Following in the footsteps of California, with its California Consumer Privacy Act (CCPA) that recently took effect on January 1, 2020, many states are now in the process of considering their own new privacy laws that would grant consumers more expansive rights over their personal information.
Prime among these states is New York. In early 2019, Senator Kevin Thomas introduced S.B. 5642, entitled the “New York Privacy Act,” which proposed a comprehensive regulatory privacy framework in many ways akin to the sweeping General Data Protection Regulation (GDPR) that took effect in the European Union in May 2018. The bill, however, failed to make it onto the New York Legislature’s floor calendar last session.
Senator Thomas will nonetheless likely introduce a revised version of the bill during the 2020 legislative session, which begins this month. In preparation for this, on November 22, 2019, the New York Joint-Senate Standing Committee on Consumer Protection, which Thomas chairs, held a public hearing regarding what should be included in the bill.
At the hearing, privacy advocates championed key privacy rights that the 2019 bill had proposed for consumers: the right to access their personal information, the right to request that a company delete personal information, and the right to correct any inaccuracies in personal information maintained by a business. Yet these advocates stressed that the bill could be improved by expanding the definitions of “personal data” and “sale,” as well as adding a right of non-discrimination. (By way of example, the 2019 bill defined “personal data” as “information relating to an identified or identifiable natural person,” including, among other things, identifiers such as a real name, alias, signature, date of birth, gender identity, sexual orientation, marital status, physical characteristics or descriptions, postal address, telephone number, unique personal identifier, military identification number, online identifier, IP address, email address, account name, mother’s maiden name, social security number, driver’s license number, passport number, or a similar identifier. CCPA was the first privacy regime to include a right to non-discrimination, meaning that a business subject to CCPA cannot demand a higher price or offer a lower level of service if a consumer exercises her rights under CCPA, for example the right to deletion.)
Hearing witnesses also advocated for a pure opt-in framework in relation to the sale of personal information. Currently, CCPA utilizes an opt-out framework, which generally allows a company to collect and sell a consumer’s personal information unless, and until, the consumer opts out of the sale of their personal information. GDPR offers a hybrid system in relation to processing of personal information, requiring that such processing have a lawful basis, which can be satisfied, among other ways, by obtaining the data subject’s consent. By contrast, a pure opt-in framework in relation to sale would prohibit businesses from selling consumers’ personal information unless a consumer provides express opt-in consent. Such a system, if adopted, would be a global novelty and greatly increase individual rights in relation to how businesses collect and sell personal information.
Trade advocates urged, by contrast, that the bill should “color within the lines” of CCPA, arguing that enacting more expansive provisions would place a greater burden on businesses that would have to comply with both laws. Citing the hasty manner in which CCPA was passed, as well as its complicated and, at times, confusing language, trade advocates also urged that the New York bill should be more straightforward and provide a two-year implementation period, so that businesses could adequately prepare for the law. GDPR, for example, was passed in 2016, but gave organizations two years to comply before it took full effect. Trade advocates also urged that the New York bill should avoid overlap and conflict with already existing protections under federal law, such as those created by the Gramm-Leach-Bliley Act (“GLBA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).
More hearings are expected as the New York Privacy Act progresses through the Legislature in 2020. Whatever the outcome of these hearings, it appears certain that the proposed Act will advance further in 2020 than it did last session, bringing with it the potential for sweeping changes to how organizations process the personal information of New York residents.