NY’s Data Privacy Bill Failed; Is There Hope Next Session?

Though it was hailed as a potentially groundbreaking bill, the New York Privacy Act (NYPA) failed to materialize during the state’s most recent session. Had it done so, the bill would have introduced a regulatory framework that rivaled or potentially even surpassed that of the California Consumer Privacy Act (CCPA), the first major piece of data privacy legislation in the U.S.  

Sen. Kevin Thomas introduced the bill earlier this year, quickly garnering a number of co-sponsors in the Senate, but failing to find any in the Assembly. The legislation received considerable media attention — with outlets calling it potentially "tougher," "bolder" and more "sweeping" than legislation that had come before. 

Still, privacy rights activists and the business community alike have found themselves less than enthused with the promise of the bill. 

The bill offers a number of innovative solutions to data privacy, including:  

• Perhaps the most groundbreaking thing the new bill would have done is introduce the legal concept of an information fiduciary. Theoretically, the fiduciary concept says that once a company is given consumer data, it necessarily takes on the “duty to exercise loyalty and care in how it uses that information,” as the Electronic Frontier Foundation put it. This would mean instituting standards of care — basic norms and practices — that protect rather than exploit consumer information. 
   
• The legislation would also have enabled a private right of action — a long-sought goal by privacy rights activists — which would allow individuals to sue tech companies for data breaches and other infringements. Right now, most privacy scandals are handled through a higher authority, rather than by individuals. In the case of the CCPA, for instance, legal action against tech giants is taken by the state's Attorney General, typically on behalf of a collective of affected consumers.
   
• The bill would also have increased transparency about how data is being used, with a mandate that companies routinely alert consumers to the types of data being collected, the purpose for its collection, as well as the kinds of data being shared with third parties and the identities of those third parties.  

Tech- and business-oriented lobbyists appeared at a June Senate hearing to decry the bill. These included the Retail Council for New York State, industry trade association TechNet, Tech NYC, the Business Council of New York State, and the Internet Association, which represents the likes of Amazon, Google and Facebook. 

Christina Fisher, TechNet’s executive director for the Northeast, criticized the GDPR-style legislation, saying that while the European regulations had clearly had some benefits for consumers, it also had unintended consequences for business and innovation. 

“There is going to be a dramatic impact on the startup and small business economy in Europe,” she said. “Startups have little money to invest in compliance.”

“TechNet is strongly opposed to the New York Privacy Act as written. ... The tech community would like to continue to work with the Legislature on these topics in the future.”

Of course, while the business community has criticized the restrictions imposed by the legislation, privacy rights activists see a bill that still gives corporations too much flexibility. 

Ari Waldman, a professor at New York Law School and director of the Innovation Center for Law and Technology, described the proposal as a “first salvo” in New York’s attempt to create a comprehensive privacy package. 

The introduction of an "information fiduciary" paradigm into New York law, Waldman said, was a step in the right direction.   

“The idea [of the fiduciary concept] being that — similar to how we entrust our information and our health and our livelihood with experts like doctors and lawyers and financial planners — we entrust our data to these companies as well,” said Waldman, in an interview with Government Technology. “The idea of the information fiduciary is to shift the burden of protecting our data from ourselves to companies.”  

Allie Bohm, legal counsel for the American Civil Liberties Union of New York, said that while the bill had its heart in the right place, it ultimately falls short of being the kind of landmark legislation the state should be looking to pass.  

“I fully believe that the senator and his staff considered and understand what problems comprehensive privacy legislation should be solving for,” said Bohm. 

Thomas's legislation failed to pass during the most recent session because it had "no coalition for it in the Senate," Bohm argued. The tech lobby going to bat against it didn't help either, she noted. 

“The gravitas that the companies have and the amount of lobbyists they will send to Albany shouldn’t be underestimated,” she said, a fact that makes her skeptical over the likelihood of the bill succeeding next session.  

“I’m not optimistic on a comprehensive privacy bill passing next year,” Bohm said, clarifying that she felt smaller, individual bills that address specific privacy issues may have a better likelihood of passing. “We could certainly see a ban on biometric surveillance in schools passed, that would be huge. Maybe we’d get a broadband privacy bill through.” 

The bill that pushes the needle forward will be legislation with “airtight” language, one that addresses the “many, many harms” that come from the use and abuse of personal data, said Bohm. That, hopefully, will galvanize privacy activists both locally and nationally in a push for broader, more comprehensive regulations, she said. 

“Frankly, that’s what we’re going to end up needing if we’re up against all the tech company fire power, because, you know, Google’s wallet is a little larger than the NYCLU,” said Bohm. 

Editor's note: The institution Ari Waldman is associated with was corrected for accuracy. The relationship between TechNet and Microsoft was also corrected.