Now that the one-year anniversary of the GDPR implementation date has come and gone, many in the business world are collectively exhaling after a long and arduous period of privacy compliance efforts. But the respite is short-lived: preparations are already underway to handle the new California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020 (pending any last-minute amendments during the interim). The CCPA has a one-year lookback period, meaning that CCPA-compliant recordkeeping should already be well underway. However, another challenging new privacy law is already potentially looming on the horizon. New York lawmakers recently introduced a groundbreaking new piece of legislation that in some aspects might be significantly tougher than either the GDPR or the CCPA. If passed as written, the New York Privacy Act may represent a seismic shift in how companies use and manage their customers’ personal data. While similar to other privacy laws in many respects, the draft law may have dramatically sharper teeth due to two important provisions.
In the first, it imposes a completely novel new duty on anyone processing consumer personal data, which the law calls a “data fiduciary.” A data fiduciary must exercise the “duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Any third party with whom the fiduciary shares or sells data must also agree to abide by that same standard. Furthermore, to avoid any doubt, the law clarifies that the data fiduciary duty “shall supersede any duty owed to owners or shareholders of a legal entity or affiliate thereof, controller or data broker, to whom this article applies.”
Acting in a way that protects the interests of consumers is a worthy goal, but the immediate issue with this provision for many businesses is that processing personal data for use in marketing, including the selling of targeted advertisements, generally confers a financial benefit on the company at the expense of consumers’ privacy. And although the businesses have a duty to their shareholders to manage the business in a profitable way and extract value from its assets, that duty now takes a backseat to their obligations to consumers. The practice is so lucrative that it has become an indispensable bedrock revenue stream for some of the largest tech giants of Silicon Valley, without which many of those companies may not be profitable at all.
In the second, the law departs from the CCPA by granting an expansive private right of action to consumers who have been harmed by non-compliance with the law. The CCPA mostly leaves enforcement to the California Attorney General, allowing private persons to recover damages only in the limited event of a data breach that exposes their unencrypted personal information. But New York’s draft law would instead give every individual the right to sue to enjoin any activity that violates the law and/or recover damages. The private right of action would potentially force companies to defend against a barrage of lawsuits, particularly class-action lawsuits, from a variety of different claimants. A similar provision was contemplated for the CCPA but was ultimately excluded from the final version after an intense round of lobbying from business interests.
Taken together, those two features could constitute a one-two punch that deals a heavy blow to company bottom lines by exposing them to open-ended liability while simultaneously hampering many of their most reliable and profitable revenue streams.
In addition, the law also doesn’t have any type of revenue hurdle for bringing businesses into its enforcement purview. The CCPA sets the threshold for compliance at one of the following: $25 million in revenue, service of 50k or more California consumers or devices, or deriving at least 50% of revenue from selling California consumers’ personal information. Conversely, the New York Privacy Act would be applicable to all entities and individuals, large and small—which could potentially make compliance for small businesses very tricky or expensive.
Since this bill is still only in draft form in committee, a lot could change before it is put for a vote or enacted into law. And with New York and other states joining California in a push to regulate personal data privacy, the incentive to replace a myriad of State-level laws with one unified Federal privacy act may grow even stronger in the near future. As they wait for the legislative process to unfold, in the meantime business managers and privacy professionals should continue to build out their capacities to monitor and control their processing of personal data so that they will have the flexibility and agility to be able to proactively manage requirements like the New York Privacy Act and other future regulatory developments.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.