Communications Litigation Today was a Warren News publication.
Strictest Yet?

N.Y. Privacy Act Advances in State Senate

A New York Senate panel approved a sweeping privacy bill Tuesday with a private right of action. After the hearing, Consumer Reports praised the bill, but tech industry groups raised concerns. Parts of the proposed New York Privacy Act are stricter than other state laws, said Fox Rothschild attorney Odia Kagan.

No Consumer Protection Committee member voted against advancing S-365 by Chair Kevin Thomas (D) at the livestreamed hearing. One member, Internet and Technology Committee Chair Sen. Kristen Gonzalez (D), said she’s excited to have the bill come to her group next. “We’re still taking stakeholder feedback” and hope to “pass something that meets the urgency of the moment,” she said.

The two committee leaders will “be working together to make sure this moves to the floor later on,” said Thomas. “We’ve been working on this bill for the past five years,” while California and some other states passed bills. “I will not hold my breath for the federal government to do anything on this.”

Privacy is a fundamental right and an essential element of freedom,” says S-365 text. Under the bill, consumers would get rights to know how their data is used, processed and shared; access and transfer their data; correct inaccurate data; delete data; and challenge some automated decisions. Unlike other state bills that passed this year, it would include a private right of action and lacks a right to cure. Consumers may opt out of processing personal data for targeted ads, selling data and profiling; the bill would be opt-in for sensitive data. The bill would allow users to use global opt-out controls including through browsers or devices. Much of the bill wouldn’t take effect until two years after becoming law, and the private cause of action wouldn’t take effect for three years.

Consumer Reports will support the bill, said CR policy analyst Matt Schwartz in an interview. The private right of action, support for universal opt-out mechanisms and inclusion of automated decision-making rules make S-365 much stronger than all other privacy bills passed this year, he said. It might even be stronger than California’s law if lawmakers keep the ability for consumers to sue, he said. The bill’s targeted advertising definition could use refinement, said Schwartz, and S-365 is weaker than Thomas’ previous version that would have required opting in for all data.

The New York Privacy Act’s chances are unclear, said Schwartz. “There’s several other competing bills in New York and we don’t know how serious [their] sponsors are about those” or if there will be any crossed wires among the different legislators. Tuesday’s hearing was a surprise, after S-365 got no movement for months after introduction, he said.

Tech groups have concerns. The Computer and Communications Industry Association worries the proposed private right of action “would lead to numerous frivolous lawsuits and pressure businesses to settle to avoid exorbitant legal fees,” said CCIA Northeast Regional Policy Manager Alex Spyropoulos. States should standardize terms and definitions, following Connecticut’s lead, he said. NetChoice General Counsel Carl Szabo warned state lawmakers not to “reinvent the wheel as doing so will result in New York businesses spending millions to come into compliance with yet another state privacy law.” Base the bill on Connecticut, Colorado and Virginia laws instead, he urged.

More business-friendly privacy bills passed Friday in Montana and Tennessee (see 2304210060), and earlier this year in Iowa (see 2303290052) and Indiana (see 2304140050). Governors have signed privacy bills in six states: California, Colorado, Connecticut, Iowa, Utah and Virginia. A Florida bill advanced to the Senate floor Monday (see 2304240045).

The New York bill has some similarities to Virginia and Connecticut laws, but some requirements are stricter than what’s in any other state law, said Kagan. Those include more stringent rules “for automated decision making; the triggers for conducting impact assessments; the scope for the duty of loyalty and duty of care; requirements for data brokers; requirements for data processing agreements and the private right of action,” the privacy attorney emailed.

Teasing out the similarities and differences between state privacy measures is like looking at a kaleidoscope for businesses seeking to comply, noted Kagan: “We have infinite colorful moving particles, floating in space, with different definitions and meanings, causing … dizziness and frustration.”