Move Over CCPA, Here Comes The New York Privacy Act
One of the bigger messes in all facets of the law is that every State may have different legal requirements, which is part of the reason why each State has a different Bar Exam for attorneys. Different laws can be very confusing, and organizations operating out of multiple States may be challenged to understand and comply with them all. Specifically, for cyber security and privacy this can become overwhelming, as we see play out with the various data breach notification laws throughout the country. As you know, California passed the California Consumer Protection Act (CCPA) and it is set to go into enforcement in 2020. Since it was passed, we have watched the battle as big tech companies cry wolf about the law being overly broad and unworkable, and they have been successfully chipping away, bit by bit, at some of its protections. Big tech, if you think that is bad, take a look at the New York Privacy Act (NYPA), and be very, very afraid!
There are several things in the NYPA that should scare anyone doing business in NY.
As written, it applies to ALL companies of any size doing business in NY, unlike CCPA, which only applies to companies making more than $25 million annual gross revenue.
It gives any NY citizen the ability to sue companies directly over privacy violations, called a private right of action, which was successfully stripped from CCPA.
The NYPA also incorporates an idea called “data fiduciaries”. This concept means a company that collects your data should put privacy before profits, and it “would legally bar businesses from using data in a way that benefits their companies to the detriment of their users.”
These are significant changes that companies operating in NY have to think about! As breaches keep happening, the idea of sweeping changes in privacy and cyber security laws is going to become more palatable. Interestingly enough, companies are now lobbying for more comprehensive federal regulation, wanting it to supersede any state privacy law.
Although federal laws can be enacted by Congress that supersede state laws, in the area of privacy I wonder if whatever legislation is eventually enacted will be superseding. There are states like California and New York that are more proactive on protecting the privacy of their citizens, whereas a state like Delaware or Las Vegas would be more restrictive on privacy as they are corporate friendly states. I surmise that any federal regulation will create a floor rather than a ceiling and there will be some clause in the regulation that would reserve the states' sovereign power to make their laws more restrictive. It will be interesting to see what happens.