Last month, New York’s legislature reintroduced the New York Privacy Act, Assembly Bill A680, which shares many features with the California Privacy Rights Act, including consumer rights and transparency. The proposal provides for a broad definition of “personal data,” including unique identifiers, biometric data, browsing history, and geolocation data. Perhaps the most interesting provision, however, is the New York proposal’s transition from the traditional “notice and choice” approach to data privacy to the imposition of fiduciary duties on every company that “collects, sells or licenses personal information of consumers.” This is an important departure that may signify a sea change in U.S. privacy law.
Historically, the Federal Trade Commission (FTC) has advocated for a “notice and choice” approach to data privacy. This model, based on a contractual relationship between companies and their customers, generally provides that companies must tell their customers how the company plans to use and share their data and provide customers with choices about their privacy. A fundamental problem with this approach – as anyone who has ever reviewed a privacy notice can confirm – is that consumers simply cannot adequately monitor who has their data, how their data is shared, and what choices to make to protect their privacy.
In contrast, the fiduciary duty approach contained in the proposed New York Privacy Act requires companies to affirmatively obtain “express and documented consent” prior to using, processing or transferring customers’ personal data. More specifically, companies “shall act in the best interests of the customer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable customer under the circumstances.” Whether the company’s action is reasonable generally depends on whether it would mislead a significant portion of the company’s customers who are acting reasonably under the circumstances. For example, if the company typically targets its goods and services toward customers who provide the company with their sensitive health information, those customers could reasonably expect the company to employ strongly protective data security practices.
A fiduciary duty to customers is vastly different from the “notice and choice” regime. Under the “notice and choice” approach, the burden is on the customer to choose how the company may share their personal information (often through an opt-in or opt-out procedure). A fiduciary duty, however, shifts the burden to the company to act in the customer’s best interests. The proposed New York Privacy Act explicitly imposes duties of care, loyalty, and confidentiality on companies, meaning that companies may be liable for, among other acts, failing to promptly inform a customer of a data breach and using the customer’s data in a way that benefits the company to the customer’s detriment or “would be unexpected and highly offensive to a reasonable customer.” The proposed Act also provides for a private right of action by any injured customer.
One tension in this approach, which the proposed Act acknowledges, is that this fiduciary duty to customers may conflict with a company’s fiduciary duty to its shareholders. While the proposed New York Privacy Act simply provides that the duty to shareholders supersedes the company’s duty to its customers, how these interests work together in practice will be complicated. For example, if a company’s primary business is to collect and sell user data for advertising purposes, is it possible to act in the best interests of both the shareholder (by maximizing company performance) and the customer (by maximizing privacy choices)?
The final form of the proposed New York Privacy Act may look very different from Assembly Bill A680, but this proposal reflects a notable trend in U.S. privacy law. With the advent of the European Union’s GDPR and similar legislation, the privacy burden is shifting from customers to companies. A privacy notice with an opt-out mechanism is no longer sufficient to protect a company’s interests under these regimes; instead, a company must obtain meaningful consent from a customer before using the customer’s personal data.