New York State's Privacy Law Would Be Among The Toughest In The US

from the this-will-get-messy dept

A few years ago, you might (or might not) recall that telecom lobbyists convinced Congress to kill some fairly modest FCC privacy rules before they could even take effect. The rules would have required that broadband providers transparently disclose what consumer data is being collected and sold, and to which companies. It also required that consumers opt in to the sharing of more sensitive financial or location data. Those rules, had they survived, would have gone a long way in protecting consumers from the endless location data scandals that have plagued the industry in the two years' since.

In the wake of obvious federal apathy to crafting meaningful privacy rules for the location data and social media age, numerous states have begun crafting their own privacy rules... with mixed results. California's privacy proposal, for example, is well intentioned but has been criticized for being a bit rushed and overcooked. ISPs have been quick to breathlessly complain about the rise of such state efforts, ignoring that they likely wouldn't be happening if they hadn't lobbied to crush the FCC's privacy rules.

This week New York State joined the fun, and has been pushing for a new law (S5642) that experts say is significantly tougher than California's proposal:

The New York bill, as it’s currently written, departs from the California model in significant ways. While the California law leaves enforcement to the state’s attorney general, the New York Privacy Act would give New Yorkers the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits. Industry groups vehemently opposed a similar provision—also known as a private right of action—in California, and they succeeded in driving it out of the bill when it was finally signed into law last year. And while California’s law applies only to businesses that make more than $25 million annual gross revenue, the New York bill would apply to companies of any size.

Privacy wonks say there are several problems with the bill as written, including the continued insistence on so-called "right to be forgotten" restrictions, which we've noted usually come with a high potential for abuse by malicious third parties. Another contentious issue is the bill's decision to classify companies as “data fiduciaries,” barring them from using data in a way that benefits their companies but harms the end user:

The concept, alternately known as an "information fiduciary," was coined by Yale Law School professor Jack Balkin, who has been promoting the idea since 2014 as one solution to data privacy issues. "To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law—one that clearly states the kinds of duties that online firms owe their end users and customers," Balkin and his coauthor, Harvard professor Jonathan Zittrain, wrote in The Atlantic. "The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from."

The idea has critics in and outside of industry, including Lina Khan, one of the leading modern voices on antitrust reform. She's been arguing for a while that the requirement conflicts with existing laws, like in Delaware, which require that companies maximize returns for shareholders:

"A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and her fellow Columbia Law professor David Pozen wrote in March. "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."

Clearly, crafting a useful state or federal privacy law is going to be a steep uphill climb. In part because of well-intentioned errors and overreach on the part of the states or Congress, but also because you'd be hard pressed to find a meaningful privacy proposal that industry actually agrees with. Even the best crafted privacy law would inform, educate, and empower consumers to opt out of data collection and monetization. Given that would cost countless companies billions of dollars, they're going to fight tooth and nail against pretty much any proposal with teeth, regardless of proclaimed public support.

That puts consumers in a precarious position. Numerous industries are now pushing for federal privacy laws that sound good on the surface, but are largely filled with loopholes and designed to do just one thing: preempt tougher state and federal laws. And with a long line of sectors all lobbying in unison (telecom, Silicon Valley, marketing, advertising, healthcare) against any meaningful law whatsoever, getting anything of substance passed on either the federal or state level is going to prove problematic (part of the reason the FCC acted unilaterally on privacy and net neutrality in the first place).

As a result, it's likely we're going to just keep seeing a percussive array of massive privacy scandals until a consensus and solution is forged by necessity and outrage. But it remains entirely unclear when that's actually going to happen in a Congress flooded with industry campaign contributions. It's a wide open question just how stupid our repeated privacy scandals are going to get before the United States figures out that having absolutely no real privacy rules of the road isn't likely to work.

Filed Under: information fiduciaries, new york, privacy, privacy laws


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Mason Wheeler (profile), 6 Jun 2019 @ 11:05am

    Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes.

    I'm no expert in corporate law, but I would imagine that this is not a legitimate contradiction. There has to be some law (or case law, or probably both) that clarifies that it's not a breach of fiduciary duty to refuse to take some action that, while profitable, would also be illegal... right? That's just common sense; otherwise we would see shareholders suing companies to force them to violate the law in the name of maximizing profit.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Jun 2019 @ 12:29pm

      Re:

      Employment law firms have had similar conflicts with regard to their duty to client and anti-discrimination laws, e.g., where they decide that a female or minority attorney gives them the best chance to win, but deploying on runs afoul of Title VII. I think the client's interest prevails there but I doubt breaking the law would prevail here.

      reply to this | link to this | view in chronology ]

    • identicon
      Annonymouse, 6 Jun 2019 @ 1:13pm

      Re:

      Ah common sense.
      Unfortunately that is not the same as good sense or a sense of morality.
      Both of those are tossed off the table and burned when it comes to profits.

      Shareholders can and do "encourage" the violation of laws and regulations in the name of the maximization of profits.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Jun 2019 @ 1:27pm

      Re:

      Actually, the laws wouldn't contradict at all. Fiduciary duties are a backstop: Under Delaware law, corporations have a duty to maximize profit to their shareholders. That doesn't mean maximize short term profits at the cost of long-term lawsuits. It means that corporations have to take their fiduciary duties to New York customers into consideration on how to best maximize profits for their shareholders -- ignore them, and the corporation violates their duties in BOTH states; uphold them, and if taken to court in Delaware, the company can point out that while it might not be making as much short term profit as it could by behaving illegally, it is maximizing the profit within the confines of the law.

      reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 7 Jun 2019 @ 1:28am

      Re:

      Yeah, I'm not seeing any conflict there either, as while it may not be spelled out explicitly(if for no other reason than it shouldn't have to be), I imagine 'maximize profits' is generally understood to to be followed with an unsaid '... without breaking the law in the process'.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jun 2019 @ 12:58pm

    Opt out? You have it backwards...

    Even the best crafted privacy law would inform, educate, and empower consumers to opt out of data collection and monetization.

    I think the best crafted privacy law would protect the public by default. It should take a positive action by consumers to lower the barrier to their data, not to protect it.

    reply to this | link to this | view in chronology ]

  • identicon
    GetOverIt, 6 Jun 2019 @ 1:03pm

    Screw fiduciary duties

    "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."

    ... and that needs to change, globally. e.g.
    Health of the planet, life on the planet and the systems that support life are WAY more important than how much Exxon is giving to shareholders.

    Poisoning life (pharma/agriculture) and using the 'cost of doing business' on the insurance report to pay for harm that should not have and possibly would not have happened if not for 'fiduciary duties". i.e. (cheaper to pay after the harm then tests to prevent harm).

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Jun 2019 @ 1:30pm

      Re: Screw fiduciary duties

      It doesn't actually have to change at all... they just have to ensure that proper time scales are taken into consideration: vis, fiduciary duties to stockholders aren't for the next quarter, they're for the next quarter century. The company going bankrupt in the long term to maximize quarterly profits is NOT upholding their fiduciary duties to stockholders.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Jun 2019 @ 4:45am

        Re: Re: Screw fiduciary duties

        "fiduciary duties to stockholders aren't for the next quarter, they're for the next quarter century. "

        The MicroSpan CEO said the same thing at a presidential fundraiser in "In The Line Of Fire."

        reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 6 Jun 2019 @ 4:26pm

    'Someone fetch me the world's tiniest violin!'

    "A fiduciary with deeply divided loyalties teeters on the edge of contradiction," Khan and her fellow Columbia Law professor David Pozen wrote in March. "Insofar as the interests of stockholders and users diverge, the officers and directors of these companies may be put in the untenable position of having to violate their fiduciary duties (to stockholders) under Delaware law in order to fulfill their fiduciary duties (to end users) under the new body of law that Balkin proposes."

    Oh darn, they'd have to give users a higher priority than profits, truly such a terrible burden and one deserving of great sympathy.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Jun 2019 @ 2:18am

    breathlessly
    STOP

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.