The New York Privacy Act was hailed by many as a bigger, badder version of California’s recent Consumer Privacy Act, but a lack of support and a substantial lobbying effort stopped it in its tracks.
Though it was hailed as a potentially groundbreaking bill, the New York Privacy Act (NYPA) failed to materialize during the state’s most recent session. Had it done so, the bill would have introduced a regulatory framework that rivaled or potentially even surpassed that of the California Consumer Privacy Act (CCPA), the first major piece of data privacy legislation in the U.S.
Sen. Kevin Thomas introduced the bill earlier this year, quickly garnering a number of co-sponsors in the Senate, but failing to find any in the Assembly. The legislation received considerable media attention — with outlets calling it potentially "tougher," "bolder" and more "sweeping" than legislation that had come before.
Still, privacy rights activists and the business community alike have found themselves less than enthused with the promise of the bill.
The bill offers a number of innovative solutions to data privacy, including:
Tech- and business-oriented lobbyists appeared at a June Senate hearing to decry the bill. These included the Retail Council for New York State, industry trade association TechNet, Tech NYC, the Business Council of New York State, and the Internet Association, which represents the likes of Amazon, Google and Facebook.
Christina Fisher, TechNet’s executive director for the Northeast, criticized the GDPR-style legislation, saying that while the European regulations had clearly had some benefits for consumers, it also had unintended consequences for business and innovation.
“There is going to be a dramatic impact on the startup and small business economy in Europe,” she said. “Startups have little money to invest in compliance.”
“TechNet is strongly opposed to the New York Privacy Act as written. ... The tech community would like to continue to work with the Legislature on these topics in the future.”
Of course, while the business community has criticized the restrictions imposed by the legislation, privacy rights activists see a bill that still gives corporations too much flexibility.
Ari Waldman, a professor at New York Law School and director of the Innovation Center for Law and Technology, described the proposal as a “first salvo” in New York’s attempt to create a comprehensive privacy package.
The introduction of an "information fiduciary" paradigm into New York law, Waldman said, was a step in the right direction.
“The idea [of the fiduciary concept] being that — similar to how we entrust our information and our health and our livelihood with experts like doctors and lawyers and financial planners — we entrust our data to these companies as well,” said Waldman, in an interview with Government Technology. “The idea of the information fiduciary is to shift the burden of protecting our data from ourselves to companies.”
Allie Bohm, legal counsel for the American Civil Liberties Union of New York, said that while the bill had its heart in the right place, it ultimately falls short of being the kind of landmark legislation the state should be looking to pass.
“I fully believe that the senator and his staff considered and understand what problems comprehensive privacy legislation should be solving for,” said Bohm.
Thomas's legislation failed to pass during the most recent session because it had "no coalition for it in the Senate," Bohm argued. The tech lobby going to bat against it didn't help either, she noted.
“The gravitas that the companies have and the amount of lobbyists they will send to Albany shouldn’t be underestimated,” she said, a fact that makes her skeptical over the likelihood of the bill succeeding next session.
“I’m not optimistic on a comprehensive privacy bill passing next year,” Bohm said, clarifying that she felt smaller, individual bills that address specific privacy issues may have a better likelihood of passing. “We could certainly see a ban on biometric surveillance in schools passed, that would be huge. Maybe we’d get a broadband privacy bill through.”
The bill that pushes the needle forward will be legislation with “airtight” language, one that addresses the “many, many harms” that come from the use and abuse of personal data, said Bohm. That, hopefully, will galvanize privacy activists both locally and nationally in a push for broader, more comprehensive regulations, she said.
“Frankly, that’s what we’re going to end up needing if we’re up against all the tech company fire power, because, you know, Google’s wallet is a little larger than the NYCLU,” said Bohm.
Editor's note: The institution Ari Waldman is associated with was corrected for accuracy. The relationship between TechNet and Microsoft was also corrected.