On May 9, 2019, New York State Senator Kevin Thomas introduced S5642, the New York Privacy Act (the “Act”), to amend the general business law in relation to the management and oversight of consumer personal information. Senator Thomas, citing a 2014 Pew survey, is concerned that Americans may have lost control over how their personal information is collected and used, and that government should step-in to address this issue. Because the federal government has not yet passed consumer data privacy regulations, states (such as California and Nevada) have stepped into the breach and adopted privacy laws to address these concerns. New York looks to join these states by adopting the New York Privacy Law, which, if it is passed in its current form, would be more restrictive in some respects than those of other states.

What are the additional privacy restrictions introduced by the Act?

Proposed Requirements of the New York Privacy Law

The proposed New York Privacy Law differentiates itself from other states’ laws in three major respects: 1) Senator Thomas wants the Act to “capture as many businesses as possible,” and, as such, the Act does not propose a revenue threshold that would exclude small businesses; 2) the Act allows both the Attorney General and individuals to bring action against offending businesses; and 3) the Act would require businesses to act as “data fiduciaries,” placing the best interests of consumers before any duty owed to the owners or shareholders of a legal entity or affiliate thereof.

Concerns Surrounding Requirements of the New York Privacy Law

Presently, the Act is being reviewed by the Consumer Protection Committee. On June 4, 2019, a public hearing was held to discuss the New York Privacy Law in in its current form and what role the New York State Legislature should play in its implementation. Opponents of the Act suggest that providing individuals with a private right of action will unnecessarily bog businesses down in litigation. In California, for example, when the California Consumer Protection Act (“CCPA”) was initially proposed, it also contained a private right of action that was opposed and ultimately removed before it was signed into law. Critics are also concerned with the obligations that businesses will take on in their capacities as “data fiduciaries.” Businesses already have fiduciary duties to stockholders. Some worry that businesses could be put in a position where the interests of stockholders and users deviate, forcing businesses to choose which of their fiduciary duties to violate. As the Act moves through the legislative process, these will be some of the issues that interested parties will look for clarity on.