The state Senate recently held a public hearing to discuss a bill that would give New Yorkers more control over their personal data online.
State Senator Kevin Thomas introduced a draft of the New York Privacy Act in May. The Democrat from Long Island’s 6th district says companies often only disclose the positive aspects of data collection, like package delivery and fraud prevention, while glossing over its more questionable uses. He says sharing and selling data can result in discrimination, differential pricing, and physical harm.
“Low-income consumers may get charged more for products online because they live far away from competitive retailers. Health insurance companies could charge higher rates based on your food purchases or information from your fitness tracker," Thomas explains. "A victim of domestic violence may even have real-time location tracking information sold to their attacker.”
The bill would allow New Yorkers to view who is collecting and sharing their personal information, request that it be corrected or deleted, or deny companies the ability to share that information altogether. Staff Attorney Lindsey Barrett of the Institute for Public Relations at Georgetown said even seemingly benign public information can be worthwhile to data brokers.
“You know, you can take information that, by itself, seems innocuous. You know, ‘Oh you purchased a pregnancy test here, but then didn’t buy diapers a year after,'" she proposed. "Whatever you can get from that, you can combine that with publicly available arrest records, driver’s records. There’s all kinds of publicly available information that can be used in a very privacy-invasive way.”
Wired reports the New York Privacy Act largely resembles a bill passed by California last year, the California Consumer Protections Act, or CCPA. But the New York bill would allow individual residents to sue any business they feel violated their privacy. Tech NYC’s Zachary Hecht opposes the concept, saying the bill needs to narrow its definitions of “harm” faced by consumers.
“Inconvenience of time…you have ‘alters individual’s experiences’ – that’s less clear what we’re talking about there. And if we’re talking about the deliverance of ads and things of that nature, there are free speech concerns and commercial speech concerns there," Hecht explained. "And we have to be very careful with how we go through those definitions.”
Hecht also takes issue with the bill’s concept of “data fiduciaries.”
As “data fiduciaries,” Thomas says, businesses would not be allowed to benefit from data use at the “detriment” of the consumer – they’d have to put privacy before profits. And Hecht said that complicates things for businesses.
“Publicly-traded companies have a fiduciary duty to their shareholders – so would this new fiduciary responsibility supersede that? How would those work together?" Hecht noted. "And then the way that the data fiduciary is described here is quite broad – a lot of the legal work that talks about data fiduciary says, in certain contexts, it needs to be narrowly framed. And this is very broad.”
Unlike the CCPA, which only applies to companies making more than $25 million (in gross revenue) a year, the New York Protection Act would apply to all businesses. Critics claim data regulation escalates costs, stifles innovation, and burdens small businesses. Professor Ari Ezra Waldman from New York Law School said he’s never seen evidence to that end, and that critics are missing the point.
“It’s not necessarily better that a company is smaller. Two guys in a garage can invade our privacy just as insidiously as a 40,000-person company," Waldman said. "The focus should be on not the size of the company, but in the purpose of regulation. Regulation has the capacity to actually inspire innovation.”
Those in favor of increased regulation also came with suggestions for the bill. Mary Ross of MSR Strategies, who worked on the CCPA, warned against using specific, market-based definitions of “harm,” and suggested Thomas expand a provision allowing people to opt out of sharing their data.
“In the California law, we allow a third party to opt out on a person’s behalf. There’s so many companies out there that are collecting, processing, and selling your personal information. And an individual has no idea who these companies are," she noted. "So it would be great – speaking of another business opportunity, or a non-profit opportunity – to allow other people or organizations to be able to opt out of the sale of your information on your behalf.”
Ari Ezra Waldman, from New York Law School, said he would like to see the bill make room for the concept of “privacy by design” – where companies create their products with privacy in mind – but says in general, the act is a good start.
“Sure we could educate, we could put it in curriculum in schools, we could have campaigns about it. But that’s not the goal," he said. "We have to shift the burden to companies and provide regulation that limits what they can collect – because we are cognitively unable, even with all possible information, to make those adequate choices.”
Senator Thomas says he would like to see the bill ASAP, but time is of the essence: the 2019 legislative session ends June 19.