Is New York's New Consumer Privacy Bill a Bridge Too Far?

November 2, 2020
Insights for Insurers: Cyber Coverage

Navigating the ever-changing waters of consumer privacy could become much more challenging if the "It's Your Data Act" (IYDA) is passed in New York. Some provisions of the proposed law may apply to any person or business, even law firms, no matter how small, that collects any personal information of New York residents for the purpose of generating commercial or economic value.

New York State Senator Leroy Comrie introduced Senate Bill 9073 on October 28, 2020. The bill would modify the state's civil rights and general business laws to expand the current "right of privacy" as well as create a series of consumer rights and business obligations concerning the collection, storage, and use of a consumer's personal information. Steep civil liabilities, as well as criminal liability, could result from violations. 

For example, under the proposed amendment to the civil rights law's right of privacy language, the owner of a newly reopened local restaurant in New York who photographs families attending the restaurant's grand opening without having first obtained written permission from each person visible in the frame may be guilty of a misdemeanor, even if the owner never publishes the image.

With these liabilities in mind, we unpack the key features of the IYDA, starting with the expansion of New York's current right to privacy. 

Civil Rights Law Amendment

The bill would modify the state's civil rights law to create a "right of privacy" for New York State consumers (defined as state residents), which would require prior written consent and the exercise of reasonable care to use a consumer's personal information for nearly any commercial reason. Violations of the right to privacy would be considered a misdemeanor:

A person, firm or corporation that collects, stores, and/or uses for the purpose of advertising, trade, data-mining, or generating commercial or economic value, the name, portrait, picture, video, voice, likeness, and all other personal data, biometric data, and location data of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, or, if such consent is obtained, subsequently fails to exercise reasonable care consistent with its obligations as bailee of that individual's name, portrait, picture, video, voice, likeness, and all other personal data, biometric data, and location data, is guilty of a misdemeanor.

The concepts of collection, storage, and economic value are just three of several proposed additions to the right of privacy that are not defined. Most troubling is the failure to define "all other personal data," which often means different things to different people. The right to privacy provision is not limited in scope and apparently applies to any person or business who collects personal data, no matter how small.

Aggrieved consumers would be permitted to pursue actions for injunction and for damages. Exemplary damages could be awarded for knowing violations. 

Amendment of General Business Law 

The bill also seeks to amend the state's general business law and establish the IYDA. With features similar to the California Consumer Protection Act (CCPA), the IYDA would impose various disclosure obligations on certain for-profit businesses that collect, store, or use personal information of New York consumers. The Act would also give New York consumers a number of rights concerning their personal data, including the right to sue for significant statutory damages for any violation.

New Obligations on Businesses

Generally, the IYDA would impose a number of privacy and security obligations on for-profit businesses that do business in New York and satisfy one or more of the following thresholds:

Similar to the CCPA, businesses subject to the IYDA would be required to disclose the following information:

The mandated retention period disclosure is one of several ways in which the IYDA exceeds the scope of the CCPA.

Businesses that collect consumer personal information also would be required to limit the collection and sharing of personal information with third parties to what is "reasonably necessary to provide a service or conduct an activity that a consumer has requested or is reasonably necessary for security or fraud prevention." Third parties would be required to exercise care over the personal information consistent with the original business's obligations as a bailee of the information. In addition, the IYDA sets forth specific prohibitions concerning the use of personal information that must be contained in contracts between businesses and third parties to whom personal information is disclosed.

New Consumer Rights

Similar to the CCPA, the IYDA would give New York consumers the ability to exercise new rights concerning their "personal information," which means "information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device." Personal information would not include publicly available information, information that is de-identified, or aggregate consumer information. Importantly, any personal information collected or shared by a business upon the affirmative authorization of a consumer would remain the property of the consumer.

Under the proposed law, New York residents would be able to exercise the following rights with regard to their personal information:

Generally, businesses would have to verify and fulfill consumer requests free of charge and within 45 days.

Reasonable Security Requirement

The IYDA also would impose risk-based security requirements on covered businesses and their service providers:

  1. A business or service provider shall implement and maintain reasonable security procedures and practices, including administrative, physical, and technical safeguards, appropriate of the nature of the information and the purposes for which the personal information will be used, to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification.
  2. A business or service provider may employ any lawful security measures that allow it to comply with the requirements set forth in this section.

Private Right of Action

One of the most significant features of the IYDA is the creation of a private right of action that would authorize significant statutory damages for any violation of the Act. In that regard, the IYDA goes much farther than the CCPA, which allows a private right of action only for certain data breaches resulting from a lack of reasonable security. All violations of the IYDA would be considered an injury in fact, regardless of whether the consumer has suffered a monetary or property loss. Consumers would be entitled to damages of up to $750 per consumer per violation or actual damages, whichever is greater.

Agency Enforcement

In addition to the private right of action, the IYDA would also allow for civil enforcement by the New York State Attorney General, county district attorneys, and city corporation counsel. Civil penalties for unintentional violations would be up to $2,500 per violation and $7,500 for each intentional violation.

Final Thoughts

Another proposed privacy law, the New York Privacy Act (NYPA), stalled in the New York Senate earlier this year. The NYPA drew considerable attention due to its proposed creation of a fiduciary obligation on data controllers. It is unclear whether the NYPA, either in its current or an amended format, will be re-introduced. It also remains to be seen when the IYDA will be acted on. The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amended New York's breach notification law and required covered businesses to implement and maintain reasonable security measures, was enacted earlier this year.

New York lawmakers are not alone in trying to craft a measured consumer privacy law. But if passed as written, the IYDA may have vast and unintended consequences. In the rush to adopt privacy protections, the proposed right of privacy language and broad private right of action might be a bridge too far.