New York Looks at Regulating Online Privacy 

Last month, I gave a presentation to developers and business owners about the one-year anniversary of Europe’s General Data Protection Regulation (“GDPR”). In the year since GDPR has been in place, we’ve seen enforcement actions brought against smaller entities (such as a hospital in Portugal) as well as large multinational companies (Google, in France and Ireland). In addition, California has enacted the California Consumer Protection Act (“CCPA”), which goes into effect on January 1, 2020, and which is likely to be the de facto privacy standard for the United States.  

Now, New York is taking up its own privacy regulation, the New York Privacy Act (“NYPA”). The NYPA, though similar to its predecessor regulations, would give New York residents more control over their data than in any other state. Unlike GDPR or the CCPA, it would require that companies act as fiduciaries for their users, putting their customers’ privacy before their own profits.  

Also, NYPA differs from CCPA in two very significant ways: 1) it creates a private right of action, which would allow individual consumers to bring litigation over privacy violations; and 2) it would apply to companies of any size. These two differences are potentially monumental. First, under the CCPA, only the state’s attorney general can initiate a claim against a company; NYPA would allow ordinary citizens to bring an action. Not surprisingly, the industry vehemently opposes the private right of action. Second, CCPA only applies to companies that make more than $25 million in revenue or make most of their revenue from selling data; NYPA’s reach is much broader and would apply to anyone doing business with New York consumers.

It’s far too early to know what these state-level policies will look like in action, or whether they will spur Congress into crafting a national standard. What we _do_ know, however, is that businesses that collect people’s data need to put their customers’ interests front and center, and incorporate privacy by design.
