A680 titled the New York Privacy Act has been introduced into the New York State Assembly. The bill is sponsored by Assemblywoman Rosenthal (D-District 67). 

The proposed bill seeks to enact the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. Furthermore the proposed bill creates a special account to fund a new office of privacy and data protection.  

While the bill has echoes of Europe’s General Data Protection Regulation consent requirements, this bill takes a hard line approach on the subject which requires consent for all   processing activities and third-party disclosures, with no exceptions, the proposed bill as currently written raises significant concerns with how businesses would realistically be able to comply with the proposal’s requirements. 

Penalties are very strong under this proposal as seen below:

The attorney general may bring an action in the name of the state,or as parens patriae on behalf of persons  residing  in  the  state,  to enforce this article.

In addition to any right of action granted to any governmental body pursuant to this section, any person who has been injured by reason of a violation  of this article may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her  actual  damages,  or both  such  actions. The court may award reasonable attorney's fees to a prevailing plaintiff.

Any controller or processor who violates this article is subject to an injunction and liable for damages and a civil penalty. When calculating damages and civil penalties, the court shall consider the number  of affected  individuals,  the  severity of the violation, and the size and revenues of the covered entity. Each individual  whose  information  was unlawfully  processed  counts as a separate violation. Each provision of this article that was violated counts as a separate violation.

Privacy is a hotly trending topic that is showing now signs of slowing down. Bills like this one will require significant work as it makes its way through the legislature in order for New York to achieve consumer protection while enacting a workable law that businesses will be able to comply with. 

We at Lanton Law can help. Our legal and lobbying tools can help offer your organization a clear path forward to navigate what will be changing policies for healthcare, technology and clean energy stakeholders. We are a D.C. based firm with no state boundaries as we are active nationwide. Contact us today to discuss your options.  

Lanton Law’s privacy practice has been closely monitoring the various state conversations around data privacy. We previously wrote a blog post titled California’s Consumer Privacy Act Could Be Coming to a State Near You, where we traced how California took the first step to create a consumer privacy law in the wake of Europe’s General Data Protection Regulation.    

So what’s going on with Virginia? Earlier this month the Virginia Senate passed 

 Senate Bill 1392, titled the Consumer Data Protection Act. The Virginia House of Delegates approved a companion (identical) House Bill H.B. 2307 by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. The state General Assembly will adjourn on March 1, it is expected that Governor Northam will sign the legislation. 

What does the bill do? The proposed legislation seeks the following:

“Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort. The bill has a delayed effective date of January 1, 2023.”

As with major policy issues that have yet to have a federal solution, states like California, Virginia and others are creating piecemeal policies, which will create compliance issues for entities that operate in several jurisdictions. New York, Oklahoma, Washington State, Minnesota, and North Dakota are jurisdictions that we continue to monitor with brewing policies on point.  

As we become more reliant on technology which crosses several sectors now, businesses are finding that they have to increase their awareness of state and federal policy in order to remain compliant. We at Lanton Law can help. Our legal and lobbying tools can help offer your organization a clear path forward to navigate what will be changing policies for healthcare, technology and clean energy stakeholders. We are a D.C. based firm with no state boundaries as we are active nationwide. Contact us today to discuss your options. 

Oftentimes policy changes that sweep across the nation originate in policy “hot spots” like Massachusetts, California, New York, etc. This time its consumer privacy. As we rely more and more on the internet of things, artificial intelligence and fitness applications, we are unfortunately becoming more exposed to potential data breaches. If you operate in California, the California Consumer Privacy Act (CCPA) will be a defining factor in how you manage risks around consumer data. Approximately 500,000 businesses across all business sectors will have to comply with CCPA once the act goes into effect on January 1, 2020. 

So what is the CCPA? Passed in 2018 as AB 375, the Act models itself on Europe’s General Data Protection Regulation that went into effect recently. The bill awards California residents with the right to be informed on how companies collect and use their data. The law also allows their personal data to be deleted. CCPA creates a sliding scale approach by applying to California businesses who generate an annual gross revenue of $25 million with half of their annual revenue deriving from selling consumer information, or by companies that buy, sell or share personal information from at least 50,000 consumers, households or devices. 

Recently, the California legislature passed five bills seeking to amend CCPA in which Governor Gavin Newsom (D-CA) has until October 13, 2019 to sign or veto the legislation. Additionally, the state attorney general is expected to release draft regulations by the end of the year. Interestingly, an economic impact assessment prepared by a third party for the California Attorney General’s office stated that the new law could cost companies a total of up to $55 billion in initial compliance costs. 

So what is this important? Our society’s reliance on connectivity is not slowing down. The very companies that many of us interact with on a daily basis such as Amazon, Twitter and Facebook find themselves at the center of how they will comply with CCPA. But while this can be explained away as something that impacts only California, I have seen this type of legislation starting to spread to a cluster of other states. 

If you traffic in data, it will be a good idea to take inventory of your operational risks and whether your company will be able to comply if a similar law is enacted in your state. If you need assistance with regulatory compliance or are interested in finding out how your company can best engage with policymakers on this issue, don’t hesitate to reach out to us at either Lanton Strategies or Lanton Law.