New York Considering Dramatic Expansion of Consumer Privacy Rights
In 2018, the California Consumer Privacy Act (“CCPA”), which provides for an expansive array of privacy rights and obligations, was enacted. At the time, it was reasonable to wonder whether California’s bold example would catalyze similar activity in other states. It’s clear now that it has. Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit. (Building on its own momentum, California passed another privacy law, the California Consumer Privacy Act (“CPRA”), last November, which expands the rights and obligations established by the CCPA).
New York currently has two bills under consideration, S567 and A680, which would dramatically expand the privacy rights afforded to New York data subjects and the compliance burden imposed on the organizations that control or process that data.
S567, which tracks the CCPA in certain respects, would have broad jurisdictional scope. It would apply to any for-profit organization doing business in New York that collects the personal information of New York residents and either (a) has annual gross revenue exceeding $50M, (b) annually sells the personal information of 100,000 or more state residents or devices, or (c) derives at least 50% of its annual revenue from the sale of residents’ personal information. Like the CCPA, S567 broadly defines personal information as any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”
S567 has been referred to the Senate Consumer Protection Committee. If passed by the Senate, the bill would be sent to the governor and, if signed, would take effect 180 days thereafter.
Consumer Rights: S567 would grant consumers, among others, the rights to:
“Know” what categories of their personal information an organization has collected, or sold or disclosed to a third party for a business purpose (including the categories of third parties to whom the information was sold or disclosed).
“Opt-out” of the sale of their personal information.
Non-Discrimination: Subject organizations would also be required to refrain from discriminating against consumers who exercise their rights under the law.
Private Right of Action: S567 would provide a broad private right of action to pursue violations of its privacy provisions. This private right would extend to “any person who becomes aware, based on non-public information, that a person or business has violated” this law. In theory, therefore, potential plaintiffs could include vendors, competitors, and consumer privacy groups. S567 provides for statutory damage awards of the greater of $1,000 per violation or actual damages, as well as up to $3,000 for knowing or willful violations.
A680, meanwhile, would grant certain rights and impose certain obligations that extend beyond even those provided for under the CCPA/CPRA. For instance, it would require subject organizations to obtain written consent from New York data subjects before using, processing, or transferring to a third party their “personal data,” which the bill broadly defines as “information relating to an identified or identifiable natural person.”
A680 would also make such organizations “data fiduciaries,” meaning that they would owe a “duty of care, loyalty, and confidentiality” to consumers to secure their personal data against “privacy risk” (a term which the bill expansively defines), as well as to “act in the best interests of the consumer” without regard to the organizations’ own interests.
A680 would apply to organizations “that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state,” subject to certain exceptions.
The bill has been referred to the Assembly’s Consumer Affairs and Protection Committee. If passed by the Assembly and Senate, the bill would be sent to the governor for signature and would take effect 180 days after it was signed into law.
Consumer Rights: A680 would grant consumers, among others, the rights to:
Opt in or out of the processing of their personal data.
Request confirmation of whether their personal data is being processed, including whether it is being sold to data brokers.
Request access to their personal data.
Request the names of the third parties to whom their personal data is sold.
Request correction of inaccurate personal data.
Request deletion of their personal data.
Notice: Organizations subject to the law would be required to disclose the above rights to consumers and to make other requisite disclosures regarding their processing of personal data.
De-Identified Data: Subject organizations that use de-identified data would be required to “exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject” and to “take appropriate steps to address any breaches of contractual commitments.”
Private Right of Action: In addition to granting enforcement authority to the State AG, A680 would empower consumers to bring suit in their own names for injunctive relief, as well as actual damages and reasonable attorney’s fees.
Momentum is building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, must therefore carefully assess their data collection activities, develop policies and procedures to address their evolving compliance obligations and data-related risks, and train their workforce on effective implementation of those policies and procedures.