Without a federal privacy law in place, individual states are starting to examine privacy legislation on their own. California already has the California Consumer Privacy Act (CCPA). It appears the next state will be New York.
NY Senate Bill 224 is privacy legislation that’s even tougher than California’s bill. Though the NY Privacy Act (NYPA) is still looking for a state assembly sponsor, legislators are looking for the bill to pass by the end of summer. The NYPA largely resembles the CCPA and the European General Data Protection Regulation (GDPR) and empowers everyday citizens with knowledge of their personal data, who collects it and why, the right to dispute and correct or delete erroneous data, and to refuse third-party distribution of their data. Companies would have only 30 days to respond to general information requests. Customers would also be entitles to a 12-month “look back period.”
A few differences in the proposed NYPA include the right for New Yorkers to bypass waiting for Attorney General action on their behalf and sue companies directly. Nicole Lindsey of CPO Magazine points out that “a tech giant like Facebook or Google might face tens of thousands of lawsuits, if not more, simply from New Yorkers in Manhattan who feel that their privacy rights may have been violated.” The NYPA also has no minimum size for companies covered by the new legislation. Lastly, the NYPA also calls for all businesses to act as “data fiduciaries” similar to doctors and attorneys. Big tech companies like Google and Facebook who run a very lucrative business trading personal data might find it extremely difficult to function under such strict guidelines.
Leaving the state to develop their own privacy policies opens a minefield of potential complications for commerce, with companies having to go above and beyond to ensure compliance at different levels for every state where they operate. The complexity of remaining in compliance would be particularly daunting for nationwide businesses.