacy laws. As more and more states enact their own increasingly strict privacy laws, this state-by-state framework would seem to strengthen the call for Congressional action.
The issue of whether a federal privacy law should preempt state law has been a point of contention between business groups and privacy advocates. Privacy advocates believe preemption will lead to watered-down protection for consumers and business groups have expressed that complying with a patchwork of rules is overly burdensome, so a uniform federal standard is necessary. Though privacy advocates may celebrate the ultimate passage of a tough privacy law like the New York Privacy Act, it may be that the unique requirements of the law will enable business groups to convince Congress that the patchwork approach to privacy is unworkable for businesses, and therefore any federal law should preempt state law.
It will be interesting to see how this plays out, but the passage of each new state law would seem to increase pressure on Congress to determine its course of action.