Every new privacy law is a battle over data. While the fight is still going on around privacy laws like Europe’s GDPR and California’s CCPA, New York State is set to become the next theater of war as legislators are poised to pass one of the strongest privacy laws in the United States.
The fight in New York state’s capital city of Albany is taking place with a backdrop of a much larger and significant – but ultimately much slower moving – struggle over federal privacy legislation that will govern the entire country. While Washington D.C. stalls out over partisan struggles and the 2020 presidential campaign, states are where the immediate action is taking place.
New York State senator Kevin Thomas introduced the New York Privacy Act last month and expects it to be voted on and passed this summer, according to a report in Wired.
“If this passes it will be one of the strictest laws in the country,” cybersecurity lawyer Kenneth Rashbaum told CyberScoop when the bill was introduced.
The New York law could have international reach (a tactic taken from Europe’s GDPR) because it applies to any business that holders sensitive data of New York residents. Give the size and scope of New York City, that means the legislation can apply to virtually every internet company of consequence.
Wired’s Issie Laposky has expertly outlined how New York’s bill departs from California’s law: New Yorkers would have the right to sue companies that violate privacy, all companies will be subject to the law no matter the size, and businesses would be deemed “data fiduciaries” and therefore barred from using consumer data in a way that harms users but benefits the company.
California’s law – and its chief law enforcement officer, the state’s attorney general – did want Californians to be able to directly sue companies but the law has been greatly amended since it was passed last year. The private right of action was killed last month in Sacramento over the objections of California Attorney General Xavier Bacerra who said his office cannot exclusively handle all of the privacy violations that will occur.
“He who has data is essentially in possession of wealth and she who controls and manipulates that data has not just wealth but the power as well,” Bacerra told Gizmodo. “So, in this new world, we have to make sure that privacy has a place. You should be able to control and own your data. You should have a choice about how to use it. You should have a right to know how it’s being used. You should have a right to delete information that you don’t want to be sold. You should have a right to opt out of any sale of your personal data. We should make sure that there’s a right to equal service so that people aren’t being discriminated against based on how much wealth they have.”
There are two deeply connected fronts to the ongoing privacy fight. In addition to what’s happening in capitals around the world, tech companies themselves are picking sides and pitching customers and voters. Apple’s annual WWDC event positions them as a privacy champion over their less scrupulous Silicon Valley competitors. It’s true that Apple does offer greater privacy protections than any of its major rivals but significant privacy problems remain.
Looming over all are the emerging and ongoing antitrust investigations of tech giants in both the United States and Europe that could impact everything these companies do. We’re nearing a pivot point in the history of big tech. What exactly that means for privacy remains to be seen – and won’t be known definitively for years to come.