New York Democrats Push to Set Privacy Law Standards
New York should pass a state privacy law to set proper standards and push federal legislators to take action, Senate Democrats told a hearing. Industry opposed including a private right of action. Consumer advocates applauded the provision.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Five hours into the hearing, Republicans had yet to participate. Internet Committee ranking member Chris Jacobs (R) didn't attend because of a scheduling conflict in his district, a spokesperson said.
The New York Privacy Act would require social media companies disclose data collection methods and information about which parties are accessing consumer data. The private right of action would allow consumers to individually sue privacy violators. Consumer Protection Committee Chairman Kevin Thomas (D) introduced the measure in May. The bill outlines consumer rights to access, port and delete their data. It would require opt-in consumer consent for certain types of collection. Legislators are debating how long companies should have before complying, suggesting six months to two years.
Thomas looks forward to advancing his bill to protect consumers' privacy, he said in a later statement to us. Offices for other party leaders of both committees didn’t comment.
The bill's purpose is to provide more transparency, Thomas said, saying personal information is more valuable than oil, as evidenced by Facebook and Google's value. He's skeptical about arguments that strong privacy laws stifle innovation, noting major tech companies aren’t fleeing the EU or California because of new privacy laws. Washington state also has such a law (see 1904180036).
Privacy legislation should be comprehensive but simple, said Internet Committee Chair Diane Savino (D). The more complicated a bill, the more difficult it is to protect privacy, she said. Maine passed the simplest, while the soon-to-take-effect California Consumer Privacy Act is the most complicated, she said.
It’s doubtful anything's going to pass at the federal level, so it’s important states continue setting standards, said Assemblymember Linda Rosenthal (D), bill co-sponsor. Technology has far outpaced privacy law, she said. There’s no urgency for companies to protect consumer data since they can easily pay fines, said Sen. John Liu (D), who agreed states should help drive the conversation. Legislators should debate inclusion of opt-in and opt-out consent requirements, said Rep. Brian Kavanaugh (D).
Industry witnesses cited compliance costs for the CCPA and EU’s general data protection regulation. They argued a federal privacy law's the best solution. In many ways, Brown’s bill is “even more problematic” than the CCPA, said Free State Foundation Adjunct Senior Fellow Andrew Long, citing the opt-in regime, private right of action and application to a broader group of industry.
Startup investment in EU companies declined 40 percent since the GDPR took effect, said TechNet Executive Director-Northeast Christina Fisher. A uniform national privacy approach gives clarity to both consumers and industry, said Internet Association Director-Government Affairs John Olson, noting the GDPR fails to address American issues like free speech. Olson argued against the New York Privacy Act’s exemption for government agency data collection. TechNet and IA declined later additional comment.
The private right of action lets individuals make up for under-enforcement, said Consumer Reports Director-Consumer Privacy and Technology Justin Brookman. He noted California Attorney General Xavier Becerra (D) says he will be able to bring only a few major cases per year under the CCPA. Brookman said the New York law needs more clarity about the secondary use of data, arguing the current language allows industry too much discretion for handling data for secondary purposes.
Thomas appeared to interpret secondary data use “pretty aggressively,” Brookman emailed us, suggesting data sharing could be turned off by default. Brookman said it’s not clear what the rules are, as written, so it could be clarified in newer versions. Parsons School of Design associate professor David Carroll supported a private right of action. Citizens deserve rules to exercise more autonomy over their personal data and strengthen enforcement, Carroll said. It’s good the bill defines industry’s fiduciary duty to consumers, said ex-Cambridge Analytica Business Development Director Brittany Kaiser. She dismissed industry complaints about having to comply with a patchwork of privacy rules, saying companies can simply comply universally with the most-stringent measure to protect consumers.
Consumers should be able to opt out of having their data sold to third parties, but websites should be able to share data to deliver essential services, said Partnership for New York City CEO Kathryn Wylde. She opposed a private right of action, saying it could inundate companies and courts because of minor technical errors.
The best way to regulate privacy is federal, said Business Council of New York State Director-Government Affairs John Evers. State rules might conflict and give a false sense of security, he said. He aired concerns about the bill’s broad definitions of personal data and opt-in consent requirements. He opposed a private right of action, saying the state AG is the best source for enforcing the statute.