New York State's Privacy Law Would Be Among The Toughest In The US
from the this-will-get-messy dept
A few years ago, you might (or might not) recall that telecom lobbyists convinced Congress to kill some fairly modest FCC privacy rules before they could even take effect. The rules would have required that broadband providers transparently disclose what consumer data is being collected and sold, and to which companies. It also required that consumers opt in to the sharing of more sensitive financial or location data. Those rules, had they survived, would have gone a long way in protecting consumers from the endless location data scandals that have plagued the industry in the two years' since.
In the wake of obvious federal apathy to crafting meaningful privacy rules for the location data and social media age, numerous states have begun crafting their own privacy rules... with mixed results. California's privacy proposal, for example, is well intentioned but has been criticized for being a bit rushed and overcooked. ISPs have been quick to breathlessly complain about the rise of such state efforts, ignoring that they likely wouldn't be happening if they hadn't lobbied to crush the FCC's privacy rules.
This week New York State joined the fun, and has been pushing for a new law (S5642) that experts say is significantly tougher than California's proposal:
The New York bill, as it’s currently written, departs from the California model in significant ways. While the California law leaves enforcement to the state’s attorney general, the New York Privacy Act would give New Yorkers the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits. Industry groups vehemently opposed a similar provision—also known as a private right of action—in California, and they succeeded in driving it out of the bill when it was finally signed into law last year. And while California’s law applies only to businesses that make more than $25 million annual gross revenue, the New York bill would apply to companies of any size.
Privacy wonks say there are several problems with the bill as written, including the continued insistence on so-called "right to be forgotten" restrictions, which we've noted usually come with a high potential for abuse by malicious third parties. Another contentious issue is the bill's decision to classify companies as “data fiduciaries,” barring them from using data in a way that benefits their companies but harms the end user:
The concept, alternately known as an "information fiduciary," was coined by Yale Law School professor Jack Balkin, who has been promoting the idea since 2014 as one solution to data privacy issues. "To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law—one that clearly states the kinds of duties that online firms owe their end users and customers," Balkin and his coauthor, Harvard professor Jonathan Zittrain, wrote in The Atlantic. "The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from."
The idea has critics in and outside of industry, including Lina Khan, one of the leading modern voices on antitrust reform. She's been arguing for a while that the requirement conflicts with existing laws, like in Delaware, which require that companies maximize returns for shareholders:
"A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and her fellow Columbia Law professor David Pozen wrote in March. "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."
Clearly, crafting a useful state or federal privacy law is going to be a steep uphill climb. In part because of well-intentioned errors and overreach on the part of the states or Congress, but also because you'd be hard pressed to find a meaningful privacy proposal that industry actually agrees with. Even the best crafted privacy law would inform, educate, and empower consumers to opt out of data collection and monetization. Given that would cost countless companies billions of dollars, they're going to fight tooth and nail against pretty much any proposal with teeth, regardless of proclaimed public support.
That puts consumers in a precarious position. Numerous industries are now pushing for federal privacy laws that sound good on the surface, but are largely filled with loopholes and designed to do just one thing: preempt tougher state and federal laws. And with a long line of sectors all lobbying in unison (telecom, Silicon Valley, marketing, advertising, healthcare) against any meaningful law whatsoever, getting anything of substance passed on either the federal or state level is going to prove problematic (part of the reason the FCC acted unilaterally on privacy and net neutrality in the first place).
As a result, it's likely we're going to just keep seeing a percussive array of massive privacy scandals until a consensus and solution is forged by necessity and outrage. But it remains entirely unclear when that's actually going to happen in a Congress flooded with industry campaign contributions. It's a wide open question just how stupid our repeated privacy scandals are going to get before the United States figures out that having absolutely no real privacy rules of the road isn't likely to work.
Filed Under: information fiduciaries, new york, privacy, privacy laws
