By: Samuel Roth
After the enactment of the EU’s globally sweeping General Data Protection Regulation (“GDPR”) in 2018, U.S. legislators are scrambling to propose like-minded regulatory acts of their own. The state of California responded by passing the California Consumer Privacy Act (“CCPA”) in 2018. The CCPA further protected California consumers’ data and provided them with the right to know, delete, and opt out of the sale of their collected personal information while preventing discriminatory business practices. Unfortunately, other local legislatures are not as proactive or as willing to adopt similar protective measures. Luckily, throughout 2020, states across the U.S. are taking more of an interest in drafting laws to protect consumer privacy. This is largely due to a combination of Facebook’s Cambridge Analytica scandal and a heightened interest in strengthening or weakening impactful data regulations like GDPR and CCPA. New York’s most recent attempt to bolster its consumers’ privacy displayed a potentially positive future for U.S. policymakers but also revealed the unwillingness of legislators to adopt stricter guidelines.
New York Senator Kevin Thomas proposed the New York Privacy Act (“NYPA”) in May of 2019. Two months later, New York Governor Andrew Cuomo enacted the Stop Hacks and Improve Electronic Data Security Act (“SHIELD”), signaling New York’s commitment to legislate data privacy regulations. However, while SHIELD requires businesses to implement and maintain “reasonable” administrative safeguards to protect the security of state residents’ private information, the NYPA proposal went a step further.
The NYPA mirrored the CCPA by adopting verbatim many of the definitions set forth in the GDPR. Additionally, it provided more robust protections for consumers by creating a “fiduciary” duty on the part of any entity that collects, sells, or licenses personal data. This fiduciary duty would legally ban businesses from using consumer data in a way that benefits their companies to the detriment of their users. This concept, known as an “information fiduciary,” is a term coined by Yale Law School professor Jack Balkin. The term seeks to adapt old legal ideas to a new standard of online practice, one that clearly sets forth the duties businesses owe to their users and consumers. Further, the NYPA requires consumers to opt in to the sale of their personal data, rather than opt out, and provides New Yorkers the right to sue companies directly over privacy violations.
As expected, the NYPA caught the attention of technology- and business-oriented lobbyists alike, who appeared at a Senate hearing in June of 2019 to voice their concerns about the bill. The bill’s opposition included the Retail Council for New York State, industry trade association TechNet, Tech NYC, the Business Council of New York State, and the Internet Association, which represents the likes of Amazon, Google, and Facebook. Criticisms of the proposed NYPA targeted the effect on startups and small businesses that have little money to invest in compliance. Critics further argued that technological innovation would be stunted across the board to meet the expectations of New York’s protection standards. Meanwhile, privacy rights activists saw the bill as too flexible for corporations to work around, but lauded the inclusion of “information fiduciaries” as a step in the right direction.
Ultimately, the NYPA failed to garner any co-sponsors in the New York State Assembly and was not able to make it into the legislative session in 2019. Although lobbyists had a hand in stalling Senator Thomas’s bill, it’s important to consider the NYPA within the scope of current domestic U.S. privacy proposals. State legislators have largely been drafting “copycat” CCPA bills that follow the same formulation of the consumer rights to know, delete, and opt out of personal information sales while protecting against discrimination. California, Maine, and Nevada are the only states to have privacy regulations in place. States such as Massachusetts, Maryland, Hawaii, North Dakota, and New York are eager to roll out comprehensive regulations of their own. In contrast, Arizona announced that their state legislators “oppose the enactment of laws, the adoption of regulations or the imposition of out-of-state standards that would restrict or otherwise dictate standards related to consumer data privacy, absent a clear nexus with consumer harm.” Arizona reasoned that they “believe a single federal standard for comprehensive consumer data privacy regulation is preferable to a state-by-state approach.”
Robert Gellman (“Gellman”), a privacy consultant and contributor to the International Association of Privacy Professionals, writes that “Congress continues to show interest in privacy, but nothing useful emerges.” Gellman notes that “Congress faces jurisdictional problems because many different committees have some jurisdiction over privacy legislation,” and that “writing a new law when so many divergent sectoral privacy laws exist is a problem for which there is no existing solution.” Gellman’s perspective on the current state of privacy law in the U.S. alludes to the potential for a federal regulation, but privacy experts have doubts about reaching an accepted national privacy bill anytime soon. In the meantime, as more and more states position themselves to adopt varying degrees of privacy regulations, businesses become increasingly worried about meeting the standards set for each state’s consumers. This reality is a legitimate concern for small businesses that lack the funding to manage the risk of failing to conform to each state regulation.
The concern for small businesses was a large factor in preventing the NYPA’s enactment, yet simultaneously, the most burdensome compliance measure became the NYPA’s most celebrated feature. The NYPA’s establishment of a fiduciary duty upon data collectors represented an important step beyond the CCPA and marked the future of progressive data privacy regulations to come. Ari Waldman, a professor at New York Law School, referred to the NYPA proposal as “the first salvo,” further stating, “The idea [of the fiduciary concept] being that — similar to how we entrust our information and our health and our livelihood with experts like doctors and lawyers and financial planners — we entrust our data to these companies as well. The idea of the information fiduciary is to shift the burden of protecting our data from ourselves to companies.” A tough pill to swallow for tech giants and lobbyists, but an achievement in consumer privacy standards.
Whether New York is able to successfully pass comprehensive data regulations in the next year is uncertain, but the concept of an information fiduciary will remain in the political zeitgeist across the country. Although 2018 sparked a sense of urgency in state governments over privacy concerns, the U.S. still has work to do before a clear line can be drawn on the ethical and practical effects of state and federal data privacy regulation. Fortunately, the NYPA successfully shed light on a new progression in consumer protection and fortuitously displayed the innate difficulties surrounding an abundance of state-by-state regulations.
Student Bio: Samuel Roth is a second-year law student at Suffolk University Law School. He is a staffer on the Journal of High Technology Law and a member of the Business Law Association. Samuel received a Bachelor of Arts Degree in History from the University of Rochester with a focus on African-American History.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.