New York State's Privacy Law Would Be Among The Toughest In The US
from the this-will-get-messy dept
A few years ago, you might (or might not) recall that telecom lobbyists convinced Congress to kill some fairly modest FCC privacy rules before they could even take effect. The rules would have required that broadband providers transparently disclose what consumer data is being collected and sold, and to which companies. It also required that consumers opt in to the sharing of more sensitive financial or location data. Those rules, had they survived, would have gone a long way in protecting consumers from the endless location data scandals that have plagued the industry in the two years' since.
In the wake of obvious federal apathy to crafting meaningful privacy rules for the location data and social media age, numerous states have begun crafting their own privacy rules... with mixed results. California's privacy proposal, for example, is well intentioned but has been criticized for being a bit rushed and overcooked. ISPs have been quick to breathlessly complain about the rise of such state efforts, ignoring that they likely wouldn't be happening if they hadn't lobbied to crush the FCC's privacy rules.
This week New York State joined the fun, and has been pushing for a new law (S5642) that experts say is significantly tougher than California's proposal:
The New York bill, as it’s currently written, departs from the California model in significant ways. While the California law leaves enforcement to the state’s attorney general, the New York Privacy Act would give New Yorkers the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits. Industry groups vehemently opposed a similar provision—also known as a private right of action—in California, and they succeeded in driving it out of the bill when it was finally signed into law last year. And while California’s law applies only to businesses that make more than $25 million annual gross revenue, the New York bill would apply to companies of any size.
Privacy wonks say there are several problems with the bill as written, including the continued insistence on so-called "right to be forgotten" restrictions, which we've noted usually come with a high potential for abuse by malicious third parties. Another contentious issue is the bill's decision to classify companies as “data fiduciaries,” barring them from using data in a way that benefits their companies but harms the end user:
The concept, alternately known as an "information fiduciary," was coined by Yale Law School professor Jack Balkin, who has been promoting the idea since 2014 as one solution to data privacy issues. "To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law—one that clearly states the kinds of duties that online firms owe their end users and customers," Balkin and his coauthor, Harvard professor Jonathan Zittrain, wrote in The Atlantic. "The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from."
The idea has critics in and outside of industry, including Lina Khan, one of the leading modern voices on antitrust reform. She's been arguing for a while that the requirement conflicts with existing laws, like in Delaware, which require that companies maximize returns for shareholders:
"A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and her fellow Columbia Law professor David Pozen wrote in March. "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."
Clearly, crafting a useful state or federal privacy law is going to be a steep uphill climb. In part because of well-intentioned errors and overreach on the part of the states or Congress, but also because you'd be hard pressed to find a meaningful privacy proposal that industry actually agrees with. Even the best crafted privacy law would inform, educate, and empower consumers to opt out of data collection and monetization. Given that would cost countless companies billions of dollars, they're going to fight tooth and nail against pretty much any proposal with teeth, regardless of proclaimed public support.
That puts consumers in a precarious position. Numerous industries are now pushing for federal privacy laws that sound good on the surface, but are largely filled with loopholes and designed to do just one thing: preempt tougher state and federal laws. And with a long line of sectors all lobbying in unison (telecom, Silicon Valley, marketing, advertising, healthcare) against any meaningful law whatsoever, getting anything of substance passed on either the federal or state level is going to prove problematic (part of the reason the FCC acted unilaterally on privacy and net neutrality in the first place).
As a result, it's likely we're going to just keep seeing a percussive array of massive privacy scandals until a consensus and solution is forged by necessity and outrage. But it remains entirely unclear when that's actually going to happen in a Congress flooded with industry campaign contributions. It's a wide open question just how stupid our repeated privacy scandals are going to get before the United States figures out that having absolutely no real privacy rules of the road isn't likely to work.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: information fiduciaries, new york, privacy, privacy laws
Reader Comments
Subscribe: RSS
View by: Time | Thread
I'm no expert in corporate law, but I would imagine that this is not a legitimate contradiction. There has to be some law (or case law, or probably both) that clarifies that it's not a breach of fiduciary duty to refuse to take some action that, while profitable, would also be illegal... right? That's just common sense; otherwise we would see shareholders suing companies to force them to violate the law in the name of maximizing profit.
[ link to this | view in chronology ]
Re:
Employment law firms have had similar conflicts with regard to their duty to client and anti-discrimination laws, e.g., where they decide that a female or minority attorney gives them the best chance to win, but deploying on runs afoul of Title VII. I think the client's interest prevails there but I doubt breaking the law would prevail here.
[ link to this | view in chronology ]
Re: Re:
Wait, what?
[ link to this | view in chronology ]
Re:
Ah common sense.
Unfortunately that is not the same as good sense or a sense of morality.
Both of those are tossed off the table and burned when it comes to profits.
Shareholders can and do "encourage" the violation of laws and regulations in the name of the maximization of profits.
[ link to this | view in chronology ]
Re:
Actually, the laws wouldn't contradict at all. Fiduciary duties are a backstop: Under Delaware law, corporations have a duty to maximize profit to their shareholders. That doesn't mean maximize short term profits at the cost of long-term lawsuits. It means that corporations have to take their fiduciary duties to New York customers into consideration on how to best maximize profits for their shareholders -- ignore them, and the corporation violates their duties in BOTH states; uphold them, and if taken to court in Delaware, the company can point out that while it might not be making as much short term profit as it could by behaving illegally, it is maximizing the profit within the confines of the law.
[ link to this | view in chronology ]
Re:
Yeah, I'm not seeing any conflict there either, as while it may not be spelled out explicitly(if for no other reason than it shouldn't have to be), I imagine 'maximize profits' is generally understood to to be followed with an unsaid '... without breaking the law in the process'.
[ link to this | view in chronology ]
Opt out? You have it backwards...
I think the best crafted privacy law would protect the public by default. It should take a positive action by consumers to lower the barrier to their data, not to protect it.
[ link to this | view in chronology ]
Screw fiduciary duties
"Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."
... and that needs to change, globally. e.g.
Health of the planet, life on the planet and the systems that support life are WAY more important than how much Exxon is giving to shareholders.
Poisoning life (pharma/agriculture) and using the 'cost of doing business' on the insurance report to pay for harm that should not have and possibly would not have happened if not for 'fiduciary duties". i.e. (cheaper to pay after the harm then tests to prevent harm).
[ link to this | view in chronology ]
Re: Screw fiduciary duties
It doesn't actually have to change at all... they just have to ensure that proper time scales are taken into consideration: vis, fiduciary duties to stockholders aren't for the next quarter, they're for the next quarter century. The company going bankrupt in the long term to maximize quarterly profits is NOT upholding their fiduciary duties to stockholders.
[ link to this | view in chronology ]
Re: Re: Screw fiduciary duties
"fiduciary duties to stockholders aren't for the next quarter, they're for the next quarter century. "
The MicroSpan CEO said the same thing at a presidential fundraiser in "In The Line Of Fire."
[ link to this | view in chronology ]
'Someone fetch me the world's tiniest violin!'
"A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and her fellow Columbia Law professor David Pozen wrote in March. "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."
Oh darn, they'd have to give users a higher priority than profits, truly such a terrible burden and one deserving of great sympathy.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Good
http://manjood.com
[ link to this | view in chronology ]