A Bridge Too Far?

Okay, gonna do some local humor. What bridges are these?

TappanZeeBridgeFromBelow.JPG

The first one is the Verrazzano-Narrows Bridge between Brooklyn and Staten Island. The second one is the Tappan Zee Bridge between Tarrytown (NY) and Nyack. Neither of these are a bridge too far and both of which I have traveled over many times.

But New York is following in the footsteps of California and State Sen. Leroy Comrie has introduced the “It’s Your Data Act” (SB 9073). Who knows if it will pass but it sounds a lot like CCPA/CCRA/GDPR.

In particular it:

  1. Amends New York’s civil rights law to create a new “right of privacy”. That is something Facebook would be thrilled about.
  2. It also would amend the state’s general business law to add features similar to these other privacy laws.
  3. Like CCPA, it would affect businesses with more than $50 million in revenue -OR- who buy/sell/disclose information on more than 50,000 consumers, households or devices -OR- who derives more than 50% of the company’s revenue from selling your data.

It requires businesses to disclose:

  1. Your rights as a consumer
  2. Categories of sources from which information was collected
  3. Categories of third parties with whom your data is shared
  4. Length of time information is retained
  5. And several more rights

The retention disclosure requirement is new to New York and does not exist in CCPA or CCRA.

Among consumers new rights are:

  1. Right to deletion
  2. Access to retained personal information
  3. Access to disclosure of personal information to third parties
  4. Consent to additional collection or sharing of personal information
  5. Right to not be discriminated against for exercising these rights

Unlike California’s law, it requires reasonable security practices and procedures to protect that information (reasonable to a jury, that is).

Lastly, unlike CCPA, which only allows for a private right to sue a business in case of a breach, the IYDA proposes that same $750 damages (or more if actual damages are more) per consumer, per violation FOR ANY VIOLATION OF THE LAW BY A BUSINESS. That could change the equation of whether it is cheaper to be breached than be secure.

Of course, bills come and go and change a lot, so do not assume that this is what it will look like IF and WHEN it comes out the other end.

Businesses need to rethink the relationship they have towards security and privacy practices because even if this bill does not become law, others like it will. There was another bill introduced in New York earlier this year that proposed that companies that collect your data would have a fiduciary responsibility around using and protecting that data.

In light of that bill, is the IYDA a bridge too far? Seems pretty tame by comparison. Credit: JDSupra and Hinshaw Law Firm

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code