The newly proposed New York Privacy Act, S5642, would give consumers substantial control over the use of their personal data, such as the right to demand review, corrections and/or deletions of their private information, and the authority to bring civil actions against companies. The tech industry immediately called the proposed law “unworkable.”
Proposed by state Senator Kevin Thomas, the bill would require companies to “disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.” Thomas also called for the establishment of a new state office of privacy and data protection.
“Fiduciaries, like an attorney or a doctor, hold onto your information. They don’t share it, unless there is a need for the purpose for which they collected it,” Thomas said. “That’s not what’s going on here with these data companies and these data brokers. They’re sharing it, and we’re getting targeted.”
S5642 would authorize the state attorney general to bring an action on behalf of the state or on behalf of New York residents. Consumers would be able to bring their own action to enjoin any unlawful act and/or to recover actual damages and attorney’s fees.
Any data controller or processor who violates the law would be subject to an injunction and liable for damages and a civil penalty. When calculating damages and civil penalties courts would consider the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity. Each individual whose information is unlawfully processed and each provision of the law that is violated would count as separate violations.
In detailing the proposed consumer rights, controllers of the data – anyone who determines the “purposes and means of the processing of personal data” – would have to notify consumers of their rights under the law and give them a clear opportunity to opt in or opt out. Controllers would be required to confirm whether they are processing a consumer’s personal data and whether the data is sold to brokers. Controllers would have to share where the data is being processed, provide access to the data, and share the names of third parties to whom the data has been sold or licensed.
Upon a consumer’s request a controller would also have to provide, up to twice a year and free of charge, a copy of the personal data undergoing processing. Controllers would have to delete or correct any data at a consumer’s request.
The law also would protect consumers from retaliation, such as denial of consequential services or support from data -controlling companies, like financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, and health care services.
The bill is currently with the Senate Consumer Protection Committee.
Pushback from the tech industry has been swift. John Olsen, Director of the Internet Association, called the proposed act “unworkable for businesses that want to comply and fails to provide New York residents meaningful control over how their data is collected, used, and protected.” Facebook said it would have to shut down access to New York users if the bill becomes law.
MoginRubin Attorney Nicole Ambrosetti compared the law to global regulations. “The bill proposed in New York State includes the option for consumers to demand deletions of their private information, much like the statutory erasure obligations of Article 17(2) of the GDPR. It will be interesting to see how the right to be forgotten — which has so far been limited to Europe — can be implemented in the U.S. when pitted against concerns that particular proposals, like the one in New York State, are unconstitutional.”
“I applaud New York’s recognition of the effectiveness of private enforcement,” added MoginRubin Partner Jennifer Oliver, who practices in California and New York. “California attempted this but, after fierce lobbying, ultimately failed to preserve it other than in cases of data breach.”
Oliver doesn’t see a smooth path for the proposed law. “It would apply to companies of any size, whereas California’s only applies to companies with $25 million revenue or more, except under certain circumstances. This could prove especially onerous for small businesses in New York. I predict an intense lobbying battle between the business community and privacy rights activists in New York.”
“Given all the activity at the state level, pressure on Congress to pass a single national privacy law is truly mounting,” Oliver said.