The 2021-22 New York State legislative session started off with a bang, featuring nearly a dozen consumer privacy bills introduced in the Assembly and Senate on the opening day. A number of the proposals, including the New York Privacy Act and the Right to Know Act, are carbon copies of bills that were introduced in the 2019-20 legislative session but did not make it out of committee. Others, such as SB 567, which closely resembles the California Consumer Privacy Act (CCPA), are new this session. With a Democratic supermajority in the Assembly and Senate, the New York Legislature appears poised to move forward with pro-consumer privacy legislation, though it remains to be seen whether the ongoing COVID-19 pandemic will continue to consume legislative focus this year.
Below, we provide a summary of the bills introduced on January 6 that have broad applicability to consumer privacy and are generally industry agnostic.
- Senate Bill S567 (SB 567). SB 567 is nearly a clone of the CCPA, but notably includes a private right of action. In particular, the bill specifies that a consumer who suffers an injury in fact may recover the greater of $1,000 in statutory damages or actual damages, rising to the greater of $3,000 or actual damages for an intentional violation. In addition, “any person who becomes aware, based on non-public information, that a person or business has violated this section may file a civil action for civil penalties.” This provision would allow suits to be brought by competitors, vendors and consumer groups based on violations of the law. As with the CCPA, the New York attorney general would be tasked with rulemaking and given enforcement powers.
- Assembly Bill A680 (the New York Privacy Act or NYPA). If passed in its current form, compliance with the New York Privacy Act likely would prove impossible. The bill includes a consent requirement like that of the EU’s General Data Protection Regulation (GDPR) – for all processing activities and third-party disclosures, with no exceptions – that raises significant concerns about the realities of strict compliance. “Specific” consent would ostensibly require a separate check box for each processing activity and each third-party recipient – possibly dozens, hundreds, or even thousands of separate consents for some organizations. Moreover, given that the bill provides no exceptions to the consent requirement for disclosures to “processors” (many of which carry out routine activities for “controllers”), a consumer’s refusal to consent to certain types of disclosures could result in significant interruptions to basic business operations.
Considering the NYPA includes a private right of action for technical noncompliance, we can expect significant efforts to amend this bill as it advances through the New York Legislature. The bill does not specify statutory damages; litigants would have to prove actual damages, which often is difficult for claimants in privacy cases. The NYPA’s private right of action also would allow other injured “persons,” including other businesses and nonprofit consumer groups, to bring actions (including for injunctive relief).
Other significant aspects of the NYPA include:
- Jurisdictional scope. The scope is quite broad, more like that of the GDPR than that of the CCPA. The NYPA would apply to “legal entities that conduct business in New York State or Produce Products or Services that are intentionally targeted to residents of New York State.” There are no revenue thresholds or minimum amounts of personal data a company must process in order to be subject to the law, nor is there an exemption for individuals or for nonprofits (though purely household activities are exempt).
- Covered data subjects. The bill covers “consumers,” which are defined as “a natural person who is a New York resident.” Employees and contractors are specifically excluded from the definition of consumer. Job applicants are not explicitly excluded from the definition of consumer; however, “data sets maintained for employment records purposes” are excluded. There is no “business-to-business” exemption.
- Covered information. The NYPA covers “personal data,” the definition of which closely tracks “personal information” under the CCPA. Publicly available information and de-identified information (each defined in the NYPA) are excluded from the definition of personal data. Similar to the CCPA, the NYPA includes exemptions for HIPAA and GLBA regulated information.
- Increased transparency requirements. The NYPA includes privacy notice requirements similar to the CCPA, plus a requirement that a controller’s privacy notice list all third parties with whom the controller shares personal data.
- Consumer rights. The NYPA gives consumers rights similar to those in the GDPR: access, rectification/correction, deletion, restriction of processing if certain conditions are met and portability (to another controller). Controllers must alert third parties of receipt of such requests (e.g., must notify processors of a consumer’s deletion request).
- “Profiling” requirements. The law includes heightened disclosure and opt-out requirements relating to “profiling” that likely would implicate routine interest-based advertising.
- Data fiduciary concept. The bill introduces the concept of a “data fiduciary,” which requires controllers to prioritize personal data protection over the duty they owe to their shareholders.
- Heightened obligations with respect to data broker disclosures. Controllers have heightened obligations to third-party data recipients classified as “data brokers” (apparently aimed at the advertising technology industry).
- “Comparative fault” liability. The bill states that “where more than one controller or processor, or both a controller or processor, involved in the same processing, is in violation of this article, the liability shall be allocated among the parties according to principles of comparative fault, unless such liability is otherwise allocated by contract amongst the parties.”
Based on the bill’s effective date of 180 days after passage, the earliest the NYPA could take effect would be summer or fall 2021. The NYPA is identical to Senate Bill 5642, which was introduced but did not advance out of committee in the prior legislative session.
- Assembly Bill A405 (AB 405 or the Online Consumer Protection Act). AB 405 is a proposed amendment to New York’s General Business Law and directly addresses interest-based advertising activities. Rather than utilizing that industry-accepted term, however, the bill dubs the relevant regulated activities “online preference marketing.” AB 405 prohibits “publishers” (e.g., website owners) and “advertising networks” from collecting non-personally identifiable information (e.g., device identifiable information) for the purposes of online preference marketing “unless the consumer is given an opportunity to opt-out.” The bill also requires that the publisher “post a clear and conspicuous notice on its website that describes the collection and use of information by the advertising network” (advertising networks also must post a notice on their home pages regarding such practices and describe how a consumer can opt out). It seems that publishers and advertisers that comply with the Digital Advertising Alliance’s self-regulatory principles (which require the provision of such an opt-out) would be in compliance with this requirement, as would advertising technology companies that are members of the Network Advertising Initiative and in compliance with its code of conduct.
The bill also appears to prohibit the widespread practice of list or audience matching (combining personally identifiable information, such as phone number and email address, with other data sets, including non-personally identifiable information, to target advertisements) absent the consent of a consumer. AB 405 states “No publisher of a webpage or advertising network shall collect personally identifiable information for the purposes of online preference marketing.” The text clarifies that the prior requirement “shall not apply to the collection of personally identifiable information provided to a publisher of a webpage or advertising network contracted with a publisher by the consumer with his or her consent.” The term “consent” is not defined in the bill, leaving open the possibility that implicit consent may suffice.
There is no private right of action in AB 405. The attorney general has sole authority to bring actions under the law, including injunctive relief and statutory damages of $250 per violation (which may be increased at the discretion of the court to up to three times that amount if the violation relates to use of personally identifiable information for online preference marketing or the failure to provide an opt out).
- Assembly Bill A400 (AB 400 or the Right to Know Act of 2021). This bill would require a “business” to make available to a “customer” the categories of the customer’s personal information disclosed to third parties, and the names and contact information of all such third parties, including the third party’s designated request address. This is similar to what is required under California’s Shine the Light law. The bill also provides a right for customers to request access to their personal information.
Importantly, the Right to Know Act provides a private right of action for customers, as well as authority for actions to be brought by the attorney general, a district attorney, a city attorney or a city prosecutor in a court of competent jurisdiction. No statutory damages are specified. The earliest that AB 400 could take effect is Q1 2021 (its effective date is “immediately” upon passage). Based on the history of the bill (this is the fifth time it has been introduced) and the likelihood of its being overshadowed by the NYPA and the Biometric Privacy Act, it is possible that AB 400 will be left for dead yet again (though, like the NYPA, it has different sponsors this time).
Other consumer privacy bills that were introduced at the top of this legislative session include Assembly Bill 27 (proposed Biometric Privacy Act); Assembly Bill 687/Senate Bill 301 (relating to requirements for the collection and use of emergency health data and personal information and the use of technology to aid during COVID-19); Assembly Bill 713/Senate Bill 336 (relating to establishment of the Wellness Program Privacy Act); and Assembly Bill 954/Senate Bill 893 (relating to the use of biometric identifying technology in schools).
We are monitoring these and the other bills that have been introduced and will continue to provide updates as the legislative session progresses. For additional articles covering the CCPA, the CPRA or the recent Schrems II decision, including our recently published 2020 year-in-review article, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.