New York Privacy Act: It Goes Beyond CCPA

The idea that consumers own their private financial information can be traced to an early 1970s California state constitutional amendment adding ‘privacy’ to guarantees of life, liberty, and other inalienable rights. While financial privacy is not explicitly mentioned in this original amendment, California courts have determined that it is included.

Only relatively modest consumer protection measures have been adopted at the federal level. Most notable is Title V of the 1999 Gramm-Leach-Bliley Act (GLBA). Title V’s requirements include a measure that prevents unauthorized disclosure of customers’ nonpublic personally identifiable financial information (NPFI) and a requirement to disclose sharing practices.

Other states have addressed some of the perceived gaps in GLBA. In 2001, Vermont enacted the Financial Privacy Act — notable in that it requires a financial institution to obtain affirmative consent (an “opt in”) from a consumer before sharing his or her information. As under GLBA, however, the act applies only to financial companies and information and includes a number of exceptions. While Vermont has since updated the law and created other legislation to protect consumer privacy, there has been a scarcity of legislation with such sweeping implications until recently.

The Golden State’s Gold Standard

California recently adopted the California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020 (albeit with numerous amendments to the original proposal). The CCPA goes much further than either GLBA or Vermont’s statute. It covers virtually any business that collects personal information, not just financial information, from consumers in California. Most notably, the CCPA will give consumers broad control over the sale and use of their data. Beginning January 1, California will lead the nation in consumer information privacy protection. But that may soon change.

New York Privacy Act May Take the Lead

If adopted as proposed, the New York Privacy Act (NYPA) would make New York the national leader in consumer data protection. Key differences between the CCPA and the NYPA include:

  • Affiliate Sharing
    • Unlike GLBA, neither the CCPA as adopted nor the proposed NYPA contains a blanket exemption for sharing between affiliates (considered a “sale” under the CCPA, even if no consideration changes hands). However, the NYPA does not contain the CCPA’s consideration for affiliates who share a brand.
  • Private Cause of Action
    • Industry groups succeeded in defeating a provision in the CCPA that would have allowed consumers to sue for violations. The CCPA entrusts enforcement to the Attorney General. The NYPA as introduced would allow private consumer suits.
  • Designation of “Data Fiduciary”
    • This is perhaps the NYPA’s most significant departure from the CCPA, especially when coupled with the NYPA’s allowance of private lawsuits. The NYPA would require any business that collects, sells or licenses personal information to exercise the care, loyalty, and confidentiality expected of a fiduciary in securing the personal data of a consumer against a “privacy risk.” A privacy risk is defined in the act as compromised data that leads to:
      • Financial, physical, or psychological harm
      • Significant inconvenience or expenditure of time
      • Stigmatization or reputational harm
      • Adverse employment, credit or insurance events
      • Disruption and intrusion from unwanted commercial communications (spam)
      • Price discrimination

A fiduciary standard of care is considerably more stringent than that of an ordinary breach of contract or negligence case. Examples of this relationship include that of business partners, corporate directors, and employers.

Existing statutes further define the duties of a fiduciary in other contexts. It seems reasonable to expect that reference would be made to these definitions, especially in private litigation. For example, Section 5-1505 of the General Obligations Law, which deals with powers of attorney, lists three duties of a fiduciary not otherwise enumerated in the act:

  • To act according to any instructions from the principal (in this case, the consumer) or, where there are no instructions, in the best interest of the principal, and to avoid conflicts of interest.
    • A conflict of interest between a data recipient and the consumer subject of that data seems to be inherent in the relationship. It is difficult to see how this conflict can be avoided without prohibiting any sort of sharing without the consumer’s express instruction. Since an “opt-out” is activated only upon the consumer’s request, this would seem to impair any such right.
    • Failure to observe an instruction to opt-out (or failure to properly implement an “opt-in”) would be a breach of fiduciary duty. As noted above, such a claim under the NYPA could be pursued privately.
  • To keep the principal’s property separate and distinct from any other property owned or controlled by the agent.
    • Since any data collector or processor by definition “controls” personal data, this suggests that each consumer’s data must somehow be segregated.
  • To keep a record of all receipts, disbursements, and transactions involving the principal’s and to make the record available to the principal or to third parties at the request of the principal.
    • Businesses would presumably be obliged to disclose to the consumer or any designated third party the details of transactions relating to the consumer’s personal data. This would appear to go beyond the NYPA’s obligation to identify any entity with which information is shared.

Prospects for Passage of the NYPA

It remains to be seen whether industry groups will be able to defeat A08526 in its entirety or achieve significant revisions. As under the CCPA, the private cause of action seems a likely target for lobbying efforts, as does the imposition of a fiduciary duty on data custodians.

In August, AB 8526 was referred to the Assembly Committee on Consumer Affairs and Protection.
