It’s no secret that consumers worldwide have been disquieted by major data breach scandals in recent years. In the absence of federal legislation, many states have acted to draft their own standards. New York’s SHIELD Act and California’s CCPA have paved the way for other states to enact strict and sweeping legislation that requires companies to act as data fiduciaries. Now, New York is taking aim again with a proposed bill called the New York Privacy Act, which would give consumers residing in New York state more control over their data than consumers in any other state by requiring businesses to place privacy rights over profits. In other words, the proposed bill expects companies to act as data fiduciaries.
What is a Data Fiduciary?
A company acting as a data fiduciary is expected to exercise the duties of care, loyalty, and confidentiality with respect to the data it collects, and to utilize data only when it is in the best interest of the consumer. This may create a conflict of interest for financial entities because their fiduciary duty with respect to consumer data would take precedence over any fiduciary duty owed to business owners or shareholders.
Given the simple fact that corporations answer to their boards and shareholders, being legally required to put consumer privacy first raises significant questions. If the foremost goal of a corporation is to maximize profits for shareholders, but the surest route to doing so is to utilize consumer data in a manner that serves shareholders rather than consumers, which duty takes precedence?
These questions are not hypothetical either, because the NYPA includes a provision that affords consumers the right to sue corporations in their capacity as private individuals. In California, the CCPA leaves lawsuits to the office of the attorney general, which gives corporations some reassurance that the occasional disgruntled consumer won’t file frivolous suits ad hoc. But still, companies need to act quickly to develop a plan for navigating this new role.
What is a Data Fiduciary Expected to Do?
As a data fiduciary, a company will need to abide by several key tenets. First and foremost, if operations require that customer data be stored after it is initially gathered, companies will need to assess which of their current business practices conflict with the idea that customers are owed a special duty of loyalty and care. This sounds straightforward, but it probably means scaling up current security measures to meet the higher standard imposed on data fiduciaries.
Companies will also need to ensure that data is used in the manner for which it is collected. For example, if a customer provides their phone number or email address so that they can be contacted regarding an investment account, giving that information to a political organization wishing to solicit the customer’s vote would obviously be unacceptable. But what about sharing an email address internally to provide the customer with company updates about products or services they might want to use? As a data fiduciary, that would also be improper. The investment team cannot share its data with the marketing team. Customers must be notified – upfront – of all the ways in which their information will be used.
When partnering with other companies in the course of business, a company that is required to act as a data fiduciary continues to be held to the same standard of responsibility to the consumer even after the data is transferred to its partner for the next phase of a business transaction. Basically, this means companies have to continue to follow the trail of any data that is passed to another company.
Be Ready for the New York Privacy Act
Companies must keep data secure, use it only for its intended purpose, and continue to monitor it while it’s used in the course of business. This is simple enough in theory, but it will require most companies to take stock of their data management practices in a way they have never had to do before. Though the NYPA has not yet passed, it is a potent harbinger of standards to come, and companies should begin as soon as possible to fold them into regular practice in order to maintain compliance with the law.