The Proposed New York Privacy Law: A Closer Look


Lawmakers in the Empire State are poised to approve a sweeping data privacy law that rivals the strongest ones in the world.

New York already has several such laws on the books, most notably the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act).

The most recent version of this law requires companies to proactively protect their customers’ data privacy. Governor Cuomo plans for the New York Privacy Act to be part of a data privacy Bill of Rights, which would include the proposed Biometric Security Act.

Similar laws which are already on the books include California’s Consumer Privacy Act and the European Union’s General Data Protection Regulation.

Fiduciary Duty

Currently, only doctors, lawyers, accountants, and other professionals have a fiduciary duty toward their clients or patients. The expanded New York Privacy Law would add businesses that hold electronic information about customers to this list.

A fiduciary duty is the highest duty of care in New York. Therefore, it’s easier for a New York privacy attorney to establish a lack of care in court.

Occasionally, a fiduciary duty applies. Bank account information is a good example. But the New York Privacy Law imposes this responsibility on all information.

Assume XYZ’s employee manual prohibits workers from using thumb drives or other portable storage devices. But XYZ’s managers do not enforce this policy.

If a worker leaves a portable drive in her computer while she goes to the bathroom, the worker was probably negligent. And the company is responsible for her negligence, because it failed to properly supervise her.

Most data breaches resemble this example. Workers unintentionally expose information to privacy thieves.

Since most states only impose a duty of reasonable care in these situations, such events might or might not be negligent, especially if the worker knew the risk s/he was taking.

In practical terms, a fiduciary duty means that the company must set aside all other priorities and only do what is best for its customers. During retail and other transactions, making money is usually a company’s top priority.

A fiduciary duty forces these firms to change the way they do business.

The high duty of care in these cases sets the tone for some other key provisions of the New York Privacy Act.

Opt-In Provision

When it comes to data privacy, most companies have opt-out provisions, such as “click here to unsubscribe from our email list.”

But the proposed New York Privacy Law requires opt-in provisions. Users must affirmatively agree to the distribution of their email addresses or other information.

That’s not the same thing as a “Terms of Use” agreement. Such provisions are not voluntary.

The user must agree to the terms of use in order to use the site. Furthermore, these agreements are take-it-or-leave-it contracts of adhesion. The users have absolutely no bargaining power.

Individual users also have limited bargaining power regarding opt-in provisions.

Just like collective bargaining helps union workers earn higher wages, collective action helps users affect company policy in this area. A New York privacy attorney can explain this option to you in detail.

Private Right of Action

This feature of the New York Privacy Act is almost as important as the fiduciary duty clause.

Normally, only the state has the power to sue companies that unlawfully expose customer or client information. But if this law passes, New York customers may individually take such action.

Collective action, which was outlined above, is even more effective in this area.

Typically, these actions begin with a demand letter. Usually, companies that expose personal data know they are in the wrong.

That’s especially true if they had a fiduciary duty to protect this information. So, many claims settle before the plaintiff even files legal paperwork.

However, some cases are more complex.

So, to put pressure on the company and also to preserve your legal rights, an attorney must file legal paperwork in court. At this juncture, most companies file procedural motions and try to defeat the claim on a technicality. If there is any evidence whatsoever to support the claim, these motions usually fail.

Most claims settle during mediation.

A neutral third party, who is usually an unaffiliated privacy lawyer, tries to facilitate a settlement between the two sides. If both parties negotiate in good faith, which basically means they are willing to make compromises if that means reaching an agreement, mediation is usually successful.

The proposed New York Privacy Law would greatly benefit customers like you.

For a free consultation with an experienced New York data privacy attorney, contact Napoli Shkolnik PLLC. We have offices nationwide.