The NYPA Is Dead (for Now), But Consumer Privacy Trends Carry On

 In Data Governance, Privacy Regulation

Reading Time: 5 minutes

If you’ve been paying attention to the privacy regulation space, it seems like there’s no stopping the political momentum of consumer privacy legislation. Soon, companies may bear a fiduciary role towards consumer data, a monumental shift in how companies interact with consumer data.

The first big domino in privacy regulation to fall was the European Union’s General Data Protection Regulation, which sent businesses across the globe scrambling to figure out a legal basis for data collection and how to manage consent. Then it was the California’s Consumer Privacy Act, and companies are still preparing to comply with new rules around household data and the absolute right of consumers to say “Do not sell my personal information.” The next generation of consumer privacy legislation was supposed to be the New York Privacy Act, but it recently failed to garner enough support in the New York State Assembly.

What Is?…Was?…Will Be? The Life, Death, and Coming Rebirth of the NYPA

The New York Privacy Act was intended to be a more rigorous take on consumer privacy than even the CCPA, which was itself more rigorous than the GDPR in some ways. As Government Technology reported, the NYPA introduced similar consumer privacy rights and data use restrictions for companies as the CCPA and GDPR, while also going further in three key ways:

  1. The concept of “data fiduciary,” 
  2. The right to private action instead of just class action lawsuits,
  3. Increased transparency around data usage and sales.

The headline-grabbing provision was the right for individual consumers to sue companies— which activists pushed to include in the CCPA, as well, but was dropped from the bill with the exception of data breaches. While the prospect of thousands of potential individual litigations is daunting, it’s the concept of “data fiduciary” that will have the most far-reaching impact on how businesses function. 

Though the NYPA is dead for now, there’s no reason for it not to be picked up by the state’s legislature in future sessions, or for those three activist-driven provisions to be part of other state or federal bills. The idea of stronger individual rights for consumers around their own data and a higher level of responsibility for the companies that handle that data won’t be disappearing anytime soon.

Why the NYPA Failed

It won’t be for lack of trying on behalf of business groups and tech giants, though. On paper, the NYPA failed because there was no momentum in the State Assembly, which effectively killed the bill for this legislative session. However, there was immense pressure against the bill in the Senate (where there were no co-sponsors of the bill) to can it. 

According to Government Technology, powerful groups like the Retail Council for New York State, TechNet, and the Internet Association showed up to legislative sessions to decry the restrictions of the bill. These groups pointed to the impact of GDPR on the region’s small businesses as a warning for the NYPA.

Despite the NYPA stalling out, businesses should look toward this as legislation as a model for the future and, in particular, adopt the notion of data fiduciary as the core of their data strategy.

What is a Data Fiduciary?

In the NYPA, companies’ role as a “data fiduciary” is introduced as such:

Personal data of consumers shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent. Every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, shall exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances. [emphasis mine]

As you can see from this definition, companies that want to collect or sell personal consumer information are required to “act in the best interests of the consumer,” and not the interests of the business. That’s a pretty radical approach to the consumer-company relationship that would bring many businesses under the same guiding principles as health providers and financial institutions.

The potential transformative power of this shouldn’t be underestimated. We can look towards HIPAA— a patient privacy act passed in 1996— to glimpse what a fiduciary approach to consumer data would mean.

HIPAA compliance created roadblocks to the free flow of patient information between providers (consent forms needed to be signed) and raised costs associated with compliance. However, as RSI Security notes, HIPAA compliance brings sizable benefits, such as engendering patient trust, building proactive data security measures, and avoiding hefty fines.

Whereas many patients in a health care system are locked into a provider— and subject to their data policies— consumers at large have more choices on who they do business with. Increasingly, consumers make choices with an eye towards how much they trust a company. According to a recent PwC study, 92% of consumers say companies must proactively protect data, and a staggering 85% say they won’t do business with a company they believe has lax security. 

The Business Imperative to Treat Consumer Data Like Financial and Health Information

As consumers become more aware of the uses (and abuses) of their personal information, legislative action like the CCPA and NYPA will continue. 

While there are no rules compelling businesses to treat consumer data with the same care and security as health and finance industries, adopting a “data fiduciary” approach to consumer data can act as a competitive differentiator. Just look at the work Apple has put into promoting itself as a privacy-centric brand in the last year, with new features like “Sign in with Apple” and changes to its Safari browser.

Being a good steward of consumer information is more than just smart marketing, of course. With a data strategy built around safeguarding information first and foremost, your business will be able to more quickly adapt to new and changing privacy regulations.

Becoming a data fiduciary, as the NYPA defines it, will likely require a shift from simply collecting and securely storing customer data to adopting a privacy-first data strategy. 

Any privacy-first strategy should start with an automated, orchestrated, governed and secured data supply chain for customer data at the center. This data pipeline enables companies to get end-to-end visibility, control and auditability of data from the point it’s created all the way to activation in the tech stack. 

While Tealium enables you to put this data supply chain in place, we have also taken additional measures to help safeguard customer data at a foundational level including encryption of data in transit and at rest, a built-in consent manager for data collection, and the ability to manage data flow based on geography, just to name a few.   

The concept of data fiduciary may not be enshrined in law, but it represents a sound business strategy moving forward for companies in our new consumer privacy landscape. 

Even if the NYPA is DOA, the CCPA is coming soon. Learn about the new law and how Tealium can help you at our CCPA Resource page, or download our latest white paper, “How to Build a Data Foundation that Meets CCPA Compliance.”

Recommended Posts