Look out, California. New York appears to be poised to make 2021 the year of data privacy for the Empire State. As part of the 2021 State of the State address, Governor Andrew Cuomo announced a comprehensive law that "will provide New Yorkers with transparency and control over their personal data and provide new privacy protections."
New York already has laws on the books related to data security. In fact, New York's data breach notification law, the New York State Information Security Breach and Notification Act, has been in effect since December 2005. More recently, the data breach notification law was amended and updated with the passage of the Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act), N.Y. Gen. Bus. Law §899-bb. The SHIELD Act takes cybersecurity a step further than the 2005 version in that it imposes proactive cybersecurity requirements on any entity that collects and stores personal data on New York residents.
It is against this backdrop of proactive cybersecurity laws that we see New York move closer to consumer-focused data privacy laws like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the recently approved California Privacy Rights Act (CPRA). So, what are these proposed laws and, more importantly, what do they mean for New York and for businesses that are "doing business" in New York?
In his announcement, Governor Cuomo did not specifically cite the proposed New York Privacy Act (NYPA), S. 5642/A. 8526, 2019-20 Reg. Sess. (N.Y. 2019); rather, he highlighted some of the proposed data privacy law's attributes. To start, the governor stated that the law will mandate that companies collecting information on large numbers of New Yorkers disclose the purposes of any data collection and collect only the data needed for those purposes. New Yorkers will have the right to access, control, and erase data collected about them. Moreover, the law will protect New York residents from being discriminated against simply for exercising their rights.
In all, these rights will be neatly packaged into a Consumer Data Privacy Bill of Rights. Of course, this may sound all too familiar because these principles are already included in other data privacy regulations like the CCPA and GDPR. But it appears New York may be ready to take data privacy one step further.
The proposed New York Privacy Act
First off, the NYPA, as written, creates a fiduciary obligation for businesses that hold personal data. A fiduciary obligation means that the party collecting personal data, here a business, owes a duty to act in a way that benefits someone else, in this case the New York data subject. So why is this so significant? Normally, if a duty is owed, it is one of ordinary care, which means that the legal standard, and therefore the obligations, are lower. Because the NYPA creates fiduciary obligations, the duty owed by the business to the data subject is heightened, and those businesses will be held to a higher standard of care for the data they collect.
More to the point, the business must exercise its fiduciary obligation to secure the personal data of the consumer, and must act in the consumer's best interest without regard to the interest of the business. NYPA §1102(1). The business must always act in the best interest of the data subject, even if that interest is not in the best interest of the business itself.
A few other noteworthy points related to the NYPA. NYPA requires "opt-in" consent, which means that the data subject needs to take affirmative action to consent prior to the collection of data, rather than a default "opt-out" consent. Unlike the CCPA, there is no minimum threshold on covered entities, meaning the law would impact all entities that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state. NYPA §1101. NYPA also provides for the dreaded private right of action. The NYPA, however, limits recovery to violations of the Act in the form of injunctive relief and "actual damages." Id. at §1109(3). In sum, this means that a plaintiff must show they were harmed by the failure of the business to comply with the NYPA prior to being able to recover.
The proposed Biometric Privacy Act
Aside from the NYPA, New York is also considering a biometric privacy law entitled the Biometric Privacy Act (NY BPA). NY BPA would apply to biometric identifiers and biometric information. Businesses that collect and retain biometric identifiers and biometric information would be limited by NY BPA as to how they can use the data. Such limitations would extend to employees' biometric data, as well.
To be clear, NY BPA requires that entities: (i) inform the data subject that the biometric data is being collected; (ii) inform the data subject of the purpose and duration of time that the data will be collected and stored; and (iii) obtain a written release. These entities collecting and storing biometric data would have an obligation to protect that data. As such, NY BPA creates a private cause of action that would include attorneys’ fees and costs. Regarding the obvious follow-up question of whether there might be an uptick in litigation, significant litigation has already been brought under the Illinois Biometric Information Privacy Act (BIPA), and thus it seems like a relatively safe assumption that there would be the same interest in litigation around NY BPA.
The likelihood of success
At the risk of sounding like a lawyer and falling back on the classic law school response, it certainly depends, in this case on the direction the proposal takes from here. As a bit of background, the NYPA was introduced during the same 2018-19 legislative session in which the NY SHIELD Act was passed, and it was reintroduced in the 2019-20 legislative session. It failed to progress in either session. Predictably, the heightened obligations, especially the creation of a data fiduciary, have caused the bill to be met with significant opposition, including public hearings where concerns were raised over the costs associated with compliance and the creation of a private right of action.
In total, NY BPA has been introduced no fewer than three times but has failed to pass to this point. It is clear that the governor of New York has made data privacy for New Yorkers a legislative priority in 2021. So, you might be asking at this point whether a comprehensive data privacy law is doomed to remain eternally on the runway. However, the better question at this stage is this: given the protections evidenced under the CCPA in California, and more broadly those under the GDPR across the globe, can New York afford not to take similar steps in light of the news surrounding SolarWinds and the rolling data breaches now occurring across private and public industries? Consumer data privacy protections stemming from the creation of corporate fiduciary obligations will no doubt increase the free flow of commercial business dollars by empowering consumers with the confidence that their data is safe, thereby ensuring the smooth economic merger of consumer spending and business growth onto the digital highway.
What should businesses do?
This leads us squarely to the age-old question of how businesses should approach data privacy going forward. For now, at least, states seem poised to maintain control over data privacy legislation. While one of the first pieces of legislation proposed by the new Biden Administration included $10 billion in funding for IT and cybersecurity, it does not seem likely that a federal data privacy law will be passed anytime in the near future. This is an unfortunate reality, as it forces businesses to continue to comply with an often confusing state-by-state patchwork of data privacy laws. And yes, it is true that privacy legislation seems to happen in fits and starts, but it is clear at least that the states, and also consumers, are growing increasingly concerned about the integrity and confidentiality of personal data. But as history continually teaches us about greatness, good things take time.
In fact, by way of example, look at privacy-focused search engine DuckDuckGo. The company grew by 62% in 2020, demonstrating that Americans are indeed becoming increasingly concerned about their privacy while online. It is therefore not hard to see that data privacy is not going away anytime soon. Consumers are increasingly asking for, and frankly demanding, accountability for their data, which is heavily influencing the direction of their consumer dollars. So, for companies that embrace data privacy, and the concept of privacy by design, this evolution of data privacy legislation and economic reality will not cause too many growing pains. On the flip side, for those companies that ignore privacy laws and the obvious trend toward a more GDPR-like approach to data privacy, the domestic data privacy landscape will continue to cause problems and concerns.
Any organization would be wise to have started considering data privacy yesterday. A solid start would be to conduct a data privacy impact assessment and a data categorization exercise. Understanding what data you are collecting and which laws apply to that data is key. Once you have that baseline understanding, it will be much easier to create a data privacy program that fits your organizational blueprint. Waiting is simply not an option. Whether it is NY BPA or NYPA, or some other form, the data privacy tidal wave is not just coming, it is already here. The faster your organization takes the legally appropriate steps to comply, the better off your business will be in this expanding digital economy.