Following the implementation of groundbreaking data privacy restrictions in the European Union and California, New York is one of a handful of states that’s now taking on the fight to protect consumer data. As part of his executive budget proposal earlier this year, Gov. Andrew Cuomo introduced the New York Data Accountability and Transparency Act – a law that will limit the ability of internet companies to collect, sell and share consumer data.
The proposal, which also includes the creation of a “Consumer Data Privacy Bill of Rights,” is just the latest example of states addressing the goal of protecting users’ personal information, as our understanding of just how much of our data is collected and shared – often for profit – by large tech companies expands. “Personal information” is an overarching term; it might refer to your demographic data, location data or even your online purchasing history. In practice, the sharing, selling or leveraging of personal information can cross into discrimination or civil rights abuses, as companies have been accused of targeting job openings or housing listings based on race and gender.
Cuomo isn’t the only one intent on tackling the way companies monetize consumer data. On Monday, state Sen. Liz Krueger announced a new bill that would impose a tax on companies collecting and profiting off of user data. “Every time New Yorkers visit social media sites or shop online, their data is being harvested for profit, often without their having any idea it’s happening. Big companies are making a fortune from New Yorkers’ data – it’s time for New Yorkers to get a little something in return,” Krueger told News10.
The appearance of this proposal in the budget suggests that the Cuomo administration is interested in curbing the practice by large internet companies of profiting off of their users’ personal information, but the devil is in the details. Some of the privacy and consumer organizations who have long been advocating for this kind of interest from government in regulating the use of personal data are raising concerns about Cuomo’s proposal. In a letter sent to the Cuomo administration earlier this month, organizations including the New York Civil Liberties Union, the National Action Network and the Immigrant Defense Project urged that the act be removed from the budget. “This is a bill that looks like we're doing something about privacy if you don't read the details,” said Allie Bohm, policy counsel at the NYCLU. “If you start reading the details, you realize there are so many loopholes that it's not actually clear to me that it protects consumer privacy at all.”
From what’s included in Cuomo’s proposal to details on the backlash it’s already facing, here’s what you need to know about the New York Data Accountability and Transparency Act.
What would the New York Data Accountability and Transparency Act do?
The New York Data Accountability and Transparency Act – known also by the helpful acronym NYDATA – would crack down on what personal information companies collect on New Yorkers, and how that data can be sold or shared. The bill would require that any company processing the personal information of 100,000 New Yorkers or more – or companies that derive more than 50% of their revenue from the collection, sharing and processing of personal information – disclose to consumers what purpose that data will be used for. It also limits companies to then using that data only for the stated purposes. Under the proposal, consumers would also be able to request copies of their personal information that’s been collected in the last 12 months, and in some cases, request that that information be returned or destroyed.
As part of the proposed Consumer Data Privacy Bill of Rights, consumers would also have the right to “opt-out” of the sale or sharing of their personal data, meaning that consumers could demand that companies not share their information with third parties. There’s some language in the proposal requiring that companies make it easy to opt-out. They’d be required to provide “clear and conspicuous” links on their sites titled “Do Not Sell or Share My Personal Information” and “Limit the Use and Collection of My Personal Information.”
“New Yorkers appreciate the value and convenience that technology has afforded their lives, but progress does not need to come at the expense of basic privacy,” Cuomo said in a statement when announcing the act last month. “In a world where we are reliant on technology to work, learn, and even see our family, New Yorkers deserve transparency and accountability from the companies who collect and use their information. New York will act to pass a strong privacy law that safeguards New Yorker's personal information and continues to encourage innovation.”
What do privacy and consumer advocacy groups say about the proposal?
In a letter sent to the Cuomo administration earlier this month, a little over a dozen civil liberties, privacy and consumer advocacy groups raised concerns about the New York Data Accountability and Transparency Act. Included in those concerns are arguments that the proposal defines “consumer” too narrowly, lacks an adequate enforcement mechanism and targets the sharing and selling of personal information, but not the practice of companies who may not share or sell their users’ information, but who leverage it to sell ads.
Bohm, the policy counsel at the NYCLU, provided one example of this. “An advertiser approaches a Facebook or an Amazon with ‘Here's the audience I want to reach. I want to reach women who live in the suburbs, who have 2.5 kids and drive blue minivans.’ And Facebook says, ‘Okay, I can find that audience,’” Bohm said. But instead of sharing the information on 300 people who met that criteria, Facebook goes back to the advertiser and says that their ad was shared 300 times. While no personal information changes hands, the practice still involves the monetization of user data.
The groups who sent the letter – including the Surveillance Technology Oversight Project and the Electronic Frontier Foundation – also took issue with the opt-out portion of the proposal, saying that as written, the act allows companies to evade the requirement limiting their use of consumers’ personal information, simply by offering users the opt-out option. More generally, Bohm said an opt-out system for consenting to data sharing – as opposed to an opt-in system – may make it more likely that people won’t exercise that right to opt out, and may negatively impact people with less digital literacy. “There will always be more information processed under an opt-out regime than under an opt-in regime,” she said.
Similar concerns about opt-out systems have been raised by consumer advocacy groups with other states’ attempts to pass privacy legislation, including in Virginia, where a consumer data protection bill is poised to pass soon.
A spokesperson for Cuomo did not respond to the specific concerns raised in the letter, but a state Department of Budget spokesperson said that the proposal leaves open the possibility for regulations to be refined in the future. “New York State's proposal, in conjunction with California's similar recent actions, will result in market-changing digital privacy protections that will drive reform nationwide,” DOB spokesperson Freeman Klopott wrote in an email. “Given the complexity of the issue and its constant evolution, the proposal in the Executive Budget empowers regulators to develop and implement rules that will maximize these protections.”
Privacy advocates and tech watch dogs aren’t the only ones who aren’t quite sold on the proposal yet. The tech industry will likely look for refinements in the budget proposal. One area they might target is ensuring that smaller tech companies aren’t burdened by the regulations. “We value consumer privacy and our members do as well,” said Ryan Naples, policy director and deputy director at the industry group Tech:NYC. “This is why we're working with the governor's office and other stakeholders toward a framework that ensures smaller tech companies and others are able to comply with a privacy law in a way that isn’t so expensive that it threatens their viability.”
Doesn’t New York already have data privacy laws?
This isn’t New York’s first crack at protecting consumer data. In 2019, New York passed the SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which requires businesses to implement “reasonable” technical, administrative and physical security measures to protect individuals’ sensitive information, such as biometric data. That law amends a data breach notification law that has been on the books since 2005.
Some data privacy proposals are still waiting for their moment in the sun. State Sen. Kevin Thomas has introduced the New York Privacy Act, a bill which has failed to gain momentum the last few years, but which most notably would have introduced a concept known as a “data fiduciary.” Under the idea, companies would be legally obligated to protect users’ personal information and be barred from exploiting it at the expense of its users.
Thomas said he was encouraged to see Cuomo tackle data privacy in the budget, but said he still favors his own approach. “The inclusion of data privacy in the executive budget is hopefully a turning point,” Thomas wrote in an email. “This has been a priority issue of mine since taking office two years ago. It's great to see that the Governor is now focusing on it as well but my plan is stronger and more comprehensive.” Thomas said that he plans to introduce a new, updated version of the New York Privacy Act in the next few weeks.
Cuomo’s proposal still has a ways to go before gaining approval from consumer advocacy groups – and from the tech industry. New York isn’t the only state with a renewed interest in taking on data privacy legislation, but Bohm said that despite the urgency of the issue, it’s not legislation that should be rushed. “This is too important to get wrong,” she said.
NEXT STORY: The backlash to the Cuomo backlash has begun