Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Senators in New York proposed a tough new consumer privacy law, the New York Privacy Act (NYPA) (NY State Senate Bill S5642). The NYPA doesn't seem likely to ever come to fruition, but it stands to show the future of privacy laws that states and countries may enact or attempt to enact.
The NYPA would have imposed extensive obligations on businesses of all sizes, forced companies to store personal data securely, and provided consumers with a formidable new set of digital rights.
If your business operates in the EU, this should sound familiar. The NYPA clearly took inspiration from the EU's General Data Protection Regulation (GDPR). From its definition of "personal data" to its guiding data protection principles, the NYPA would have imposed a level of data protection on businesses that would have made the EU proud.
Let's see how the two laws measure up.
The NYPA and GDPR come out of very different legal contexts. Let's take a look at the differing aims and scope of each law.
According to the summary of the Senate bill, the NYPA would have:
Fundamentally, the bill sought to change the nature of the relationship between consumers and the companies that process their personal data.
The GDPR was an update of a previous EU law, the Data Protection Directive. That older law already provided a very high standard of data protection across the EU. But the GDPR did introduce some important changes. For example, the GDPR:
Both laws are intended to apply to millions of companies around the world.
The NYPA would have applied to any legal entity that:
The Act was meant to apply to all organizations that are covered by the criteria above. The turnover, sector, or size of the company wouldn't have been relevant. Nonprofits and sole traders were included. However, it wouldn't have applied to state and local governments.
The GDPR applies to anyone who:
Again, the size of the company is not relevant, although there are some exemptions to specific rules. Unlike the NYPA, the GDPR applies to governments as well as private companies.
The NYPA would have been enforced under the New York General Business Law Article 22-A: Consumer Protection From Deceptive Acts And Practices (Section 350-D). This allows civil penalties of up to $5000 per violation.
This might not sound like a lot, but a data breach involving just 1000 users could have resulted in a penalty of up to $5 million.
Violating the GDPR carries a crippling maximum penalty of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher. And the EU's Data Protection Authorities aren't afraid to use these powers. In July 2019 the UK's ICO announced its intention to fine British Airways £183 million (around $229 million) over a 2018 data breach; the final penalty, issued in 2020, was reduced to £20 million, but it remains evidence of how seriously regulators treat security failures.
Both laws also give rise to a "private right of action," meaning that private citizens can take action in court against those who have breached their privacy rights.
The NYPA bore some striking similarity to the GDPR in how it defined certain terms. Frankly, there appeared to have been some copy-pasting going on.
The NYPA and the GDPR both use the term "personal data" to describe their main subject matter. This is the first sign that New York lawmakers might have been looking over the shoulders of their EU counterparts. The term "personal information" is normally used in the US.
Both laws define personal data as any information relating to a living individual who is identified or identifiable, whether directly or indirectly.
The NYPA provided many specific examples of personal data, including:
Identifiers, such as:
Information such as:
Commercial information, such as:
Biometric information, such as:
Online information, such as:
All of these examples are also personal data under the GDPR.
Interestingly, however, the NYPA didn't specifically mention cookies, whereas the GDPR lists online identifiers such as cookie identifiers among the ways a person can be identified. This matters because whether cookie identifiers count as personal data greatly affects how businesses advertise online. It's not clear whether this omission from the NYPA's definition was intentional.
Consent is an important concept in privacy law. Certain actions, such as sending a person marketing emails or, in many cases, sharing their data with third parties, are only lawful with that person's consent.
Businesses must make sure that if they're required to earn a person's consent, they ask for consent in a way that is recognized as valid under the law.
The GDPR is famous for its very high standard of consent. And that same high standard of consent was present in the NYPA.
Under both laws, consent must be:
This means that under both laws:
The NYPA protected "consumers." A consumer is any living individual who is a New York resident. However, this definition doesn't include individuals acting in their capacity as employees or contractors.
This exception to the definition of "consumer" means that the NYPA wouldn't have protected employee records. Human resources departments wouldn't have been required to comply with the law in respect of their own company's employees.
The GDPR protects "data subjects." A data subject is any "natural person" (a living individual, not a corporate entity). The GDPR does apply to employee data.
The NYPA and the GDPR both regulate the activities of "controllers" and "processors." This is how the laws define people according to their relationship with personal data. Every business (or other legal entity) is a controller or a processor in some respect.
A controller "determines the purposes and means of the processing of personal data." A controller normally has an objective that can be achieved by processing a consumer's personal data. It decides how to go about achieving this goal.
For example, if Amazon wants to sell you a product, the company requires your name and contact details to do this. Amazon requests this information from you via its website. Amazon is a data controller in this context.
A processor "processes personal data on behalf of a controller." A processor normally offers its services to controllers who need to process personal data regularly. It doesn't usually have a stake in the end product of the process.
For example, Mailchimp provides an email marketing service to businesses. A company can send Mailchimp its mailing list, and Mailchimp will make contact with the company's customers on its behalf. Mailchimp is a data processor in this context.
An important concept in the NYPA was "de-identified data." This means data that was once personal data but has been stripped of identifying characteristics.
The GDPR recognizes "anonymization" as a method of true de-identification. Data that is truly anonymous is not covered by the GDPR. Pseudonymized data, where identifiers are replaced by a key that could still be used to re-identify a person, remains personal data under the GDPR.
De-identification methods are coming under increased legal scrutiny. Businesses are collecting increasingly large amounts of data about users' online activities. Sometimes a company will claim that data is "anonymous," whereas in fact it could be linked to an individual with relatively little effort.
The NYPA defined de-identified data as:
Data that has been modified so much that the risk of identification is "small," as long as:
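To make the point about weak "anonymization" concrete, here is an added example in Python (not from the original article). It builds a constructed "de-identified" medical table with direct identifiers removed, a constructed public record table of the kind an attacker could obtain, and links the two on the quasi-identifiers they share (ZIP code, date of birth and sex). All names and records are hypothetical. The second half shows why regulators look at the *risk* of identification rather than the absence of names: generalizing the quasi-identifiers raises the minimum group size (the k in k-anonymity) until the linkage no longer yields any unique match.

```python
"""Linkage attack on a 'de-identified' dataset (added example, not from the page).

All records below are constructed for illustration. The medical table has had
names removed; the public table stands in for a voter roll or similar record.
Rows that are unique on the shared quasi-identifiers in both tables can be
re-identified with a plain join, no cryptography or special effort required.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" records: names stripped, quasi-identifiers kept.
DEIDENTIFIED = [
    {"zip": "10001", "dob": "1984-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "10001", "dob": "1984-03-12", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10002", "dob": "1990-07-01", "sex": "F", "diagnosis": "migraine"},
    {"zip": "10002", "dob": "1990-07-01", "sex": "F", "diagnosis": "anemia"},
    {"zip": "10003", "dob": "1975-11-30", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "10003", "dob": "1978-02-14", "sex": "F", "diagnosis": "flu"},
]

# Constructed public records with hypothetical names.
PUBLIC = [
    {"name": "Alice Example", "zip": "10001", "dob": "1984-03-12", "sex": "F"},
    {"name": "Bob Example", "zip": "10001", "dob": "1984-03-12", "sex": "M"},
    {"name": "Carol Example", "zip": "10002", "dob": "1990-07-01", "sex": "F"},
    {"name": "Dana Example", "zip": "10002", "dob": "1990-07-01", "sex": "F"},
    {"name": "Evan Example", "zip": "10003", "dob": "1975-11-30", "sex": "M"},
    {"name": "Faye Example", "zip": "10003", "dob": "1978-02-14", "sex": "F"},
]

QUASI = ("zip", "dob", "sex")          # fields present in both tables
GENERAL = ("zip3", "decade")           # coarser fields produced by generalize()


def key(row, fields):
    """Quasi-identifier tuple used to match rows across tables."""
    return tuple(row[f] for f in fields)


def link(deidentified, public, fields=QUASI):
    """Return sorted (name, diagnosis) pairs for every record whose
    quasi-identifier combination is unique in BOTH tables. Those are the
    confident re-identifications; ambiguous groups are left alone."""
    de_groups, pub_groups = defaultdict(list), defaultdict(list)
    for row in deidentified:
        de_groups[key(row, fields)].append(row)
    for row in public:
        pub_groups[key(row, fields)].append(row)
    matches = []
    for k, rows in de_groups.items():
        if len(rows) == 1 and len(pub_groups.get(k, [])) == 1:
            matches.append((pub_groups[k][0]["name"], rows[0]["diagnosis"]))
    return sorted(matches)


def k_anonymity(rows, fields):
    """Smallest number of rows sharing one quasi-identifier combination.
    k == 1 means at least one person is unique and therefore linkable."""
    return min(Counter(key(r, fields) for r in rows).values())


def generalize(row):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth decade.
    Other fields are kept so the row remains useful for analysis."""
    out = dict(row)
    out["zip3"] = row["zip"][:3]
    out["decade"] = row["dob"][:3] + "0s"
    return out


if __name__ == "__main__":
    print("k on raw quasi-identifiers:", k_anonymity(DEIDENTIFIED, QUASI))
    for name, diagnosis in link(DEIDENTIFIED, PUBLIC):
        print(f"re-identified: {name} -> {diagnosis}")
    gen_de = [generalize(r) for r in DEIDENTIFIED]
    gen_pub = [generalize(r) for r in PUBLIC]
    print("k after generalization:", k_anonymity(gen_de, GENERAL))
    print("re-identified after generalization:", link(gen_de, gen_pub, GENERAL))
```

Run as written, four of the six "de-identified" people are named outright; only the two women born on the same day in ZIP 10002 survive because they are indistinguishable from each other. After generalizing to ZIP prefix and birth decade, every group has at least two members and the linkage returns nothing, at the cost of some analytical precision. Whether that residual risk is "small" is exactly the judgement the NYPA definition above asks a company to make.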
Both the NYPA and the GDPR contain principles and obligations designed to protect personal data.
Under the NYPA, a company in possession of consumers' personal data would have been required to act as a "data fiduciary." This is a radical concept that would have imposed a new level of data protection responsibility on US companies.
On a fundamental level, a data fiduciary must look after a consumer's personal data. A doctor would not share their patients' data without permission, unless it was in the patient's best interests. Under the NYPA, the same principle would be extended to all businesses that control personal data.
The principles imposed on data fiduciaries are reminiscent of the six principles of data processing under the GDPR. The GDPR's six principles are more extensive than the data fiduciary obligations.
Both the GDPR and the NYPA require you to protect personal data in your possession.
The NYPA required that you:
The GDPR requires, among many other things, that you:
Both the NYPA and the GDPR contain a set of data rights. These give consumers some control over their personal data. When a consumer wishes to exercise their rights, they simply make a request to the entity processing their personal data.
Let's take a look at how the rights under the two laws compare.
| Right | NYPA | GDPR |
|---|---|---|
| Right of access | Controllers must provide the following to consumers on request: | The GDPR incorporates all the requirements of the NYPA, and also requires controllers to provide information about: |
| Right to rectification | A controller must correct any inaccurate personal data on request. Where appropriate, they must complete an incomplete set of personal data by adding a supplementary statement. | The right to rectification is the same under the GDPR as under the NYPA. |
| Right to erasure | A controller must erase a consumer's personal data on request, unless the personal data is needed for: | The right to erasure is the same under the GDPR as under the NYPA. |
| Right to restrict processing | The right to restrict processing requires a controller not to process personal data in any way other than storing it. For example, the controller must remove personal data from a website but not delete it. | The right to restrict processing is the same under the GDPR as under the NYPA. |
| Right to data portability | The controller must provide a copy of any personal data they hold on a consumer, in an accessible, machine-readable format. | The right to data portability is the same under the GDPR as under the NYPA. |
| Right not to be subject to profiling | Controllers must not make decisions with "legal or similarly significant effects" (e.g. access to credit or housing) based solely on profiling. "Profiling" means building up a profile of a person based on their activities or personal data. | The GDPR contains a substantially similar right related to "automated decision-making". |
| Conditions for exercising rights | Controllers must respond within 30 days; a further 60-day extension is available where required. Consumers can exercise their rights for free, twice per calendar year. Controllers must not refuse or charge a fee for the first two requests unless they are "unfounded or excessive." | The conditions are the same under the GDPR as under the NYPA, except that there is no set restriction on the number of requests. |
The GDPR also contains two additional rights.
Under the "right to object," data subjects can object to the processing of their personal data in certain ways. This is most relevant to direct marketing. The right to object was not among the consumer rights in the NYPA, but consumers would have been able to object to the sale of their personal data under the NYPA.
Many companies already provide this information in their Privacy Policies to comply with existing laws.
For example, here's how UTAM complies with point 2 above:
Interestingly, the GDPR doesn't specifically require you to reveal the names of the third parties with whom you share personal data, only the "categories" of third parties.
While this is fine under the GDPR, it might not have been enough information to satisfy the NYPA.
While the NYPA is likely dead in the water, it's good to understand it so you can be prepared for privacy laws of the future that will be likely to pass, and likely to be similar in scope and style to the NYPA and the GDPR.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.