New York State

State Legislature should act to protect New Yorkers’ data privacy

New Yorkers currently have no effective control over who has their personal information after it is originally shared, so the state should pass comprehensive privacy legislation, writes Andrea Flink of Fordham Law School’s Center on Law and Information Policy.

data privacy Brian A Jackson/Shutterstock

The recent data-sharing scandals at Facebook, Cambridge Analytica and other technology companies appear to have finally pierced the consciousness of New Yorkers, sparking basic questions such as, “Do I own my most sensitive information? My face? My voice? Can I control my online history?” Sadly, for the most part, the answer is no, and until the state Legislature acts to adequately protect our privacy, the answer will stay that way.

Though New York should be a leader in protecting the privacy of its residents and their personal information, New Yorkers currently have no effective control over who has their personal information after it is originally shared and how their information is used, putting them at risk of exploitation by companies seeking to profit from their data.

Few realize that when the Federal Communications Commission gutted net neutrality rules last year it simultaneously effectively relinquished its legal authority over the internet by declaring broadband no longer a common carrier subject to FCC jurisdiction. As a result, regulation of the internet has fallen by default to the Federal Trade Commission, but only for unfair and deceptive trade practices. Unlike the FCC, the FTC lacks rule-making authority and can only issue “guidance” for how companies should operate and bring occasional enforcement actions against flagrant violators. Even Facebook’s numerous recent privacy scandals, beginning last March with the Cambridge Analytica data harvesting debacle, have so far been met with a mere threat of fines for violating a years-old consent decree. While the FTC has recently shown it may be willing to take a more active role in issuing guidance and is currently considering data privacy issues in a comprehensive process for the first time since 2012, companies currently need only avoid unfair and deceptive practices to not run afoul of FTC guidance. In other words, companies can do almost anything with your data as long as they avoid blatantly negligent privacy and data security practices, and accurately disclose their data practices, even if buried in lengthy and unintelligible privacy policies that no one reads.

Other than data breach notification laws in effect in all states, Americans do not have adequate federal and state laws protecting the privacy and integrity of the vast majority of information we need to post to participate in the increasingly vital online world. At the federal level, data privacy protection is limited, out-of-date and ineffective for the complex online environment. Aside from a handful of sector-specific privacy rules governing areas like medical (but not fitness) and financial information, the United States has no federal laws that comprehensively protect the use or integrity of personal information. In Europe, which regards privacy as a fundamental human right, the European Union recently passed the General Data Protection Regulation protecting the personal information of all EU residents.

With this lack of federal oversight, states are beginning to step up. Last year, California passed the California Consumer Privacy Act, which will give consumers more control over and insight into the data companies collect about them, including letting them edit or delete their data as well as prohibit companies from selling it. Legislators in Washington state, Massachusetts, Maryland, Hawaii and several other states have recently proposed broad privacy legislation.

In New York, state Sen. Brad Hoylman recently introduced a consumer privacy act, which is a good start, and Hoylman is to be commended, but the bill is limited in scope and falls far short of the comprehensive privacy legislation that New Yorkers need and deserve. The proposal would enable New Yorkers to access the information companies have on them, the categories of information shared with third parties, and the names and contact information of those third parties.

But comprehensive privacy legislation should ensure that New Yorkers have the right to prevent companies from selling their personal information in the first place. It should ensure that New Yorkers have the right to know not only who has their information, but who it can be transferred to, and to know the purpose for which any information collected about them is used. New Yorkers should have the right to correct errors in online information about them, and they should be able to delete information they no longer want to remain with a company. New Yorkers should not face discrimination in the form of higher prices or denial of services if they choose not to share or permit selling of their personal information. In addition, privacy legislation should regulate the collection and use of New Yorkers’ biometric identifiers, such as their face scans, voice prints and retina scans.

As scandals relating to corporate exploitation of our personal information continue to mount and New Yorkers steadily lose confidence in the online environment, businesses and online commerce may suffer. New Yorkers deserve control over who has their personal information and how it is used, as well as recourse to retrieve, correct and otherwise protect their personal information, so that they can confidently participate in the online world. There’s no reason that New Yorkers can’t have the protections that Californians and residents of other states will soon enjoy.